A threat actor has been caught using AI-generated malware in a real network intrusion, deploying a PowerShell script that an assistant had "vibe-coded" to map out an Active Directory environment.
In a report published on July 8, Huntress said it recovered and rebuilt the script from an incident on June 3, calling it a "case study in how criminals are weaponizing AI."
Vibe coding, generating software by prompting an AI in plain language rather than writing it manually, has handed even mediocre attackers the ability to spin up bespoke, one-off tools.
A Script With AI Fingerprints
The tool observed by Huntress was titled "100% Working AD Information Gathering Script - FULLY FIXED," a phrase the firm said betrayed a back-and-forth with a large language model (LLM), errors pasted in until it worked.
The attacker had even left in a placeholder server name that the AI supplied as an example, copied across without editing.
Other giveaways, Huntress said, were the script's over-engineering, five separate fallback methods to find the domain controller where a human coder would pick one, and its fondness for colorful console output.
Once it located the controller, the script harvested Active Directory users, computers, groups and trusts into spreadsheets. It then generated a tidy HTML report summarizing the theft, a flourish the researchers believed the LLM had added on its own.
Read more on AI-generated malware in the wild: AI-Enabled Malware Now Actively Deployed, Says Google
The Same Playbook, Faster
Despite the novelty of such attacks, Huntress stressed that "AI isn't changing the game." The intrusion followed a familiar smash-and-grab: the attacker logged in over RDP with stolen credentials, staged tools in a common Windows folder and ran the vibe-coded script to scout the network.
Legitimate cloud tools, such as s5cmd and the utility SharpShares, then handled data exfiltration.
The catch for defenders is detection, Huntress warned. Because the script was one of a kind, never seen before and unlikely to appear again in the same form, the file hashes and signatures that antivirus tools rely on were useless against it.
"Vibe coding lowers the barrier to entry for cybercrime, allowing unsophisticated actors to generate highly capable, evasive tooling on the fly," the company said.
"While the code itself may be messy, over-engineered, and filled with AI hallmarks like left-behind comments, the threat it poses is very real. To combat this, defenders must abandon rigid, signature-based thinking and embrace behavioral analytics to catch the underlying actions that no LLM can hide."
