LatAm Vibe Hackers Generate Custom Hacking Tools on the Fly
Recorded: May 13, 2026, 9:09 p.m.
| Original | Summarized |
LatAm Vibe Hackers Generate Custom Hacking Tools on the Fly

In the latest evolution of automated cyberattacks, two threat campaigns heavily leveraged AI agents to support attacks against entities in Mexico and Brazil.

Alexander Culafi, Senior News Writer, Dark Reading
May 13, 2026 | 5 Min Read
Source: Anna Vaczi via Alamy Stock Photo

Threat actors in Latin America have begun to use AI agents to facilitate their entire attack chains, from assisting with initial access to generating penetration tools on the fly — and organizations need to prepare accordingly.

Trend Micro's TrendAI Research team yesterday published research concerning two threat actors in the region using AI agents — and specifically vibe-coded hacking, or "vibe-hacking" — to compromise government organizations and other entities.

The first campaign, "Shadow-Aether-040," was first identified in late 2025. The attacker was targeting Latin American organizations in the public sector, along with organizations in financial services, aviation, and retail. TrendAI researchers identified a command-and-control (C2) server used by the campaign that lacked operational security, and were thus able to suss out details of how the attack was conducted. Based on that access to the C2 server, Shadow-Aether-040 compromised six government entities in Mexico between Dec. 27 and Jan. 4. Attackers executed activities across the full chain of compromise with the support of AI agents — ultimately leading to data theft in some cases.

TrendAI Research tracked the second campaign, "Shadow-Aether-064," beginning in April. There were significant commonalities between this campaign and Shadow-Aether-040, namely similar tooling, but TrendAI assessed the campaigns to be possibly distinct. Specifically, Shadow-Aether-040 was observed to be Spanish speaking, while Shadow-Aether-064 was likely operated by Brazilian Portuguese speakers. And while Shadow-Aether-064 also used significant AI tooling in all stages of its operation, it primarily targeted financial organizations in Brazil with the aim of stealing financial data.

Vibe Hacking Across a Complete AI Cyberattack Chain

Shadow-Aether-040 was able to jailbreak the AI agent and make it do the attacker's bidding by claiming the instructions were for an "authorized red-team exercise." While AI agents generally have safeguards to prevent this kind of thing, multiple iterative attempts enabled the attacker to succeed.

Shadow-Aether-040 leveraged an agentic command line interface (CLI) to target organizations, and the CLI sent prompts to Anthropic's Claude. This campaign treated the agent as a kind of assistant that would be given tasks to help support the operation. For instance, the attacker had the AI agent use Shodan and VulDB to identify potential vulnerabilities in an external-facing server; once the vulnerability scanners identified bugs on targeted servers, the attackers deployed Web shells for initial access.

After that, the threat actor commanded its AI agent to use the Web shells to deploy additional backdoors and traffic-tunneling tools to maintain persistence. TrendAI also identified one backdoor, a Python-based package called "implante_http," that was likely created with AI assistance.

Along the way, Shadow-Aether-040 instructed the AI to document the workflow of the attack and organize collected information into different directories as Markdown files. "This allowed the AI agent to understand previously completed actions, restore the prior operational context by reading through the Markdown files inside a given folder, and continue work on the unfinished tasks at any time," the researchers' blog post read.

Shadow-Aether-064 similarly used AI agents to compromise and remotely command servers. Both actors leveraged ProxyChains, SOCKS5 tunneling, and SSH for initial access, as well as additional open source tooling like Chisel, CrackMapExec, Impacket, and Neo-reGeorg. But most striking is that both campaigns also created custom, dynamically generated hacking tools and scripts using AI, making them harder for traditional security solutions to detect, since those solutions rely on known signatures. The tools were used to support network scanning, password spraying, and vulnerability exploitation. Both also created "custom backdoors capable of establishing reverse tunnels for traffic forwarding from a SOCKS5 proxy," according to the research.

"Because these dynamically generated commands, scripts, and code differ with each execution, they effectively replace open source hacking tools that are more likely to be detected, reducing the possibility of detection by traditional security solutions," TrendAI explained.

Vibe Hacking Is Imperfect; Position Now for Defense

Shadow-Aether-040 and Shadow-Aether-064 are the latest examples of threat actors using AI agents for front-to-back threat activities, and this won't be the last time security professionals hear about this kind of thing, in Latin America and beyond. As AI assistants capable of complex technical tasks become more accessible to threat actors, stories like this will almost certainly become more common.

Stephen Hilt, principal threat researcher at TrendAI, tells Dark Reading that the way these attacks were conducted goes beyond a simple smash and grab. "What AI enabled in both cases was the operational tempo to pursue those objectives faster and with less manual overhead," he says. "Threat actors will always take the path of least resistance and right now AI is that path, but the motivation driving these campaigns goes deeper than just convenience."

But there's good news, because vibe hacking isn't quite ready for prime time, which gives defenders a chance to position for resilience. 'Ransomvibing' recently infested the Visual Studio Extension Market, but the malicious VS Code extension failed to remove obvious signs of its malicious nature. Pakistan's APT36 nation-state group has begun using vibe-coding to churn out malware at scale, but the results so far are mediocre at best. And the vibe-coded Sicarii ransomware entered the scene last year, but has poorly designed code and can't be decrypted.

TrendAI researchers noted in the report that they identified cases where vibe-hacking threat actors failed because the AI agent couldn't determine a clear path for lateral movement. In these cases, the targets had stronger security configurations. This is where doing the security basics comes in handy.

"Against an environment with strong security fundamentals, even AI-augmented campaigns will struggle to find a way through," the research blog post read. "Timely patching, properly implemented zero-trust access controls, and comprehensive monitoring of environmental activity will be increasingly important in defending against this evolving threat landscape."
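The research's defensive point is that dynamically generated tools defeat signature matching but not behavioural monitoring: the web shell, the spawned backdoor and the reverse tunnel leave the same process lineage and egress pattern no matter how the code was written. The following is an added illustration of that idea and is not code from the article or from Trend Micro; the image names, the "expected" egress ports and the telemetry are all constructed assumptions for the example.

```python
"""Behavioural (not signature-based) detection of the web shell -> backdoor ->
reverse-tunnel chain the article describes. The sample telemetry below is
constructed for this example and is not data from the Trend Micro report."""
from dataclasses import dataclass

# Assumed image names; adjust to the platform being monitored.
WEB_SERVERS = {"httpd", "nginx", "apache2", "php-fpm", "w3wp.exe"}
INTERPRETERS = {"python", "python3", "perl", "sh", "bash", "cmd.exe", "powershell.exe"}
EXPECTED_EGRESS_PORTS = {80, 443}  # anything else from a flagged process is notable


@dataclass
class Event:
    ts: str
    kind: str       # "proc" = process start, "net" = outbound connection
    pid: int
    ppid: int
    image: str      # process image name
    dport: int = 0  # destination port, "net" events only


# Constructed sample: a web worker spawns a shell, which spawns a Python
# backdoor that opens a reverse tunnel to an unusual port. A cron-driven
# Python job talking to 443 is included as benign noise.
EVENTS = [
    Event("10:00:01", "proc", 100, 1, "httpd"),
    Event("10:00:02", "proc", 200, 100, "sh"),
    Event("10:00:03", "proc", 201, 200, "python3"),
    Event("10:00:04", "net", 201, 200, "python3", dport=8443),
    Event("10:05:00", "proc", 300, 1, "cron"),
    Event("10:05:01", "proc", 310, 300, "python3"),
    Event("10:05:02", "net", 310, 300, "python3", dport=443),
]


def detect(events):
    """Return (rule, pid) alerts. Flags interpreters spawned by a web server,
    propagates suspicion down the process tree, and flags egress from any
    flagged process to a port outside the expected set. The generated tool's
    bytes never matter here, only its lineage and network behaviour."""
    images, suspicious, alerts = {}, set(), []
    for e in events:
        if e.kind == "proc":
            images[e.pid] = e.image
            if e.image in INTERPRETERS and images.get(e.ppid) in WEB_SERVERS:
                suspicious.add(e.pid)
                alerts.append(("webserver_spawns_interpreter", e.pid))
            elif e.ppid in suspicious:
                suspicious.add(e.pid)
                alerts.append(("suspicious_descendant", e.pid))
        elif e.kind == "net" and e.pid in suspicious and e.dport not in EXPECTED_EGRESS_PORTS:
            alerts.append(("flagged_process_egress", e.pid))
    return alerts
```

On the constructed sample, `detect(EVENTS)` flags the shell (pid 200), the Python child (pid 201) and its connection to port 8443, while the cron-launched Python job is left alone.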
Threat actors in Latin America are increasingly using AI agents to run automated attack chains, including vibe-coding custom hacking tools on the fly, which means defenders need to reassess detection that depends on known signatures. Trend Micro's TrendAI Research team documented two campaigns, "Shadow-Aether-040" and "Shadow-Aether-064," that used AI agents across the full attack chain, from initial access to data theft. Shadow-Aether-040, first identified in late 2025, targeted Latin American public-sector organizations as well as financial services, aviation, and retail, and compromised six Mexican government entities between Dec. 27 and Jan. 4. The attacker jailbroke the agent over multiple attempts by framing its instructions as an authorized red-team exercise, then drove it through an agentic CLI backed by Anthropic's Claude to query Shodan and VulDB for vulnerabilities in external-facing servers, after which web shells were deployed for initial access, followed by additional backdoors and traffic-tunneling tools for persistence, among them a likely AI-assisted Python backdoor named implante_http. The attacker also had the agent document the workflow and file collected information as Markdown in per-task directories, so the agent could re-read those files to restore operational context and resume unfinished tasks. Shadow-Aether-064, tracked from April, shared similar tooling but was assessed as possibly distinct: Shadow-Aether-040 was observed to be Spanish speaking, while Shadow-Aether-064 was likely operated by Brazilian Portuguese speakers and primarily targeted financial organizations in Brazil to steal financial data.

Both campaigns used ProxyChains, SOCKS5 tunneling, and SSH for initial access, alongside open source tools such as Chisel, CrackMapExec, Impacket, and Neo-reGeorg. The most notable finding is that both also generated custom tools and scripts with AI for network scanning, password spraying, and vulnerability exploitation, plus custom backdoors that establish reverse tunnels to forward traffic from a SOCKS5 proxy. Because the generated code differs with each execution, it stands in for well-known open source tools and is harder for signature-based security products to detect. The main gain for the attackers was operational tempo: objectives pursued faster and with less manual overhead. The research also shows the approach is imperfect; TrendAI observed cases where the agent could not find a path for lateral movement because the target had stronger security configurations. The report's conclusion is that timely patching, properly implemented zero-trust access controls, and comprehensive monitoring of environmental activity will matter increasingly against AI-augmented campaigns, whatever the sophistication of the attacker's AI tooling.