Skip to content
AI Security Wire

Published

- 5 min read

By

Huntress Finds 'Vibe-Coded' Malware Used in a Real Attack

img of Huntress Finds 'Vibe-Coded' Malware Used in a Real Attack

A PowerShell script recovered during a Huntress incident response investigation this summer has become the clearest real-world evidence yet that attackers are using AI to build custom offensive tools — one interaction at a time.

The script, which Huntress analysts found on a compromised Windows Server on June 3, wasn’t pulled from a public repository or copied from an existing offensive toolkit. It was generated through what the security community now calls “vibe coding”: iteratively prompting an AI model with natural language until the output works. Huntress published its analysis this week, and the forensic artifacts embedded in the script tell the story almost by themselves.

The Script That Gave Itself Away

The file on disk was named Untitled1.ps1. That’s what you get when you copy code out of an AI chat window and hit save without renaming it. The script’s internal title was “100% Working AD Information Gathering Script – FULLY FIXED” — a label that reveals exactly how it was built. Someone was prompting an AI, hitting errors, pasting those errors back into the chat, and eventually copying out whatever version stopped failing. Humans writing their own tools don’t name them that way. AI models iterating toward a solution do.

The technical fingerprints don’t stop there. The script locates the domain controller using five distinct methods in sequence: a DNS lookup, nltest, the Active Directory PowerShell module, environment variables, and a hardcoded fallback value. Huntress put it plainly: “A human writing this script would typically pick the best one or two methods. An LLM, when told ‘make sure it doesn’t fail to find the DC,’ will exhaustively generate every method in its training data.”

The hardcoded fallback, $dc = "Server1.HR.local", was a placeholder the AI included as an example. The attacker copied the script without editing it out. The value would only matter if all four preceding methods failed simultaneously, so it almost certainly never fired — but it was still there, unchanged, in the deployed payload. That kind of oversight is exactly what you’d expect from someone who doesn’t understand the code they’re deploying.

The Attack Itself

The underlying intrusion followed a familiar pattern. The threat actor got in through RDP using pre-compromised credentials, staged tools in C:\ProgramData, and ran the custom recon script within minutes of establishing the session. Roughly thirty minutes later, they deployed s5cmd.exe — a legitimate Amazon S3 command-line tool that Huntress has documented being repeatedly abused for data exfiltration. A second pass with SharpShares.exe followed, hunting for additional data repositories.

Once the AI-generated script located the domain controller, it ran a structured dump of Active Directory users, computers, groups, organizational units, subnets, domain trusts, DNS subnet records, and a filtered list of users with email addresses. Everything landed in a timestamped directory under C:\AD_Reports_, saved as CSV files.

The script then did something the attacker almost certainly didn’t ask for: it generated a formatted HTML summary report. Huntress’s read on this is that it was an unsolicited addition from the AI — a “helpful inject” that the attacker went along with rather than specifically requesting. The result was a nicely formatted summary of all the data theft, sitting in the staging directory, ready to be read by anyone who wanted to understand the collection. A nice touch, if unintentional.

The Detection Problem

Huntress is clear that AI isn’t fundamentally changing the attack methodology here. “The underlying attack chain still resembles the tried-and-tested smash-and-grab playbook we’ve seen for years,” the researchers write. “This core methodology has remained consistent, but it is now being selectively augmented by AI. This hybrid approach prioritises aggression and speed over stealth, allowing threat actors to execute highly damaging campaigns faster than ever.”

What it does change is the detection surface. Untitled1.ps1 has no prior hash. It didn’t match anything in any signature database. Traditional endpoint protection looking for known malicious binaries or PowerShell strings would have seen nothing to flag.

Huntress caught it through behavioral telemetry — specifically, PowerShell script block logging via Event ID 4104, which captured the script’s contents at execution time and allowed analysts to reconstruct exactly what ran. The behaviors in that log: enumerating Active Directory users and computers at scale, dumping results to CSV in a staging directory, then zipping the archive. Those behaviors are detectable regardless of whether an AI or a human wrote the script that produced them.

”Vibe coding lowers the barrier to entry for cybercrime, allowing unsophisticated actors to generate highly capable, evasive tooling on the fly,” Huntress concludes. “While the code itself may be messy, over-engineered, and filled with AI hallmarks like left-behind comments, the threat it poses is very real. To combat this, defenders must abandon rigid, signature-based thinking and embrace behavioral analytics to catch the underlying actions that no LLM can hide.”

What Changes, What Doesn’t

The Huntress case demonstrates something important about where the AI-augmented threat landscape is heading. The barrier to building custom tooling has dropped significantly. An attacker who couldn’t write PowerShell two years ago can now prompt their way to a functional AD enumeration script. The artifact quality is lower — placeholder values left in, unsolicited HTML reports included, five DC discovery methods where one would do — but the operational output is the same: a working script that maps an Active Directory environment and stages the data for exfiltration.

What AI can’t change is the fundamental structure of an attack. Enumeration happens. Data gets collected. Archives get staged. Exfiltration follows. Those sequences are detectable. PowerShell script block logging, endpoint telemetry focused on behavioral patterns rather than binary hashes, and attention to lateral movement indicators are the right controls for an environment where the specific code used in any given attack will never have been seen before.

The Untitled1.ps1 incident is probably the first of many. It won’t be the last script that arrived in an attacker’s toolkit via an AI chat window and left a staging directory full of CSV files behind.

References

Frequently Asked Questions

What is 'vibe-coded' malware?
Vibe coding is the practice of writing software by iteratively prompting an AI model with natural language until it produces working output — no manual syntax required. In the Huntress case, a threat actor used this technique to generate a custom PowerShell script for Active Directory enumeration without writing the code themselves. The name comes from the informal way developers (and now attackers) interact with AI coding tools, treating them like a collaborative tool rather than a compiler.
Why is AI-generated malware harder to detect with traditional tools?
Traditional endpoint detection and antivirus tools rely heavily on file hashes and static string signatures. A script generated fresh by an AI for a specific incident has no hash to match against — it's never existed before. This makes signature-based detection useless. Huntress's approach, catching the activity through behavioral telemetry rather than file recognition, demonstrates why defenders need to focus on what code does at runtime rather than what it looks like on disk.
What does this mean for defenders going forward?
The behaviors that matter for detection — Active Directory enumeration, bulk CSV exports, archive creation in staging directories — are the same whether a human or an AI wrote the script. Attackers can change the code; they can't easily change the underlying attack lifecycle. Defenders who focus on behavioral analytics rather than signature matching are better positioned to catch AI-generated tooling regardless of how novel the specific script is.