75%
Reduction in attacker time-to-exfiltration for the fastest AI-assisted intrusions (Unit 42 2026 IR Report)
89%
Increase in AI-enabled adversary attacks year-over-year (CrowdStrike 2026 Global Threat Report)
30 min
Total time from RDP access to complete Active Directory enumeration and S3 exfiltration in the June 3 intrusion
0
Antivirus detections on the vibe-coded script: every AI-generated tool arrives with a unique, never-indexed hash

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A low-skilled threat actor used a large language model to generate a fully functional Active Directory reconnaissance tool during a confirmed network intrusion on June 3, 2026, creating a bespoke script with zero antivirus detections because it had never existed before. Huntress researchers recovered the script from the live incident and published their technical breakdown on July 8, making this the first detailed case study of AI-generated malware caught doing real damage in the wild, not in a lab or a red-team exercise.

The script's internal title said everything about how it was built: "100% Working AD Information Gathering Script - FULLY FIXED." That phrase captures the iterative AI prompting cycle where attackers paste error output back into a large language model until the code runs without exceptions. The attacker needed no programming background. The AI handled every line of code.

The capability that vibe-coded malware unlocks is not technical sophistication. The script used standard, documented Active Directory enumeration methods that defenders have tracked for years. What it unlocked was uniqueness on demand: every AI-generated script is produced fresh for each attack, meaning file hashes, YARA signatures, and code patterns that antivirus and endpoint detection tools depend on as lookup keys are structurally useless against it.

The attacker gained initial access through pre-compromised RDP credentials and executed the script within minutes of establishing the session. Within 30 minutes, the script had enumerated every user, computer, group, organizational unit, subnet, and trust relationship in the domain and packaged the results into a zip archive. The attacker then deployed Amazon's legitimate s5cmd.exe utility to exfiltrate the archive to an external S3 bucket.

AI-generated Active Directory mapping attacks are operational today, confirmed against real targets, and accessible to any threat actor who can type a request into an AI interface. The skill floor for building bespoke, signature-evading reconnaissance tools is gone.

How Does AI-Generated Malware Eliminate the Skill Barrier?

Vibe coding is the process of generating functional software by iteratively prompting an AI in plain language until the output performs the desired task. In software development, this approach has made programming accessible to non-developers. In cyberattacks, it hands any criminal the ability to build bespoke, one-off attack tools without any programming background.

The critical operational advantage vibe-coded attack tools provide is not capability. Most of what an AI generates follows well-documented attack patterns already captured in threat databases. The advantage is uniqueness. Every AI-generated script is written from scratch on each iteration, meaning no two instances share identical code structure, variable names, function signatures, or logic flow. File hashes, YARA signatures, and code patterns that antivirus and endpoint detection tools use as lookup keys are useless. A vibe-coded tool arrives at every target as a brand-new executable no database has ever indexed.

Unit 42's 2026 Global Incident Response Report documents the practical result: the fastest 25% of intrusions now reach data exfiltration in 1.2 hours, down from 4.8 hours the prior year, a 75% reduction driven primarily by AI-assisted reconnaissance and lateral movement automation. Attackers using AI-generated tools no longer need to adapt generic malware frameworks, debug compiled binaries, or wait for forum access to purchase an exploit kit.

The attacker provides the objective. The AI writes the tool. The attacker pastes and executes.

CrowdStrike's 2026 Global Threat Report documents an 89% increase in attacks by AI-enabled adversaries year-over-year, with attackers moving from experimental AI use to routine operational deployment. The Huntress incident confirms the bottom end of this trend: even commodity attackers without technical backgrounds are now vibe-coding their entire toolsets.

Inside the June 3 Intrusion: The Vibe-Coded Script at Work

The threat actor had already obtained valid RDP credentials before deploying the vibe-coded script. The original source of those credentials was not confirmed by Huntress, though VPN credential compromise is the leading hypothesis based on the attack pattern. Once the attacker established an RDP session on a domain-joined Windows Server, the AI-generated script was staged to "C:\ProgramData\Untitled1.ps1" and executed within minutes.

