Intelligenza artificiale (IA)
Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America
TrendAI™ Research has identified two emerging threat campaigns—SHADOW-AETHER-040 and SHADOW-AETHER-064—that use agentic AI to drive intrusion operations against government and financial organizations in Latin America, marking these among the first cases we have observed of AI agents executing attacks from initial access to data exfiltration.
Save to Folio
Key takeaways
- TrendAI™ Research has identified two emerging campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, that leveraged agentic AI to assist in their intrusion operations against governments and financial organizations in Latin America.
- SHADOW-AETHER-040 and SHADOW-AETHER-064 independently deployed agentic AI with strikingly similar tactics, suggesting AI-assisted attacks are emerging as a broader trend across threat actor groups.
- Both campaigns established traffic tunnels to victim systems, enabling AI agent to conduct malicious attacks directly into victim internal network environments via ProxyChains and SSH.
- The AI agents dynamically generated multiple hacking tools and scripts, rather than relying on pre-built hacking tools. This reduced the likelihood of detection by traditional security solutions that rely on known tool signatures.
- Despite sharing tools and tactics, including Chisel, Neo-reGeorg, CrackMapExec, and Impacket, SHADOW-AETHER-040 and SHADOW-AETHER-064 appear to be distinct groups, separated primarily by language: Spanish and Portuguese respectively.
Threat actors using AI is an unsurprising and even long-predicted development. In a case in point, TrendAI™ Research has identified two emerging threat campaigns that used agentic AI to drive intrusion operations against government entities and financial organizations across several countries in Latin America.
Though evidence suggests that the two groups are likely separate entities, they share strikingly similar tactics, as we detail in this report. This degree of overlap suggests that AI-assisted attacks are becoming a broader pattern among threat actor groups.
The first campaign
Beginning in late 2025, we observed a threat campaign targeting countries in Latin America. Primary targets were government entities but also private-sector organizations in the financial, aviation, and retail industries. The attacker compromised these organizations to exfiltrate large volumes of data. We have been tracking this campaign and named it “SHADOW-AETHER-040.”
During our investigation, we identified a command-and-control (C&C) server operated by the campaign that exposed attack-related data due to improper operational security (OPSEC) settings. The exposed data revealed the operational details of this campaign, including the conversations between the actor and their AI agent on an agentic command-line tool, as well as how the campaign leveraged agentic AI capabilities to drive attack operations.
According to the leaked conversations, SHADOW-AETHER-040 compromised six government entities in Mexico between December 27, 2025, and January 4, 2026. It executed activities across the full cyber kill chains—from initial access to lateral movement stages—with the support of the AI agent. In some cases, it ultimately led to the successful theft of targeted data.
A recent news report described a hacker group compromising government entities with assistance from an AI agent; the operational details from this report aligned precisely with the activities of SHADOW-AETHER-040. A subsequent and more comprehensive report further detailed the intrusion activity and provided indicators of compromise (IoCs) which allowed us to confirm that the group described in both reports is the same group we track as SHADOW-AETHER-040.
The second campaign
Meanwhile, since this April, we identified another threat campaign targeting financial organizations in Brazil that also employed agentic AI to conduct attacks. This new campaign shared similar patterns of attack as SHADOW-AETHER-040, including significant overlaps in their selection of hacking tools and a shared interest in developing customized SOCKS5 tooling. These findings initially led us to consider that these two campaigns as possibly related.
However, upon further investigation, we found the new campaign is likely operated by Portuguese speakers, whereas SHADOW-AETHER-040 operators were observed to be Spanish-speaking. The true relationship between them remains unknown and the overlap may just be coincidental. We therefore consider them as separate campaigns and track this newer campaign as “SHADOW-AETHER-064.”
We share the technical details of these two emerging threat campaigns and how they leveraged agentic AI to conduct their operations in the next sections. This includes previously unreported details, analysis of AI-generated backdoors, and our observations from these AI agents' attack activities.
