APT36 Unleashes Wave of AI-Generated “Vibeware” Targeting Indian Government Networks
Researchers have uncovered a new cyber campaign attributed to APT36, a Pakistan-linked threat group, that is targeting Indian government networks with large volumes of AI-generated malware. Security analysts say the operation focuses less on sophistication and more on overwhelming defenders with sheer scale.
The campaign introduces what researchers describe as “Vibeware,” a term used to characterize low-quality malware generated with the assistance of artificial intelligence. While many of the samples appear sloppy or partially functional, the massive number of variants increases the likelihood that at least some will evade traditional detection systems.
AI-Generated Malware at Scale
According to cybersecurity researchers at Bitdefender, the attackers are leveraging AI-assisted development workflows to rapidly generate malware samples that differ only in small details. Every such rebuild yields a binary with a new file hash, so defenses that rely on hashes or byte-pattern signatures of previously seen samples lag behind the stream of new ones.
Rather than investing significant resources into highly advanced malware, the attackers appear to be prioritizing quantity. The strategy mirrors tactics seen in spam campaigns, where overwhelming volume increases the chances of successful compromise.
Unusual Programming Languages Used
Another distinctive feature of the campaign is the use of niche programming languages rarely seen in mainstream malware development. Analysts observed samples written in Nim, Zig, and Crystal, languages that seldom appear in malware corpora, so the runtime artifacts and code patterns their compilers produce are less likely to match what antivirus engines and classifiers have been tuned to recognize.
By using these alternative languages, the attackers may be attempting to evade automated detection pipelines that are tuned to identify malware compiled with more traditional toolchains such as C++ or .NET.
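One practical counter to unfamiliar toolchains is to triage binaries by the artifacts each compiler leaves behind, before any signature is involved. The script below is an added example written for this article, not code from Bitdefender or from the campaign; the indicator strings (Nim runtime symbols, Zig panic messages and source paths, Crystal runtime symbols, plus .NET and MSVC as baselines) are heuristics, and the sample blobs are constructed stand-ins for real files.

```python
"""Heuristic toolchain triage for binaries built with less common languages.

Added example for this article; not code from Bitdefender or from the
campaign's tooling. The indicator strings are assumptions drawn from
artifacts the Nim, Zig and Crystal toolchains commonly leave in compiled
output (runtime symbol names, panic messages, source-path suffixes), plus
two baseline Windows toolchains for contrast. Treat hits as triage signals,
not verdicts: a stripped or packed build can remove all of them.
"""
import re

# Indicator strings per toolchain (heuristic assumptions, see docstring).
TOOLCHAIN_INDICATORS = {
    "nim": (b"NimMain", b"nimFrame", b"nimGC_setStackBottom", b"system.nim"),
    "zig": (b"reached unreachable code", b"start.zig", b"std.builtin"),
    "crystal": (b"__crystal_main", b"__crystal_once", b"Crystal::"),
    ".net": (b"mscoree.dll", b"_CorExeMain", b"_CorDllMain"),
    "msvc": (b"VCRUNTIME140", b"MSVCP140", b"api-ms-win-crt"),
}

# Toolchains this (hypothetical) environment sees every day; a binary from
# any other toolchain deserves a closer look.
BASELINE_TOOLCHAINS = {".net", "msvc"}


def extract_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Return printable ASCII runs of at least min_len bytes (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def classify_toolchain(data: bytes) -> dict[str, list[str]]:
    """Map each toolchain to the indicator strings found in the binary."""
    hits = {}
    for name, needles in TOOLCHAIN_INDICATORS.items():
        found = [n.decode() for n in needles if n in data]
        if found:
            hits[name] = found
    return hits


def triage(data: bytes) -> str:
    """Best-guess toolchain label, or 'unknown' when no indicator matches."""
    hits = classify_toolchain(data)
    if not hits:
        return "unknown"
    # The toolchain with the most matching indicators wins.
    return max(hits, key=lambda name: len(hits[name]))


def is_unusual_toolchain(data: bytes) -> bool:
    """True when the binary shows a toolchain outside the environment's baseline."""
    label = triage(data)
    return label != "unknown" and label not in BASELINE_TOOLCHAINS


# Constructed stand-ins for real binaries: a header plus a handful of strings.
SAMPLE_NIM = b"MZ" + b"\x00" * 30 + b"NimMain\x00nimFrame\x00lib/system.nim\x00KERNEL32.dll\x00"
SAMPLE_ZIG = b"MZ" + b"\x00" * 30 + b"reached unreachable code\x00std/start.zig\x00"
SAMPLE_CRYSTAL = b"\x7fELF" + b"\x00" * 12 + b"__crystal_main\x00__crystal_once\x00Crystal::Exception\x00"
SAMPLE_DOTNET = b"MZ" + b"\x00" * 30 + b"mscoree.dll\x00_CorExeMain\x00"
SAMPLE_STRIPPED = b"MZ" + bytes(range(256))  # no toolchain strings at all

if __name__ == "__main__":
    for label, blob in [("nim", SAMPLE_NIM), ("zig", SAMPLE_ZIG), ("crystal", SAMPLE_CRYSTAL),
                        ("dotnet", SAMPLE_DOTNET), ("stripped", SAMPLE_STRIPPED)]:
        print(f"{label:9s} -> {triage(blob):8s} unusual={is_unusual_toolchain(blob)} "
              f"strings={len(extract_strings(blob))}")
```

In a pipeline this sits in front of the sandbox: a Nim or Crystal hit on a file arriving in a fleet that only ever ships .NET and MSVC builds is worth an analyst's time regardless of whether any signature fires, and a stripped binary that yields no strings at all is a signal in its own right.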
Cloud Services Used for Command and Control
The infrastructure behind the operation also relies heavily on legitimate cloud and collaboration platforms. Researchers found that command-and-control communications and data exfiltration activity were routed through widely used services including Google Sheets, Slack, and Discord.
By blending malicious activity with the legitimate traffic these platforms generate, the attackers make network-based detection harder: the sessions terminate at domains most organizations already allow and often cannot simply block, so defenders have to look at which host is talking, how often, and how regularly, rather than at the destination alone.
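One behavioral check that works against C2 over sanctioned platforms is timing: a human using Slack or Google Sheets produces bursty requests, while an implant polling a sheet or posting to a webhook tends to call the same API host at a near-constant interval. The following added example (written for this article, not Bitdefender's detection content) flags (client, API host) pairs whose inter-request gaps have a low coefficient of variation. The log format and every log line are constructed, and the spreadsheet ID EXAMPLE is a placeholder.

```python
"""Periodic-beacon detection over web proxy logs for collaboration-platform APIs.

Added example for this article; not Bitdefender's tooling or detection
content. The log format and all log lines are constructed. The idea:
interactive use of Slack, Discord or Google Sheets is bursty, while a C2
channel that polls a sheet or posts to a webhook produces requests at a
near-constant interval from one host. We flag (source, API host) pairs with
enough requests and a low coefficient of variation of the gaps between them.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# API hostnames of the platforms named in the report (plus Slack's webhook host).
COLLAB_API_HOSTS = {
    "api.slack.com",
    "hooks.slack.com",
    "discord.com",
    "discordapp.com",
    "sheets.googleapis.com",
}

# Constructed proxy log: "<iso-timestamp> <client-ip> <method> <host> <path>".
# 10.1.2.7 polls one sheet roughly every 60 s; 10.1.2.9 is a person using Slack.
LOG_LINES = """\
2025-01-10T09:00:00Z 10.1.2.7 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE/values/tasks
2025-01-10T09:00:12Z 10.1.2.9 GET api.slack.com /api/conversations.history
2025-01-10T09:00:17Z 10.1.2.9 POST api.slack.com /api/chat.postMessage
2025-01-10T09:01:00Z 10.1.2.7 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE/values/tasks
2025-01-10T09:02:01Z 10.1.2.7 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE/values/tasks
2025-01-10T09:02:17Z 10.1.2.9 GET api.slack.com /api/users.list
2025-01-10T09:02:20Z 10.1.2.9 GET api.slack.com /api/conversations.history
2025-01-10T09:03:00Z 10.1.2.7 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE/values/tasks
2025-01-10T09:03:30Z 10.1.2.7 GET intranet.example.gov /portal/home
2025-01-10T09:04:02Z 10.1.2.7 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE/values/tasks
2025-01-10T09:05:01Z 10.1.2.7 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE/values/tasks
2025-01-10T09:06:00Z 10.1.2.7 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE/values/tasks
2025-01-10T09:07:01Z 10.1.2.7 GET sheets.googleapis.com /v4/spreadsheets/EXAMPLE/values/tasks
2025-01-10T09:12:20Z 10.1.2.9 GET api.slack.com /api/conversations.history
2025-01-10T09:13:00Z 10.1.2.9 POST api.slack.com /api/chat.postMessage
2025-01-10T09:13:15Z 10.1.2.9 GET api.slack.com /api/users.list
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed five-field proxy format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "method": method, "host": host, "path": path,
        })
    return records


def find_beacons(records: list[dict], min_requests: int = 6, max_cv: float = 0.2) -> list[dict]:
    """Flag (src, host) pairs talking to collaboration APIs with regular timing."""
    by_pair = defaultdict(list)
    for r in records:
        if r["host"] in COLLAB_API_HOSTS:
            by_pair[(r["src"], r["host"])].append(r["ts"])
    alerts = []
    for (src, host), times in by_pair.items():
        if len(times) < min_requests:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: ~0 for a fixed-interval beacon, >1 for human use.
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            alerts.append({"src": src, "host": host, "count": len(times),
                           "mean_interval": round(mean, 2), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(parse_log(LOG_LINES)):
        print(alert)
```

The thresholds are starting points, not tuned values: implants with randomized sleep widen the gap distribution, so pair this with endpoint telemetry on which process owns the connection and with path analysis (the same spreadsheet or webhook being hit repeatedly), and in environments where Slack or Discord are not sanctioned at all, any traffic to those hosts is already notable.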
Credential Theft and Data Exfiltration Tools
The campaign deploys several tools designed to harvest credentials and steal sensitive files from infected systems. One component identified in the attack chain is a spyware module called LuminousCookies, which attempts to bypass modern browser security mechanisms by injecting itself directly into browser memory.
This technique is aimed at App-Bound Encryption, the protection Google Chrome introduced for stored cookies and credentials: the key that decrypts them is held by a privileged service that releases it only to the browser itself, so a stealer running as the logged-in user can no longer read the cookie database directly. Code executing inside the browser process inherits that access, which is what injection buys the attacker.
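Because App-Bound Encryption moves the secret into the browser process, the defensive question becomes who is opening or writing that process. On Windows this is visible in Sysmon as Event ID 10 (ProcessAccess, with the GrantedAccess mask) and Event ID 8 (CreateRemoteThread). The script below is an added example for this article, not Bitdefender's detection content or the LuminousCookies code; the events are constructed, the access-right constants are the documented Win32 values, and the allowlist of source images is an assumption to be tuned per fleet.

```python
"""Detect injection attempts against browser processes from Sysmon events.

Added example for this article, not Bitdefender's detection content or the
LuminousCookies code. Browsers with App-Bound Encryption decrypt cookies
only inside the browser process, so a stealer that wants plaintext has to
get into that process. In Sysmon that shows up as Event ID 10
(ProcessAccess) with write or thread rights on a browser image, or Event ID
8 (CreateRemoteThread) targeting it. Events below are constructed; the
allowlist is an assumption for this environment.
"""

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}

# Win32 process access rights (values from the Windows SDK).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Writing code or starting a thread in another process needs at least one of these.
WRITE_OR_THREAD = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Sources expected to hold handles on browser processes (assumption; tune per fleet).
# csrss.exe opens every new process with a mask that includes VM_WRITE, so it must
# be excluded explicitly or the rule is useless.
ALLOWLISTED_SOURCES = {r"c:\windows\system32\csrss.exe"}


def image_name(path: str) -> str:
    """Lower-case file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_browser_injection(events: list[dict]) -> list[dict]:
    """Return alerts for non-browser, non-allowlisted sources that gain injection
    capability over a browser process."""
    alerts = []
    for ev in events:
        target = image_name(ev["TargetImage"])
        source = ev["SourceImage"]
        if target not in BROWSER_IMAGES:
            continue
        # The browser's own processes open each other with full rights: benign.
        if image_name(source) == target or source.lower() in ALLOWLISTED_SOURCES:
            continue
        if ev["EventID"] == 8:
            alerts.append({"source": source, "target": target,
                           "reason": "CreateRemoteThread into browser process"})
        elif ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            if granted & WRITE_OR_THREAD:
                alerts.append({"source": source, "target": target,
                               "reason": f"ProcessAccess with write/thread rights "
                                         f"0x{granted & WRITE_OR_THREAD:x}"})
    return alerts


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\update.exe"  # constructed path

# Constructed Sysmon events (field names as Sysmon emits them).
EVENTS = [
    # Chrome renderer/utility processes opening each other: benign.
    {"EventID": 10, "SourceImage": CHROME, "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    # csrss.exe touches every process at creation: allowlisted.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1478"},
    # Read-only handle (QUERY_INFORMATION | VM_READ) from a user-profile binary:
    # odd, but it cannot inject with these rights, so this rule stays quiet.
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Roaming\svc\helper.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1410"},
    # Full-access handle from a Temp-directory binary: injection preparation.
    {"EventID": 10, "SourceImage": DROPPER, "TargetImage": CHROME, "GrantedAccess": "0x1F3FFF"},
    # Remote thread started in the browser by the same binary.
    {"EventID": 8, "SourceImage": DROPPER, "TargetImage": CHROME, "StartFunction": "LoadLibraryW"},
    # Non-browser target: out of scope for this rule.
    {"EventID": 8, "SourceImage": DROPPER, "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect_browser_injection(EVENTS):
        print(alert)
```

The value is in the combination: an image under the user's profile or Temp directory holding write or thread rights on the browser is rare in a healthy fleet, whereas either condition alone (a user-profile binary, or a handle to chrome.exe) is everyday noise. Extend the allowlist with whatever endpoint security product legitimately instruments the browser, and keep the rule on full paths rather than file names, since a dropper named chrome.exe in Temp should not slip through.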
Another tool observed in the operation, known as BackupSpy, focuses on collecting documents from compromised systems. The malware scans for sixteen different file types commonly associated with government or corporate data and maintains a manifest of stolen files before exfiltration.
Delivery Through Social Engineering
Initial access attempts appear to rely on social engineering tactics rather than direct exploitation. Attackers are reportedly distributing malicious files disguised as documents, including PDF lures and modified browser shortcuts that execute spyware once opened.
These techniques suggest the campaign is targeting individual users within government networks rather than attempting direct compromise of hardened infrastructure.
A New Phase of AI-Assisted Cyber Operations
The emergence of Vibeware highlights a broader shift in cybercrime and state-backed operations. Artificial intelligence is increasingly being used not only to improve malware sophistication but also to dramatically accelerate malware production.
For defenders, this trend introduces a new challenge. Instead of analyzing a handful of advanced samples, security teams may face hundreds or thousands of rapidly generated variants designed to bypass detection through constant mutation.
Researchers warn that while many of the current samples appear poorly written, the strategy itself could prove effective over time. As AI-assisted malware development continues to evolve, defenders may need to rely more heavily on behavioral detection and threat intelligence rather than static signatures to counter large-scale campaigns.
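The closing point, that hash and signature matching cannot keep up with mass-produced variants while behavior and similarity can, is easy to demonstrate. The block below is an added example for this article (not Bitdefender's tooling, and the four "binaries" are constructed byte blobs, not real samples): each variant changes a build stamp or padding, which gives it a fresh SHA-256, yet the strings the variants share let a Jaccard similarity over extracted strings group them into one family.

```python
"""Why per-sample hashes fail against mass-produced variants, and a cheap way to
cluster them anyway.

Added example for this article; the 'binaries' are constructed byte blobs,
not real samples. Each variant changes a few bytes (a build stamp, padding,
an extra string), enough for a new SHA-256 that defeats a hash blocklist.
The strings the variants share survive the mutation, so Jaccard similarity
over extracted strings groups them into one family while an unrelated blob
stays apart. Real pipelines use richer features (imports, control flow,
behaviour); the mechanics are the same.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def string_set(data: bytes, min_len: int = 5) -> frozenset[bytes]:
    """Feature vector: the set of printable ASCII runs of at least min_len bytes."""
    return frozenset(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))


def jaccard(a: frozenset, b: frozenset) -> float:
    """|A ∩ B| / |A ∪ B|; 1.0 for identical sets, 0.0 for disjoint ones."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster(samples: dict[str, bytes], threshold: float = 0.7) -> list[set[str]]:
    """Single-linkage clustering: a sample joins the first cluster that already
    holds a member at least `threshold` similar to it, else starts a new one."""
    feats = {name: string_set(blob) for name, blob in samples.items()}
    clusters: list[set[str]] = []
    for name in samples:
        for group in clusters:
            if any(jaccard(feats[name], feats[other]) >= threshold for other in group):
                group.add(name)
                break
        else:
            clusters.append({name})
    return clusters


# Strings a family of collectors might share: API imports, a C2 host, file types.
CORE = (b"GetProcAddress\x00LoadLibraryA\x00WinHttpOpen\x00WinHttpSendRequest\x00"
        b"sheets.googleapis.com\x00/v4/spreadsheets/\x00manifest.json\x00"
        b".docx\x00.xlsx\x00.pptx\x00.pdf\x00")

# Constructed samples: three rebuilds of one family and one unrelated program.
SAMPLES = {
    "variant_a": b"MZ" + b"\x00" * 30 + CORE + b"build-0001\x00" + b"\x90" * 16,
    "variant_b": b"MZ" + b"\x00" * 30 + CORE + b"build-0002\x00" + b"\x90" * 32,
    "variant_c": b"MZ" + b"\x00" * 30 + CORE + b"build-0003\x00PlatformSvc\x00",
    "unrelated": b"\x7fELF" + b"\x00" * 12 + b"Hello, world!\x00printf\x00libc.so.6\x00main.c\x00_start\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10s} sha256={sha256_hex(blob)[:16]}... strings={len(string_set(blob))}")
    print("clusters:", cluster(SAMPLES))
```

Every variant carries a hash nobody has seen before, so a blocklist built from yesterday's samples catches none of them; the string-set similarity puts all three in one cluster, and a verdict on any member of that cluster transfers to the rest. Production systems get the same effect from fuzzy hashes, import tables, or sandbox behavior, which is the shift toward behavioral detection the researchers describe.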