A Pakistan-linked threat group is overwhelming Indian government networks with a new breed of disposable, AI-generated malware in a campaign that marks a concerning shift in the digital conflict between the two nations.
According to research from Bitdefender, the threat actor APT36 (also known as Transparent Tribe) has shifted away from sophisticated, carefully crafted tools toward what researchers call “Vibeware”—a wave of mediocre, AI-generated code designed to overwhelm security systems through sheer volume rather than technical sophistication.
The Vibeware Strategy: Quantity Over Quality
The attackers are using AI to rapidly develop tooling in niche programming languages such as Nim, Zig, and Crystal. The obscurity is the point: signature databases, sandboxes, and analyst tooling see far fewer samples built on these runtimes than on the C/C++, .NET, and Go binaries that make up most malware, so the resulting executables attract fewer detections. The quality of the output, however, is often extremely low.
In one notable example, hackers deployed a tool meant to steal browser data but forgot to include the web address to send the stolen information to—effectively creating a tool that “phoned home to nowhere.”
This represents a tactical shift Bitdefender calls “Distributed Denial of Detection”—instead of building a few sophisticated tools, APT36 is throwing thousands of cheap, AI-made malware variants at the door, hoping some will eventually bypass defenses while exhausting security teams with a constant flood of low-grade threats.
False Flag Operations and Psychological Warfare
The campaign includes deliberate deception attempts. Researchers found a common Hindu name, “Kumar,” hidden inside the code’s file paths, suggesting the developers are planting digital breadcrumbs to trick investigators into looking for a culprit within India itself. They even named a Discord server “Jinwoo’s Server,” a nod to popular anime, to blend in with regular internet culture.
Malware Capabilities: LuminousCookies and BackupSpy
Despite the errors, some tools are genuinely sophisticated. A tool called LuminousCookies was caught attempting to bypass App-Bound Encryption, the mechanism Chrome and Edge use to tie decryption of cookies and other stored credentials such as saved passwords to the browser's own identity, so that a foreign process cannot simply read them out of the profile. Rather than attacking that lock from outside, the malware gets its code running inside the browser process and requests the keys from there, where the request appears to come from a legitimate browser component.
The group also exploits user trust by modifying desktop shortcuts for Google Chrome and Microsoft Edge. When a victim clicks their browser icon, they silently launch a background spy. Initial infection often starts with a fake resume PDF that tricks users into clicking a “Download” button that installs the malware.
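The shortcut hijack described above can be hunted for by reading the .lnk files themselves rather than trusting the icon on the desktop. The Python below is an added example, not Bitdefender's tooling or anything recovered from the campaign: it implements a minimal parser for the Windows shell link format (MS-SHLLINK) that extracts the local target path, arguments and icon location, then flags a browser shortcut whose target is not the browser executable. Both shortcut files are constructed inside the script so it runs without Windows; the hijacked one (target svchost.exe under C:\Users\Public\Libraries, the real Chrome path passed as an argument, Chrome's own icon) is a hypothetical layout, since the article does not say which fields APT36 edits.

```python
import struct

# Constants from MS-SHLLINK (the Windows shell link, ".lnk", format).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the local target path plus the StringData fields of a .lnk file."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the PIDL; we want the plain path
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    target = None
    if flags & HAS_LINK_INFO:
        info_start = pos
        info_size, _hdr_size, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x1:                        # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", info_start + base_off)
            target = data[info_start + base_off:end].decode("cp1252")
        pos = info_start + info_size
    fields = {"target": target}
    for flag, name in STRING_FIELDS:                # StringData: CountCharacters + chars, no terminator
        if flags & flag:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return fields


def build_lnk(target: str, arguments: str = "", icon: str = "") -> bytes:
    """Build a minimal .lnk (LinkInfo + StringData only) so the example runs without Windows."""
    flags = HAS_LINK_INFO | IS_UNICODE
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon else 0
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base_path = target.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\x00"
    def sd(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + link_info + (sd(arguments) if arguments else b"") + (sd(icon) if icon else b"") + b"\x00" * 4


LOLBIN_HOSTS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def audit_browser_shortcut(data: bytes, expected_exe: str) -> list:
    """Flag a browser shortcut whose target is not expected_exe (e.g. 'chrome.exe')."""
    info = parse_lnk(data)
    target = (info.get("target") or "").lower()
    args = info.get("arguments", "").lower()
    icon = info.get("icon_location", "").lower().split(",")[0]
    findings = []
    if not target.endswith("\\" + expected_exe):
        findings.append(f"target is {info.get('target')!r}, not {expected_exe}")
        if icon.endswith(expected_exe):
            findings.append("shortcut borrows the browser's own icon, so it looks untouched")
    if expected_exe in args:
        findings.append("real browser path passed as an argument (pass-through launch)")
    if any(h in target or h in args for h in LOLBIN_HOSTS):
        findings.append("script host or LOLBin in target/arguments")
    return findings


# Constructed samples (hypothetical layout; the article does not state which fields APT36 edits).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LEGIT_LNK = build_lnk(CHROME)
HIJACKED_LNK = build_lnk(r"C:\Users\Public\Libraries\svchost.exe",
                         arguments=f'--launch "{CHROME}"', icon=CHROME + ",0")

if __name__ == "__main__":
    for label, blob in (("legit", LEGIT_LNK), ("hijacked", HIJACKED_LNK)):
        print(label, parse_lnk(blob)["target"], audit_browser_shortcut(blob, "chrome.exe") or "clean")
```

On a real estate, feed audit_browser_shortcut the bytes of every .lnk under the user and Public desktops and the Start Menu, with the expected executable name taken from the shortcut's own file name; the parser ignores the IDList and extra data blocks, which is enough for this check but not a general-purpose .lnk tool.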
Another tool, BackupSpy, acts as a digital dragnet—scanning every drive and USB stick for 16 specific file types including Office documents (.docx, .xlsx), PDFs, and images (.png, .jpg). It maintains an inventory list to track exactly what has been stolen.
Living Off Legitimate Services
APT36 also hides its traffic inside legitimate cloud services. The group uses Google Sheets to deliver command-and-control instructions and Slack or Discord to receive stolen files. The connections go over TLS to well-known domains that most organizations cannot block, so the activity resembles office workers updating spreadsheets and chatting; domain reputation and URL blocklists give nothing to alert on, and detection has to fall back on which process made the request and how that process behaves.
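What does stand out, when proxy or EDR telemetry attributes each connection to a process, is who is talking to these APIs and in what pattern. The Python below is an added example, not Bitdefender's detection content or anything from the campaign. It runs three checks over a constructed proxy log whose column layout is assumed for illustration: a process other than a browser or the official client reaching the Google Sheets, Discord or Slack API hosts; a request for the same Sheets range repeating on a fixed interval, which is what a spreadsheet-as-C2 poll looks like; and a large POST to a Discord webhook or the Slack file upload endpoint. The allowlist of expected client processes is an assumption to tune per estate.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Which processes are expected to talk to the SaaS API hosts the article names.
# Assumption for the example: tune this to the clients actually deployed in your estate.
EXPECTED_CLIENTS = {
    "sheets.googleapis.com": {"chrome.exe", "msedge.exe"},
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe"},
    "slack.com": {"slack.exe", "chrome.exe", "msedge.exe"},
}
UPLOAD_PATHS = ("/api/webhooks/", "/api/files.upload")   # Discord webhook, Slack file upload
LARGE_POST_BYTES = 1_000_000
MIN_BEACONS = 4          # requests needed before the interval check is meaningful
MAX_JITTER = 0.15        # pstdev/mean of inter-request gaps; a sleep(60) loop sits near 0

# Constructed proxy log with process attribution (not real telemetry; layout is assumed).
SAMPLE_LOG = """\
timestamp,host,process,dest_host,method,path,bytes_out
2025-01-10T09:00:01Z,ws-017,chrome.exe,docs.google.com,GET,/spreadsheets/d/aaa/edit,1200
2025-01-10T09:00:10Z,ws-017,chrome.exe,sheets.googleapis.com,GET,/v4/spreadsheets/aaa/values/Sheet1,800
2025-01-10T09:01:00Z,ws-042,updater.exe,sheets.googleapis.com,GET,/v4/spreadsheets/xyz/values/cmd,512
2025-01-10T09:02:00Z,ws-042,updater.exe,sheets.googleapis.com,GET,/v4/spreadsheets/xyz/values/cmd,512
2025-01-10T09:03:01Z,ws-042,updater.exe,sheets.googleapis.com,GET,/v4/spreadsheets/xyz/values/cmd,512
2025-01-10T09:04:00Z,ws-042,updater.exe,sheets.googleapis.com,GET,/v4/spreadsheets/xyz/values/cmd,512
2025-01-10T09:05:30Z,ws-042,updater.exe,discord.com,POST,/api/webhooks/1234/token,4200000
2025-01-10T09:06:00Z,ws-042,updater.exe,slack.com,POST,/api/files.upload,3900000
2025-01-10T09:07:00Z,ws-088,slack.exe,slack.com,POST,/api/files.upload,150000
"""


def parse_log(text: str) -> list:
    """Parse the CSV log into dicts with a datetime 'ts' and an int 'bytes_out'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
        r["bytes_out"] = int(r["bytes_out"])
    return rows


def detect(rows: list) -> list:
    """Return alert dicts with kind in {unexpected-process, bulk-upload, beacon}."""
    alerts, seen = [], set()
    series = defaultdict(list)      # (host, process, dest, path) -> request timestamps
    for r in rows:
        expected = EXPECTED_CLIENTS.get(r["dest_host"])
        if expected is None:
            continue                # not one of the abused services
        proc = r["process"].lower()
        series[(r["host"], proc, r["dest_host"], r["path"])].append(r["ts"])
        if proc not in expected and (r["host"], proc, r["dest_host"]) not in seen:
            seen.add((r["host"], proc, r["dest_host"]))      # one alert per host/process/service
            alerts.append({"host": r["host"], "kind": "unexpected-process",
                           "detail": f'{r["process"]} -> {r["dest_host"]}'})
        if (r["method"] == "POST" and r["bytes_out"] >= LARGE_POST_BYTES
                and any(p in r["path"] for p in UPLOAD_PATHS)):
            alerts.append({"host": r["host"], "kind": "bulk-upload",
                           "detail": f'{r["process"]} sent {r["bytes_out"]} bytes to {r["dest_host"]}{r["path"]}'})
    for (host, proc, dest, path), stamps in series.items():
        if len(stamps) < MIN_BEACONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER:
            alerts.append({"host": host, "kind": "beacon",
                           "detail": f"{proc} polls {dest}{path} every ~{mean:.0f}s"})
    return alerts


def alerted_hosts(text: str = SAMPLE_LOG) -> set:
    """Hosts that produced at least one alert; handy for feeding a triage queue."""
    return {a["host"] for a in detect(parse_log(text))}


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a["host"], a["kind"], a["detail"])
```

The beacon check uses the coefficient of variation of the gaps between requests, so a poll loop with a second of scheduling noise still trips it while a human editing a sheet does not; the process allowlist is the rule that carries most of the weight, and it only works if the telemetry source records the originating process rather than just the endpoint.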
Implications for Defenders
This campaign demonstrates an evolving threat landscape where AI enables even moderately skilled threat actors to generate massive volumes of malware variants. For security teams, this means dealing with a steady flood of low-grade threats while still trying to identify the handful that actually work.
The use of obscure programming languages combined with legitimate cloud services for command and control further complicates detection. Organizations should make sure their sandboxes and static tooling handle binaries from non-standard languages and runtimes, and they need network telemetry that attributes each connection to a process: a browser reaching the Sheets, Discord, or Slack APIs is normal, while a program that is neither a browser nor the official client doing so on a fixed schedule is not. The hijacked browser shortcuts and the fake-resume lure are simple enough to hunt for directly.
Source: Hackread / Bitdefender