The AI agent-augmented attacks of SHADOW-AETHER-040
SHADOW-AETHER-040 primarily leveraged an agentic command-line interface (CLI) tool to conduct its operations. The CLI tool sent the attacker's prompts to a large language model (LLM) service, Anthropic's Claude in this case, and executed attack commands based on the AI model's responses. The campaign used vulnerability scanners to identify vulnerabilities on targeted servers and then deploy webshells, such as Neo-reGeorg, to establish their initial access. The actors then commanded their AI agent to use these webshells to deploy additional backdoors or traffic tunneling tools, such as Chisel, to establish a SOCKS5 tunnel on compromised servers. This tunnel enabled the AI agent to use ProxyChains to create SSH connections and operate other servers inside the internal network for lateral movement.
Besides the use of the foundational AI model, SHADOW-AETHER-040 enabled their AI agent to access other infosec services, such as Shodan and VulDB. Shodan served as a search engine for identifying the attack surface of the targeted organizations, while VulDB provided information on application vulnerabilities. These integrations enhanced the AI agent's offensive capabilities through the intelligence obtained from these infosec services.
SHADOW-AETHER-040 created dedicated folders for each victim and instructed the AI agent to document the attack workflow and all collected information as Markdown files within the different directories, forming their operational knowledge base. This allowed the AI agent to understand previously completed actions, restore the prior operational context by reading through the Markdown files inside a given folder, and continue work on the unfinished tasks at any time.
For jailbreaking, the campaign attempted to deceive the AI agent by claiming that they were conducting an authorized red team exercise—a tactic designed to trick the model into assisting with malicious activities. This deception was not always effective. When the prompt explicitly identified the target as a government entity, the AI agent exhibited caution and frequently refused the actor's requests. However, after multiple iterative attempts, the actor ultimately succeeded in bypassing the safeguards by framing the operation as part of a legitimate red team testing operation.
SHADOW-AETHER-040 didn't fully delegate operations to the AI agent. Instead, they utilized the AI agent primarily as an assistant to support various tasks and supervise over its behavior. Whenever the agent deviated from the intended direction, they interrupted and corrected the agent's actions. We observed that the campaign assigned the AI agent to help on the following notable tasks.
| Tasks | AI agent actions |
|---|---|
Establishing tunnel |
Downloaded Chisel and established a SOCKS5 tunnel connecting back to the C&C server. |
Deploying backdoor |
Renamed the backdoor binary as |
Maintaining backdoor persistence |
Created a cron job or modified the |
Investigating logs |
Inspected |
Investigating configurations |
Inspected server configuration files and application code ( |
Internal network reconnaissance |
Generated a shell script to conduct scanning across an internal network. |
Generating exploit scripts |
Generated exploitation scripts to execute commands based on the vulnerabilities identified by Vulmap. |
Checking EDR and antivirus services |
Executed |
Collecting SSH key |
Used the |
Implanting backdoor SSH key |
Wrote the attacker's SSH key into the |
Privilege escalation via vulnerabilities |
Attempted to exploit vulnerabilities such as Dirty COW and PwnKit for privilege escalation. |
Privilege escalation via misconfigurations |
Leveraged cron jobs running with root privileges to escalate privileges. |
Credential access |
Performed an SMB Relay attack using PetitPotam. |
Password spraying |
Utilized previously collected credentials to conduct password spraying attacks against the Domain Controller with tools such as CrackMapExec or Impacket. |
Searching for sensitive information in databases |
Explored databases using SQL queries to locate tables containing credential information. |
Exfiltrating data |
Used SQL commands to back up databases and downloaded the backup files with the |
Table 1. The tasks SHADOW-AETHER-040 delegated to the AI agent
AI-generated backdoor
We observed that SHADOW-AETHER-040 deployed a Python-based backdoor called implante_http which has not been discussed in previous reports. The threat actor instructed the AI agent to package this Python backdoor using PyInstaller into a standalone ELF binary and deploy it to victim servers. We also identified a backdoor sample on VirusTotal that had been packaged by PyInstaller as a Windows executable. This backdoor is likely to have been developed with AI assistance. Multiple indicators of AI-generated code were identified within the source code, including:
- Explanatory comments typical of AI clarifying its code to users
- Extensive comments explaining changes made before and after modifications—a strong characteristic of iterative "vibe coding" sessions
- Emoji icons used in program messages
- Perfect error handling implementation
This backdoor utilizes HTTP protocol for C&C communication and employs WebSocket as the tunnel to relay TCP/UDP traffic. The backdoor implements functions including executing system commands, changing and listing the current working directory, uploading or downloading arbitrary files, and creating an interactive PTY terminal session. In addition, it developed several advanced capabilities that indicate the backdoor was developed to support lateral movement and data exfiltration, including:
- Establishing SSH connection to other servers from the backdoor process.
