A Pakistan-aligned hacking group known as Transparent Tribe is using artificial intelligence coding tools to produce large numbers of malware implants in a campaign primarily targeting India, according to new research from cybersecurity firm Bitdefender.
Security researchers say the activity reflects a shift in how some threat actors are developing malicious software. Instead of focusing on highly advanced malware, the group appears to be generating a large volume of implants written in multiple programming languages and distributed across different infrastructure.
Researchers said the operation is designed to create a “high-volume, mediocre mass of implants” using less common languages such as Nim, Zig and Crystal while relying on legitimate platforms including Slack, Discord, Supabase and Google Sheets to help evade detection.
“Rather than a breakthrough in technical sophistication, we are seeing a transition toward AI-assisted malware industrialization that allows the actor to flood target environments with disposable, polyglot binaries,” Bitdefender researchers said in a technical analysis of the campaign.
The strategy involves creating numerous variations of malware rather than relying on a single sophisticated tool. Bitdefender described the approach as a form of “Distributed Denial of Detection,” where attackers overwhelm security systems with large volumes of different binaries that use various communication protocols and programming languages.
Researchers say large language models have lowered the barrier for threat actors by allowing them to generate working code in unfamiliar languages or convert existing code into different formats.
That capability makes it easier to produce large numbers of malware samples with minimal expertise.
The campaign has primarily targeted Indian government organizations and diplomatic missions abroad.
Investigators said the attackers also showed interest in Afghan government entities and some private businesses.
According to the analysis, the attackers use LinkedIn to identify potential targets before launching phishing campaigns.
Victims may receive emails containing ZIP archives or ISO images that include malicious Windows shortcut files.
In other cases, victims are sent PDF documents that include a “Download Document” button directing them to attacker-controlled websites.
These websites trigger the download of malicious archives.
Once opened, the shortcut file launches PowerShell scripts that run in memory.
The scripts download a backdoor and enable additional actions inside the compromised system. Researchers said attackers sometimes deploy well-known adversary simulation tools such as Cobalt Strike and Havoc to maintain access.
Bitdefender identified a wide range of custom tools used in the campaign. These include Warcode, a shellcode loader written in Crystal designed to load a Havoc agent into memory, and NimShellcodeLoader, which deploys a Cobalt Strike beacon.
Another tool called CreepDropper installs additional malware, including SHEETCREEP, a Go-based information stealer that communicates with command servers through Microsoft Graph API, and MAILCREEP, a backdoor written in C# that uses Google Sheets for command and control.
Researchers also identified SupaServ, a Rust-based backdoor that communicates through the Supabase platform with Firebase acting as a fallback channel. The code includes Unicode emojis, which researchers said suggests it may have been generated with the help of AI.
Additional malware used in the campaign includes CrystalShell and ZigShell, backdoors written in Crystal and Zig that can run commands, collect host information and communicate with command servers through platforms such as Slack or Discord.
Other tools observed in the operation include LuminousStealer, a Rust-based information stealer that exfiltrates files to Firebase and Google Drive, and LuminousCookies, which extracts cookies, passwords and payment information from Chromium-based browsers.
Bitdefender said the attackers are also using utilities such as BackupSpy to monitor file systems for sensitive data and ZigLoader to decrypt and execute shellcode directly in memory.
Despite the large number of tools involved, researchers say the overall quality of the malware is often inconsistent.
“The transition of APT36 toward vibeware represents a technical regression,” Bitdefender said, referring to the Transparent Tribe group. “While AI-assisted development increases sample volume, the resulting tools are often unstable and riddled with logical errors.”
Still, the researchers warned that the broader trend could make cyberattacks easier to scale. By combining AI-generated code with trusted cloud services, attackers can hide malicious activity within normal network traffic.
“We are seeing a convergence of two trends that have been developing for some time the adoption of exotic programming languages and the abuse of trusted services to hide in legitimate traffic,” the researchers said.
They added that this combination allows even relatively simple malware to succeed by overwhelming traditional detection systems with sheer volume.
