- Huntress analyzed the AI-generated malware “Untitled1.ps1”, a noisy custom AD enumeration tool likely created by low-skilled attackers using generative AI.
- The attackers combined it with s5cmd for quick data exfiltration and SharpShares.exe for share enumeration before being detected and removed.
- A report warns that AI “vibration coding” lowers barriers to cybercrime, producing unique payloads that evade signature-based defenses, requiring behavioral analysis to detect attack lifecycles.
“Unsophisticated” cybercriminals can now easily write malicious code using Artificial Intelligence (AI) and execute devastating data breach attacks quickly, forcing defenders to rethink their strategies, researchers say.
Security experts Huntress thoroughly investigated an AI-written malware and explained how the AI-generated payload was a “customized, noisy, highly aggressive AD enumeration tool.”
Since cybercriminals are generally careful not to make too much noise and try to carry out their orders without raising any alarms, researchers suggest that this was the work of a low-skilled attacker.
An important challenge
The malware, called Untitled1.ps1, was designed to map the Active Directory environment and apparently did its job well. In the next step, the criminals implemented a legitimate high-speed command-line tool for Amazon S3 operations called s5cmd which, according to Huntress, is often used for data exfiltration.
Before being discovered and banned, the attackers also deployed a well-known enumeration tool called SharpShares.exe, which leaked common administrative shares while searching for more data repositories accessible to users.
The move from standard frameworks to custom AI tools is a “major challenge” for defenders, Huntress warns.
“Historically, AV and EDR platforms have relied heavily on file hashes and static string signatures,” they say. “Vibe-coded scripts are inherently unique. Untitled1.ps1 has never existed before and will likely never be compiled in this exact configuration again.”
As a result, defenders should focus on “fundamental attack lifecycle behaviors.” AI can change the syntax of the code, they say, but it can’t change the underlying mechanics of Active Directory enumeration.
“Vibe encryption lowers the barrier to entry for cybercrime, allowing unsophisticated actors to generate highly capable evasive tools on the fly,” the researchers concluded. “While the code itself can be confusing, overly designed, and full of AI features such as left-behind comments, the threat it poses is very real. To combat this, defenders must abandon rigid signature-based thinking and embrace behavioral analytics to detect underlying actions that no LLM can hide.”

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