- Establishing a WebSocket tunnel, enabling the actor to forward TCP/UDP traffic received from the SOCKS5 server listening on the C&C server.
- A chunked data download mechanism designed to facilitate the exfiltration of large files over the C&C channel.
| Command | Function |
|---|---|
|
Uploads a local file from the victim machine to the C&C server (large files via chunked binary POST; small files are encoded in Base64). |
|
Uploads all files in the current directory to the C&C server. |
|
Receives a small file from the C&C server (Base64-encoded). |
|
Chunked reception of large files from C&C server. |
|
Streaming download of large files from the C&C server. |
|
Changes the current working directory. |
|
Establishes an SSH connection to an internal host and bridges the session back to the C&C server. |
|
Spawns an interactive PTY shell. |
|
Lists directory structure in JSON format. |
|
Establishes a TCP connection to the specified address and port. |
|
Establishes a UDP connection to the specified address and port. |
|
Terminates the current session. |
|
Executes any system command. |
Table 2. Commands supported by the "implante_http" backdoor
Another emerging campaign: SHADOW-AETHER-064
During April 2026, we identified a second threat campaign, SHADOW-AETHER-064, targeting financial organizations in Brazil with a primary objective on the exfiltration of financial related data. During our investigation, we identified several attack scripts used by this campaign that show clear indicators of AI agent utilization during their operation. For example, some scripts contain the descriptions of self-reasoning and autonomous decision-making processes, which are characteristic behaviors of AI agents. These appear to be on-the-fly scripts generated to accomplish subtasks during the AI agent's execution. For this case, we couldn't identify which LLM service was abused in the campaign.
What drew our attention was the significant tactical overlap with SHADOW-AETHER-040. Both campaigns employed an identical approach by leveraging ProxyChains, SOCKS5 tunneling, and SSH to enable their AI agents to remotely command compromised servers. Their toolsets also overlapped notably, such as their use of Chisel, Neo-reGeorg, CrackMapExec, and Impacket. Furthermore, both adversaries have developed custom backdoors capable of establishing reverse tunnels for traffic forwarding from a SOCKS5 proxy.
However, a key differentiator emerged from the samples, leading us to cluster these two campaigns separately. Attack scripts and compiled binaries used by SHADOW-AETHER-064 contain Portuguese-language content, suggesting that the actor behind the campaign is a Portuguese-speaking individual or group. In contrast, SHADOW-AETHER-040 was identified to be a Spanish-speaking individual or group.
