Threat actors in Latin America have begun to use AI agents to facilitate their entire attack chains, from assisting with initial access to generating penetration tools on the fly — and organizations need to prepare accordingly.
Trend Micro’s TrendAI Research team yesterday published research concerning two threat actors in the region using AI agents — and specifically vibe-coded hacking, or “vibe-hacking” — to compromise government organizations and other entities.
The first campaign, “Shadow-Aether-040,” was first identified in late 2025. An attacker was targeting Latin American organizations in the public sector, along with organizations in financial services, aviation, and retail. TrendAI researchers identified a command-and-control (C2) server used by the campaign that lacked operational security, and were thus able to suss out details on how the attack was conducted.
Based on TrendAI researchers’ access to the C2 server, Shadow-Aether-040 compromised six government entities in Mexico between Dec. 27 and Jan. 4. Attackers executed activities across the full chain of compromise with the support of AI agents — ultimately leading to data theft in some cases.
TrendAI Research tracked the second campaign, “Shadow-Aether-064,” beginning in April. There were significant commonalities between this campaign and Shadow-Aether-040, namely similar tooling, but TrendAI assessed the campaigns to be possibly distinct. Specifically, Shadow-Aether-040 was observed to be Spanish-speaking, while Shadow-Aether-064 was likely operated by Brazilian Portuguese speakers. And while Shadow-Aether-064 also used significant AI tooling in all stages of its operation, it primarily targeted financial organizations in Brazil with the aim of stealing financial data.
Vibe Hacking Across a Complete AI Cyberattack Chain
Shadow-Aether-040 was able to jailbreak the AI agent and make it do its bidding by claiming the instructions were for an “authorized red-team exercise.” While AI agents generally have safeguards to prevent this kind of thing, multiple iterative attempts enabled the attacker to succeed.
Shadow-Aether-040 leveraged an agentic command line interface (CLI) to target organizations, and the CLI sent prompts to Anthropic’s Claude. This campaign treated the agent as a kind of assistant that would be given tasks to help support the operation.
For instance, the attacker had the AI agent use Shodan and VulDB to identify potential vulnerabilities on an external-facing server; once the vulnerability scanners identified the bugs on targeted servers, the attackers then deployed Web shells for initial access.
After that, the threat actor commanded its AI agent to use Web shells to deploy additional backdoors and traffic-tunneling tools to maintain persistence. TrendAI also identified one backdoor, a Python-based package called “implante_http,” that was likely created with AI assistance.
Along the way, Shadow-Aether-040 instructed the AI to document the workflow of the attack and organize collected information into different directories as Markdown files.
“This allowed the AI agent to understand previously completed actions, restore the prior operational context by reading through the Markdown files inside a given folder, and continue work on the unfinished tasks at any time,” the researchers’ blog post read.
Shadow-Aether-064 similarly used AI agents to compromise and remotely command servers. Both actors leveraged ProxyChains, SOCKS5 tunneling, and SSH for initial access, as well as additional open source tooling like Chisel, CrackMapExec, Impacket, and Neo-reGeorg.
But most striking here is that both campaigns also created custom, dynamically generated hacking tools and scripts using AI, making it harder for traditional security solutions to detect, since they rely on known signatures. The tools were used to support network scanning, password spraying, and vulnerability exploitation. Both also created “custom backdoors capable of establishing reverse tunnels for traffic forwarding from a SOCKS5 proxy,” according to the research.
“Because these dynamically generated commands, scripts, and code differ with each execution, they effectively replace open source hacking tools that are more likely to be detected, reducing the possibility of detection by traditional security solutions,” TrendAI explained.
Vibe Hacking Is Imperfect; Position Now for Defense
Shadow-Aether-040 and Shadow-Aether-064 are the latest examples of threat actors using AI agents for front-to-back threat activities, and this won’t be the last time security professionals will hear about this kind of thing, in Latin America and beyond. As AI assistants capable of complex technical tasks become more accessible to threat actors, stories like this will almost certainly become more common.
Stephen Hilt, principal threat researcher at TrendAI, tells Dark Reading that the way these attacks were conducted goes beyond a simple smash and grab.
“What AI enabled in both cases was the operational tempo to pursue those objectives faster and with less manual overhead,” he says. “Threat actors will always take the path of least resistance and right now AI is that path, but the motivation driving these campaigns goes deeper than just convenience.”
But there’s good news, because vibe hacking isn’t quite ready for prime time, which gives defenders a chance to position for resilience. “Ransomvibing” recently infested the Visual Studio Extension Market, but the malicious VS Code extension failed to remove obvious signs of its malicious nature. Pakistan’s APT36 nation-state group has begun using vibe-coding to churn out malware at scale, but the results so far are mediocre at best. And the vibe-coded Sicarii ransomware entered the scene last year, but it has poorly designed code and its output can’t be decrypted.
TrendAI researchers noted in the report that they identified cases where vibe-hacking threat actors failed because the AI agent couldn’t determine a clear path for lateral movement. In these cases, the targets had stronger security configurations. This is where doing the security basics comes in handy.
“Against an environment with strong security fundamentals, even AI-augmented campaigns will struggle to find a way through,” the research blog post read. “Timely patching, properly implemented zero-trust access controls, and comprehensive monitoring of environmental activity will be increasingly important in defending against this evolving threat landscape.”