The script performed a systematic sweep of the Active Directory environment through a five-step cascading fallback mechanism for domain controller discovery: DNS queries, nltest, the Active Directory PowerShell module, environment variables, and a hardcoded placeholder hostname. After locating the domain controller, it enumerated every user account, computer object, group and group membership, organizational unit, subnet, and domain trust relationship. It saved eight separate CSV files to a timestamped output directory and generated a polished HTML summary report measuring enumeration success. The entire output was then packaged into a zip file.

Approximately 30 minutes after the script executed, the attacker deployed "C:\ProgramData\s5cmd.exe," a legitimate Amazon S3 command-line utility, to exfiltrate the zip archive to an attacker-controlled S3 bucket. The attacker also ran "SharpShares.exe" to identify user-accessible file shares beyond standard administrative shares, extending the reconnaissance to the organization's file storage layer.

The same pattern of AI-assisted tooling appeared two weeks earlier at the nation-state level. APT28's LAMEHUG malware used a live LLM API to generate command-and-control instructions mid-operation, demonstrating that AI-generated tooling has spread from ransomware operators to state-sponsored actors and now to opportunistic criminals with no group affiliation. The attack surface for AI-generated offensive tooling spans the entire threat actor spectrum.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

AI Hallmarks: Five Technical Signs That Exposed the Script

The script betrayed its AI origin through five technical artifacts that Huntress researchers documented as replicable detection indicators for blue teams.

The first was the title. "100% Working AD Information Gathering Script - FULLY FIXED" reflects the iterative error-correction cycle visible in any AI coding session. No human developer names a production attack tool with this phrasing; it reads like the AI's response summary after a debugging loop.

The second was an unedited placeholder. The domain controller discovery fallback contained a literal example hostname from the LLM's training data that the attacker never replaced before execution. The script ran with the example hostname embedded, meaning it would have fallen back to a non-existent value in any environment where the primary discovery methods failed.

The third was over-engineering. The DC discovery mechanism used five distinct methods in sequence. A human developer with knowledge of the target environment would write one or two optimal methods. LLMs reproduce all approaches from training data simultaneously rather than selecting the correct one.

The fourth was decorative output. The script contained saturated colored "Write-Host" commands producing cyan headers, green success indicators, red failures, and yellow warnings. Human attackers writing disposable reconnaissance tools do not add color schemes. LLMs add them because they appear in training data for user-friendly terminal applications.

The fifth was the HTML report. A polished HTML summary was generated automatically with formatted tables measuring enumeration success. The attacker did not need this report for operational purposes. The LLM added it as a "helpful" feature beyond what was requested, a behavior pattern consistent across LLM-generated tooling.

These artifacts are not just evidence of AI authorship. They are behavioral detection anchors that remain consistent regardless of how the underlying code is restructured.

Who Is Exposed: AI Removed the Skill Floor

Every organization running Active Directory is a potential target for AI-generated reconnaissance at this threat level. The specific capability that vibe coding unlocks is not technical sophistication. It is entry-level access to bespoke tool generation for any attacker who can type a request.

Signature-based antivirus and endpoint detection tools protect against known threats. AI-generated malware is unknown by construction. The AI-built ransomware toolkit that bypassed 70-plus EDR controls in a live campaign documented in June 2026 demonstrated the same principle at the payload level: AI-iteratively-refined code eventually produces variants that evade any static signature set. The vibe-coded reconnaissance script demonstrates identical evasion at the reconnaissance phase.

The threat extends beyond the specific script Huntress analyzed. Any attacker who can follow instructions can now generate a custom Active Directory enumeration script, a custom process injector, a custom data stager, or a custom persistence mechanism. Each generation produces a unique artifact with no prior detection record.

