- Huntress analyzed the AI-generated malware “Untitled1.ps1,” a noisy custom AD enumeration tool likely built by low-skilled attackers using generative AI.
- Attackers combined it with s5cmd for rapid data exfiltration and SharpShares.exe for enumerating shares before being detected and deleted.
- A report warns that AI “dynamic coding” reduces barriers to cybercrime, producing unique payloads that evade signature-based defenses, requiring behavioral analytics to detect attack lifecycles.
“Unsophisticated” cybercriminals can now easily write malicious code using artificial intelligence (AI) and quickly launch devastating data breach attacks, forcing defenders to rethink their strategies, researchers have claimed.
Security experts Huntress extensively investigated AI-written malware and explained how the AI-generated bespoke payload was a “very aggressive, noisy and personalized bespoke AD enumeration tool”.
Since cybercriminals are typically careful not to make too much noise and attempt to carry out their orders without raising an alarm, researchers suggest this is the work of a low-skilled attacker.
A significant challenge
The malware, titled Untitled1.ps1, was designed to map the Active Directory environment and apparently it did its job well. In the next step, the crooks deployed a legitimate high-speed command line tool for Amazon S3 operations called s5cmd which Huntress says is often used for data exfiltration.
Before being spotted and kicked out, the attackers also deployed a known enumeration tool called SharpShares.exe, filtering common administrative shares while searching for other user-accessible data repositories.
The move from off-the-shelf frameworks to personalized, bespoke AI tools poses a “significant challenge” for defenders, Huntress warns.
“Historically, AV and EDR platforms have relied heavily on file hashes and static string signatures,” they say. “Vibe encoded scripts are inherently unique. Untitled1.ps1 has never existed before and will likely never compile in this exact configuration again.”
As a result, defenders should focus on the “fundamental behaviors of the attack lifecycle.” AI can change the syntax of code, they say, but cannot change the underlying mechanisms of Active Directory enumeration.
“Vibe coding lowers the barrier to entry into cybercrime, allowing unsophisticated actors to generate high-performance, evasive tools on the fly,” the researchers concluded. “While the code itself may be complicated, over-engineered, and filled with AI features like left-out feedback, the threat it poses is very real. To combat this, defenders must abandon rigid signature-based thinking and embrace behavioral analysis to detect underlying actions that no LLM can hide.”

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