In the cases we observed, SHADOW-AETHER-064 targeted vulnerable JBoss AS servers, successfully compromised them, and deployed webshells. The campaign further deployed tools such as Chisel and other proxy utilities through these webshells, enabling the actor to operate their AI agent to conduct attack activities through SOCKS5 tunnels. We observed the actor used the AI agent to carry out the following tasks.
| Tasks | AI agent actions |
|---|---|
Attack surface scanning |
Scanned port 443 and 8443 across the target's network ranges to identify exposed web services. |
SQL injection attempts |
Tested multiple SQL injection payloads to assess whether servers were vulnerable. |
Establishing tunnel |
Downloaded Chisel and established a SOCKS5 tunnel connecting back to the C&C server. |
Internal network reconnaissance |
Generated a shell script to perform connection scanning across the internal network. |
Credential gathering |
Inspected application configuration files on compromised servers to extract embedded credentials. |
Password spraying |
Utilized previously collected credentials to conduct SSH-based password spraying attacks. |
Creating account |
Created unauthorized service accounts, specifically identified as |
Privilege escalation |
Modified Group Policy Preferences (GPP) to add the attacker-controlled accounts into administrative groups. |
Access restriction removal |
Modified Group Policy Objects (GPO) to remove Domain Admins from the |
Deploying backdoor |
Used stolen NTLM hashes to perform Pass-the-Hash over SMB and deploy backdoor. Used stolen SSH credentials to execute commands to deploy backdoor. |
Exfiltrating Data |
Accessed and exfiltrated data from victim's databases via SQL queries. |
Table 3. Tasks SHADOW-AETHER-064 delegated to the AI agent
SHADOW-AETHER-064 developed multiple custom tools, most related to the establishment of SOCKS5 tunnels. Two tools were used most frequently in their operations.
The first tool, referred to as “POW” (likely an abbreviation for “Proxy over Web”), enabled the actor to forward SOCKS5 traffic from C&C servers into the internal network by encapsulating the malicious traffic within HTTP POST requests and responses, forwarding it through a JSP-based webshell. This tool used the following HTTP POST headers to control the traffic sessions:
| HTTP header | Function |
|---|---|
|
Controlling traffic sessions with commands including |
|
A unique string used as a traffic session ID, generated as a random hexadecimal string by the webshell. |
|
The destination host address of the connection. |
|
The destination port of the connection. |
|
A return value to indicate whether the request succeeded or failed. |
Table 4. The HTTP POST headers used in the POW tool
The second tool, “SOCKTZ, “ is a reverse SOCKS5 tunneling tool written in Go. In its initial version, the tool established a connection to a C&C server and periodically polled for instructions to create new TCP connections for traffic forwarding. We observed that the campaign continuously updated this tool. In the latest version (Version 9), it retained its original reverse SOCKS5 tunneling capability and added a new one, a remote command execution functionality on compromised servers. We also noticed that the backdoor leveraged a compromised website as a relay C&C infrastructure.
The server-side controllers for these tools were both implemented as Python-based servers. The Python source code contained comprehensive comments, structured error handling, and clear evidence of iterative development, leading us to assess that the campaign likely also used vibe coding in developing these tools.
Observations and security implications
The SHADOW-AETHER-040 and SHADOW-AETHER-064 cases demonstrate how the threat actors used agentic AI to support their malicious operations. By employing AI agents in their offensive operations, actors were not only able to automate tasks that previously required manual execution, but also demonstrated the advantages of generative AI technologies in some areas.
First, AI agents were able to rapidly analyze source code, configuration files, and log data to identify misconfigurations or exposed information such as the internal IP addresses, usernames, and even embedded credentials. Historically, this type of task would have required manual review and time-intensive analysis. With AI support, it can now be completed almost immediately. Any small oversight can be identified and weaponized quickly by AI-driven threat actors.
Second, AI agents were able to dynamically generate commands and scripts on demand. Rather than relying on an arsenal of previously developed hacking tools, AI agents in these campaigns directly generated the commands and scripts required to complete each task. These included malicious activities such as internal network scanning, password spraying, and vulnerability exploitation. Once the underlying logic of the attack is established, the AI agent could immediately produce complex commands or scripts to execute it without old tooling. Because these dynamically generated commands, scripts, and code differ with each execution, they effectively replace open-source hacking tools that are more likely to be detected, reducing the possibility of detection by traditional security solutions.