Organizations that have historically categorized low-skilled threat actors as lower-priority risks based on their limited tooling access need to update that assessment. The tooling barrier no longer exists. A criminal with an API key and a clear objective can produce functional, signature-evading attack tools for any phase of an intrusion.

The sectors most exposed are those where Active Directory is the backbone of identity infrastructure and where incident response teams lack the behavioral detection maturity to catch what hashes cannot flag: healthcare, financial services, critical infrastructure, and government agencies.

Sigma Detection Rules for AI-Generated Active Directory Enumeration

No CVE-specific Sigma rule exists for vibe-coded malware because this threat class has no CVE identifier. AI-generated attack tools are not a software vulnerability; they are a technique for producing novel offensive tooling. Detection focuses on the behaviors these tools produce rather than the tools themselves.

The two core log sources for detection are Microsoft-Windows-LDAP-Client/Debug ETW logging, which captures LDAP search filter patterns consistent with Active Directory enumeration, and Windows PowerShell Script Block Logging (Event ID 4104), which records the full content of every PowerShell script executed regardless of obfuscation or uniqueness. Script Block Logging is what allowed Huntress to recover and analyze the vibe-coded script after execution. Without it, the script would have left no recoverable artifact.

The third detection layer covers the exfiltration phase. Cloud CLI tools like s5cmd, rclone, AzCopy, and AWS CLI, when executed from non-IT accounts or from directories like C:\ProgramData, represent a behavioral anomaly that SIEM rules can catch regardless of the specific binary name. The Rclone detection rule below covers the same exfiltration-via-cloud-CLI behavior pattern that s5cmd represents, applied to any cloud sync utility appearing outside approved tooling.

Use sigma-cli to convert the YAML below to Splunk SPL, Microsoft Sentinel KQL, or Elastic ESQL. Deploy the LDAP and PowerShell rules to domain controllers first; deploy the cloud CLI exfiltration rule across all endpoints.

Subscribe to unlock Sigma Detection Rules

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

IOCs and Behavioral Indicators from the June 3 Attack

The June 3, 2026 intrusion produced no network-layer IOCs suitable for blocklist deployment. The attacker used legitimate cloud infrastructure for exfiltration, making the destination indistinguishable from authorized Amazon S3 traffic at the network level.

The actionable detection artifacts are behavioral and filesystem-based.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How to Detect AI-Generated Malware When Signatures Fail

Behavioral and telemetry-based detection is the only reliable control against AI-generated attack tooling. Signature-based detection cannot index code that did not exist before this attack.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

AI-generated malware Active Directory attacks are confirmed in the wild: a real attacker vibe-coded a PowerShell script that mapped an entire domain in 30 minutes, exfiltrated the results with zero antivirus detections, and left no recoverable hash for threat intelligence feeds to catch. Every traditional signature-based defense fails against this attack class by design. Three actions before end of business today: enable PowerShell Script Block Logging (Event ID 4104) on all domain-joined servers, deploy behavioral SIEM alerts for AD enumeration patterns and cloud CLI tool execution by non-IT accounts, and audit every RDP-accessible server for pre-compromised credentials using breach monitoring.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is vibe-coded malware?

Vibe-coded malware is attack tooling generated by a large language model through iterative natural-language prompting rather than manual scripting. The attacker describes the desired attack capability in plain English, the AI generates functional code, and the attacker tests and re-prompts until the tool works. Each generation produces unique code with a hash value that has never appeared in any threat database, making signature-based antivirus and endpoint detection structurally ineffective against it. The term mirrors vibe coding from software development, where non-developers use AI to generate working software.

How does an attacker use AI to generate cyberattack tools?

The attacker submits a plain-language request describing the attack capability needed, for example, write a PowerShell script that enumerates all Active Directory users and exports them to a CSV. The AI returns working code. When the code fails, the attacker pastes the error message back into the AI and asks it to fix the problem. This iterative cycle continues until the tool executes successfully. No programming knowledge is required; the entire process mirrors fixing a software bug with AI assistance. The script recovered by Huntress from the June 3, 2026 intrusion still contained the AI's error-correction language in its title.

