Security News

Cybersecurity news aggregator

HIGH Attacks Dark Reading

Nation-State Actor Embraces AI Malware Assembly Line

The Pakistan-linked APT36 threat group is using AI-powered "vibe-coding" to generate high volumes of low-quality malware in obscure programming languages like Nim and Zig, a tactic dubbed "Distributed Denial of Detection" designed to overwhelm traditional defenses through sheer scale rather than sophistication.

Pakistan's APT36 threat group has begun using vibe-coding to churn out mediocre malware, but at a scale that could overwhelm defenses.

Jai Vijayan, Contributing Writer
March 5, 2026
4 Min Read
Source: Mehaniq via Shutterstock

Pakistan-linked state-sponsored threat group APT36 has begun using AI coding tools to bombard targets with mass-produced malware that appears designed to overwhelm defenses not through technical quality but through sheer volume.

Bitdefender dubbed the tactic "Distributed Denial of Detection" after spotting the threat actor using vibe-coded malware in recent attacks targeting entities associated with the Indian government, its embassies across multiple countries, and other targets in South Asia.

How Distributed Denial of Detection Works

The security vendor found the "vibeware" to be of decidedly low quality and riddled with errors. In one instance, a tool designed to steal browser credentials had a placeholder instead of a command-and-control (C2) server address, meaning it could never have actually exfiltrated any data. In another case, a backdoor's status-reporting function reset the very timestamp it was meant to track each time it ran, so the host always appeared online regardless of its true state.

"We saw similar patterns across the rest of the fleet, where other malware components began to collapse under their own weight as soon as the logic reached a moderate level of complexity," Bitdefender researcher Radu Tudorica said in a blog post this week.

These are the kinds of mistakes that occur when code is "syntactically correct but logically unfinished," he said. Even so, Tudorica warned, it would be a mistake for enterprise organizations to underestimate the risk such malware presents when it is written in niche programming languages and uses legitimate services to hide C2 communications.

For example, APT36, aka Transparent Tribe, is using vibe-coding (the practice of developing code with AI tools through conversational, natural-language prompts) to generate malware in obscure programming languages like Nim, Zig, and Crystal. Previously, developing malware in multiple languages required considerable time and skill. But, Tudorica said, AI has made it possible even for bad actors with only foundational technical skills to churn out malware in different languages with minimal effort.

A Mistake to Underestimate Vibeware

That's a problem, because most endpoint detection engines are tuned to detect malware written in common languages like C++ or C#. When a malicious binary arrives in a language those engines have little exposure to, it "essentially reset[s] the detection baseline," Tudorica wrote.

APT36 is also leveraging AI to exploit legitimate cloud platforms for C2 purposes. Bitdefender found the threat actor's vibeware collection using Slack, Discord, Google Sheets, and Supabase as channels for issuing commands to compromised machines and receiving stolen data. The combination, Tudorica observed, allows even a threat actor with mediocre tools to overwhelm standard defenses and achieve considerable operational success.

Multiple, Parallel Implants

In attacks that Bitdefender analyzed, APT36 infected victims with multiple, simultaneous malware implants, each developed in a different language and using a different communication protocol. The objective is to ensure that the threat actor maintains access to a network even if one attack channel is neutralized, the researcher noted. Bitdefender estimated the threat group is producing new malware variants daily using vibe coding.

"The real danger for organizations is the industrialization of mediocrity," says Martin Zugec, technical solutions director at Bitdefender. AI is allowing attackers to generate attacks at a volume that can be challenging for organizations to handle if they have not paid attention to basic security hygiene, he says.

"While the industry has advocated for defense-in-depth and multilayered security for years, many environments still suffer from basic issues like flat networks, over-privileged users, and a lack of active MDR or SOC monitoring," Zugec tells Dark Reading. "Vibeware does not rely on technical brilliance. It relies on exploiting the false sense of security in organizations that have simply managed to fly under the radar until now."

Bitdefender assessed APT36's pivot to a vibe-coding model as something of a "technical regression for the threat group itself." But the broader trend could become concerning as the model evolves and the underlying AI tools continue to improve.

"It is a common misconception that every APT group is a collection of elite cyber warriors," Zugec says. Many are bureaucratic government departments staffed by junior operators who have historically relied on adjusting open source projects or existing attack frameworks rather than developing malware from scratch. "For these actors, vibe coding is a way to scale their existing, low-level tactics."

APT36 has for some time been associated with attacks on entities in India's aerospace, defense, and government sectors. Its attack portfolio includes a constantly evolving list of malware for targeting Windows, Linux, and Android environments. The group is known for its extensive use of living-off-the-land binaries and legitimate cloud services to conceal attack activity.
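A defender-side check for the two patterns the article describes, regular beaconing to the legitimate SaaS endpoints named as C2 channels and one host talking to several such channels in parallel, written as an added example that is not from the article or from Bitdefender's research. The proxy log lines are constructed, and the watched domain suffixes, minimum hit count and jitter threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed proxy log "<epoch> <host> <dest>"; ws-17 beacons to two services in parallel.
SAMPLE_LOG = """\
1000 ws-17 api.slack.com
1300 ws-17 api.slack.com
1600 ws-17 api.slack.com
1900 ws-17 api.slack.com
1020 ws-17 discord.com
1320 ws-17 discord.com
1618 ws-17 discord.com
1921 ws-17 discord.com
1010 ws-42 api.slack.com
1900 ws-42 api.slack.com
2100 ws-42 api.slack.com
5400 ws-42 api.slack.com
"""
# Legitimate services the article names as C2 channels (assumed domain suffixes).
WATCHED_SUFFIXES = ("slack.com", "discord.com", "sheets.googleapis.com", "supabase.co")

def parse_log(text):
    return [(int(ts), host, dest) for ts, host, dest in
            (line.split() for line in text.splitlines() if line.strip())]

def watched(dest):
    return any(dest == s or dest.endswith("." + s) for s in WATCHED_SUFFIXES)

def beacon_candidates(rows, min_hits=4, max_jitter=0.1):
    """(host, dest) -> mean interval, for watched dests hit >= min_hits times with stdev/mean <= max_jitter."""
    series = defaultdict(list)
    for ts, host, dest in rows:
        if watched(dest):
            series[(host, dest)].append(ts)
    found = {}
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_jitter:
            found[key] = mu
    return found

def parallel_channels(found):
    """Hosts beaconing to more than one watched service: the multi-implant pattern."""
    per_host = defaultdict(set)
    for host, dest in found:
        per_host[host].add(dest)
    return {h: sorted(d) for h, d in per_host.items() if len(d) > 1}
```

ws-42 contacts Slack as often as ws-17 but at irregular intervals, so it is dropped by the jitter test; only ws-17 surfaces, and it surfaces on two channels at once.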
