
LatAm Vibe Hackers Generate Custom Hacking Tools on the Fly

Dark Reading, May 13, 2026

In the latest evolution of automated cyberattacks, two threat campaigns heavily leveraged AI agents to support attacks against entities in Mexico and Brazil.

Alexander Culafi, Senior News Writer, Dark Reading
May 13, 2026
5 Min Read

Threat actors in Latin America have begun to use AI agents to facilitate their entire attack chains, from assisting with initial access to generating penetration tools on the fly — and organizations need to prepare accordingly.

Trend Micro's TrendAI Research team yesterday published research concerning two threat actors in the region using AI agents — and specifically vibe-coded hacking, or "vibe-hacking" — to compromise government organizations and other entities.

The first campaign, "Shadow-Aether-040," was first identified in late 2025. An attacker was targeting Latin American organizations in the public sector, along with organizations in financial services, aviation, and retail. TrendAI researchers identified a command-and-control (C2) server used by the campaign that lacked operational security, and were thus able to suss out details on how the attack was conducted.

Based on TrendAI researchers' access to the C2 server, Shadow-Aether-040 compromised six government entities in Mexico between Dec. 27 and Jan. 4. Attackers executed activities across the full chain of compromise with the support of AI agents — ultimately leading to data theft in some cases.

TrendAI Research tracked the second campaign, "Shadow-Aether-064," beginning in April. There were significant commonalities between this campaign and Shadow-Aether-040, namely similar tooling, but TrendAI assessed the campaigns to be possibly distinct.

Specifically, Shadow-Aether-040 was observed to be Spanish speaking, while Shadow-Aether-064 was likely operated by Brazilian Portuguese speakers. And while Shadow-Aether-064 also used significant AI tooling in all stages of its operation, it primarily targeted financial organizations in Brazil with an aim to steal financial data.

Vibe Hacking Across a Complete AI Cyberattack Chain

Shadow-Aether-040 was able to jailbreak the AI agent and make it do its bidding by claiming the instructions were for an "authorized red-team exercise." While AI agents generally have safeguards to prevent this kind of thing, multiple iterative attempts enabled the attacker to succeed.

Shadow-Aether-040 leveraged an agentic command line interface (CLI) to target organizations, and the CLI sent prompts to Anthropic's Claude. This campaign treated the agent as a kind of assistant that would be given tasks to help support the operation.

For instance, the attacker enabled the AI agent to leverage Shodan and VulDB in order to identify potential vulnerabilities across an external-facing server; once the vulnerability scanners identified the bugs on targeted servers, the attackers then deployed Web shells for initial access.

After that, the threat actor commanded its AI agent to use the Web shells to deploy additional backdoors and traffic-tunneling tools to maintain persistence. TrendAI also identified one backdoor, a Python-based package called "implante_http," that was likely created with AI assistance. Along the way, Shadow-Aether-040 instructed the AI to document the workflow of the attack and organize collected information into different directories as Markdown files.

"This allowed the AI agent to understand previously completed actions, restore the prior operational context by reading through the Markdown files inside a given folder, and continue work on the unfinished tasks at any time," the researchers' blog post read.

Shadow-Aether-064 similarly used AI agents to compromise and remotely command servers. Both actors leveraged ProxyChains, SOCKS5 tunneling, and SSH for initial access, as well as additional open source tooling like Chisel, CrackMapExec, Impacket, and Neo-reGeorg.

But most striking here is that both campaigns also created custom, dynamically generated hacking tools and scripts using AI, making them harder for traditional security solutions to detect, since those solutions rely on known signatures. The tools were used to support network scanning, password spraying, and vulnerability exploitation. Both also created "custom backdoors capable of establishing reverse tunnels for traffic forwarding from a SOCKS5 proxy," according to the research.

"Because these dynamically generated commands, scripts, and code differ with each execution, they effectively replace open source hacking tools that are more likely to be detected, reducing the possibility of detection by traditional security solutions," TrendAI explained.

Vibe Hacking Is Imperfect; Position Now for Defense

Shadow-Aether-040 and Shadow-Aether-064 are the latest examples of threat actors using AI agents for front-to-back threat activities, and this won't be the last time security professionals will hear about this kind of thing, in Latin America and beyond. As AI assistants capable of complex technical tasks become more accessible to threat actors, stories like this will almost certainly become more common.

Stephen Hilt, principal threat researcher at TrendAI, tells Dark Reading that the way these attacks were conducted goes beyond a simple smash and grab. "What AI enabled in both cases was the operational tempo to pursue those objectives faster and with less manual overhead," he says. "Threat actors will always take the path of least resistance and right now AI is that path, but the motivation driving these campaigns goes deeper than just convenience."
But there's good news, because vibe hacking isn't quite ready for prime time, which gives defenders a chance to position for resilience. 'Ransomvibing' recently infested the Visual Studio Extension Market, but the malicious VS Code extension failed to remove obvious signs of its malicious nature. Pakistan's APT36 nation-state group has begun using vibe-coding to churn out malware at scale, but the results so far are mediocre at best. And the vibe-coded Sicarii ransomware entered the scene last year, but has poorly designed code and can't be decrypted.

TrendAI researchers noted in the report that they identified cases where vibe-hacking threat actors failed because the AI agent couldn't determine a clear path for lateral movement. In these cases, the targets had stronger security configurations. This is where doing the security basics comes in handy.

"Against an environment with strong security fundamentals, even AI-augmented campaigns will struggle to find a way through," the research blog post read. "Timely patching, properly implemented zero-trust access controls, and comprehensive monitoring of environmental activity will be increasingly important in defending against this evolving threat landscape."
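As an added illustration of the monitoring point (example code written for this page, not TrendAI's or Dark Reading's): scripts regenerated on every run have no stable signature, but a reverse tunnel still has to speak SOCKS5 on the wire, so a detector can key on the RFC 1928 handshake instead of on any particular tool. The Python below parses that handshake in either direction of a captured flow and flags the reverse case, where the host that opened the TCP connection is the one serving the proxy; the flow records, hosts and addresses are constructed.

```python
# Added example: tool-agnostic SOCKS5 (RFC 1928) handshake detector over captured flows.
import ipaddress
from typing import Optional

SOCKS_VER = 0x05
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

def parse_greeting(data: bytes) -> Optional[int]:
    """Length of a valid client greeting (VER NMETHODS METHODS...), or None."""
    if len(data) < 2 or data[0] != SOCKS_VER or data[1] == 0:
        return None
    return 2 + data[1] if len(data) >= 2 + data[1] else None

def parse_request(data: bytes) -> Optional[tuple]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT into (cmd_name, 'host:port')."""
    if len(data) < 5 or data[0] != SOCKS_VER or data[2] != 0 or data[1] not in CMD_NAMES:
        return None
    atyp = data[3]
    if atyp == 1 and len(data) >= 10:                       # IPv4 address
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 3 and len(data) >= 7 + data[4]:            # length-prefixed domain name
        host, off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    else:                                                   # IPv6 and truncated input: not handled here
        return None
    return CMD_NAMES[data[1]], f"{host}:{int.from_bytes(data[off:off + 2], 'big')}"

def detect_socks5(flow: dict) -> Optional[dict]:
    """Look for greeting -> method select -> request in either direction of a flow.
    'reverse' is True when the TCP initiator is the SOCKS *server*, i.e. the host
    that opened the connection is serving a proxy to its remote peer (reverse tunnel)."""
    sides = ((flow["initiator"], flow["responder"], flow["init_bytes"], flow["resp_bytes"], False),
             (flow["responder"], flow["initiator"], flow["resp_bytes"], flow["init_bytes"], True))
    for client, server, c_bytes, s_bytes, reverse in sides:
        n = parse_greeting(c_bytes)
        if n is None or len(s_bytes) < 2 or s_bytes[0] != SOCKS_VER:
            continue  # no greeting on this side, or the peer did not answer with a method selection
        req = parse_request(c_bytes[n:])
        if req is not None:
            return {"socks_client": client, "socks_server": server,
                    "cmd": req[0], "target": req[1], "reverse": reverse}
    return None

# Constructed flows: a plain HTTP request, and a reverse tunnel in which the internal
# web server opened the TCP session yet serves SOCKS5 to the remote peer.
FLOW_HTTP = {"initiator": "10.20.5.17", "responder": "203.0.113.9:443",
             "init_bytes": b"GET / HTTP/1.1\r\n", "resp_bytes": b"HTTP/1.1 200 OK\r\n"}
FLOW_REVERSE_TUNNEL = {"initiator": "10.20.5.17", "responder": "198.51.100.23:8443",
    "init_bytes": b"\x05\x00" + b"\x05\x00\x00\x01" + bytes(6),    # method select, then success reply
    "resp_bytes": b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([10, 20, 5, 30]) + (445).to_bytes(2, "big")}
```

The check only sees the handshake when the tunnel is not wrapped in TLS or SSH, so it complements, rather than replaces, host-side telemetry on which processes open outbound connections.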