Can AI-generated malware bypass antivirus detection?

Yes, by construction. Antivirus and endpoint detection tools rely primarily on hash-based matching against known malicious files and signature patterns identified in prior incidents. An AI-generated tool produces unique code on every generation, meaning its hash value has never appeared in any database. The specific script Huntress recovered from the June 3, 2026 intrusion had zero prior detections. AI-generated tools are not undetectable; behavioral monitoring that focuses on what code does rather than what it looks like remains effective against the underlying attack patterns regardless of how the code is structured.

What is the risk if an attacker maps my Active Directory environment?

A complete Active Directory map gives attackers every object in your identity infrastructure: every user account and its attributes, every group membership and privilege assignment, every computer object and its location, every domain trust relationship, and the full subnet topology. This data enables lateral movement planning (which accounts have admin rights to which systems), targeted phishing (email addresses with specific access levels), and persistence planning (which service accounts to compromise for durable access). Active Directory enumeration is the standard precursor to privilege escalation and ransomware deployment. Organizations that detect enumeration events have a narrow window to contain an intrusion before it escalates to full compromise.

How do I detect AI-generated PowerShell scripts in my network?

Enable PowerShell Script Block Logging (Event ID 4104) via Group Policy on all domain-joined servers. This captures the full content of every PowerShell script executed regardless of obfuscation or uniqueness, which is how Huntress recovered the vibe-coded script. Then deploy behavioral SIEM rules targeting what these scripts do rather than what they look like: high-volume LDAP queries in a single session, creation of CSV export files with AD-related naming patterns, generation of HTML reports in unexpected directories, and deployment of cloud CLI tools immediately after a PowerShell session. These behavioral patterns persist regardless of how AI restructures the underlying code.

What is s5cmd.exe and why should I monitor it for exfiltration?

s5cmd is a legitimate, high-performance Amazon S3 command-line utility used by developers and data engineers for cloud storage operations. In attack contexts, it is abused to exfiltrate large data archives to attacker-controlled S3 buckets because the outbound traffic is HTTPS to AWS infrastructure, which most organizations permit by default and network monitoring tools do not flag as suspicious. The presence of s5cmd.exe in C:\ProgramData\, executed by a non-IT user account or immediately following a PowerShell enumeration session, is a strong behavioral indicator of data staging for exfiltration. Alert on s5cmd, rclone, AzCopy, and the AWS CLI when executed outside approved IT tooling.

What does the script title '100% Working FULLY FIXED' tell defenders?

The title reflects the iterative AI prompting cycle: the attacker repeatedly pasted error output back to the AI until the script executed without failures, and the phrase FULLY FIXED was incorporated from that error-correction exchange. This artifact is a detection opportunity for defenders analyzing recovered scripts. LLM-generated code frequently contains conversational language in variable names or comments, over-engineering with multiple fallback methods, unedited example values from training data, and verbose decorative output. Security teams analyzing suspicious scripts should treat these LLM artifacts as corroborating evidence of AI-assisted attack tooling alongside behavioral indicators.

How did the attacker gain initial access in the June 3, 2026 incident?

The attacker used pre-compromised RDP credentials to establish a remote desktop session directly to a domain-joined Windows Server. Huntress did not confirm the original source of those credentials, but VPN credential compromise from a prior breach or phishing campaign is the most likely vector based on the attack pattern. This underscores a consistent finding across 2026 incidents: AI-generated tooling is deployed after initial access is established, not as the initial access method itself. Eliminating pre-compromised credentials through phishing-resistant MFA, regular credential rotation, and breach monitoring for leaked corporate passwords removes the most common entry point that AI-generated tools then exploit.

Sources & references

  1. Huntress: AI-Coded Malware: Analyzing Vibe-Coded AD Enumeration
  2. The Hacker News: Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory
  3. Unit 42: 2026 Global Incident Response Report
  4. CrowdStrike: 2026 Global Threat Report

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.