Conclusion
Using AI agents to execute parallel attack operations enhances threat actors' efficiency. However, the adoption of agentic AI does not mean that attackers can successfully compromise every environment. We observed some cases in which the actors still ultimately failed even with the help of an AI agent because it could not identify any feasible path for lateral movement. In those cases, the targeted victims maintained strong security configurations, which prevented further compromise and limited the potential of additional damage.
As we have observed a growing number of attacks leveraging agentic AI in recent months, foundational defensive measures have become more critical than ever. It is worth noting that while AI agents can accelerate attacks, they cannot conjure vulnerabilities and misconfigurations. Against an environment with strong security fundamentals, even AI-augmented campaigns will struggle to find a way through. Timely patching, properly implemented zero-trust access controls, and comprehensive monitoring of environmental activity will be increasingly important in defending against this evolving threat landscape.
TrendAI™ Research will continue tracking SHADOW-AETHER-040, SHADOW-AETHER-064, and related campaigns, delivering actionable intelligence to help organizations stay ahead of emerging threats. Our threat intelligence, paired with advanced detection capabilities, helps keep your organization protected against sophisticated AI-assisted attacks targeting government entities, financial institutions, and other critical sectors.
TrendAI Vision One™ customers are protected from the IoCs listed in the table below.
MITRE ATT&CK techniques of SHADOW-AETHER-040
| Tactic | Technique | ID |
|---|---|---|
Reconnaissance |
Gather Victim Network Information |
T1590 |
Resource Development |
Obtain Capabilities: Artificial Intelligence |
T1588.007 |
Initial Access |
Exploit Public-Facing Application |
T1190 |
Execution |
Command and Scripting Interpreter |
T1059 |
Execution |
Exploitation for Client Execution |
T1203 |
Persistence |
Scheduled Task/Job |
T1053 |
Privilege Escalation |
Exploitation for Privilege Escalation |
T1068 |
Defense Evasion |
Masquerading |
T1036 |
Credential Access |
OS Credential Dumping |
T1003 |
Credential Access |
Forced Authentication |
T1187 |
Credential Access |
Unsecured Credentials: Credentials In Files |
T1552.001 |
Credential Access |
Brute Force: Password Spraying |
T1110.003 |
Discovery |
Account Discovery |
T1087 |
Discovery |
Domain Trust Discovery |
T1482 |
Discovery |
Log Enumeration |
T1654 |
Discovery |
Network Service Discovery |
T1046 |
Discovery |
Remote System Discovery |
T1018 |
Discovery |
Process Discovery |
T1057 |
Discovery |
System Information Discovery |
T1082 |
Lateral Movement |
Exploitation of Remote Services |
T1210 |
Lateral Movement |
Remote Services: SSH |
T1021.004 |
Collection |
Data from Information Repositories |
T1213 |
Command and Control |
Proxy |
T1090 |
Command and Control |
Protocol Tunneling |
T1572 |
Command and Control |
Application Layer Protocol |
T1071 |
Exfiltration |
Automated Exfiltration |
T1020 |
Exfiltration |
Exfiltration Over C2 Channel |
T1041 |
Table 5. SHADOW-AETHER-040 MITRE ATT&CK TTPs
MITRE ATT&CK Techniques of SHADOW-AETHER-064
| Tactic | Technique | ID |
|---|---|---|
Reconnaissance |
Active Scanning |
T1595 |
Resource Development |
Obtain Capabilities: Artificial Intelligence |
T1588.007 |
Initial Access |
Exploit Public-Facing Application |
T1190 |
Persistence |
Create Account: Local Account |
T1136.001 |
Persistence |
Create Account: Domain Account |
T1136.002 |
Privilege Escalation |
Domain or Tenant Policy Modification: Group Policy Modification |
T1484.001 |
Credential Access |
Unsecured Credentials: Credentials In Files |
T1552.001 |
Credential Access |
Brute Force: Password Spraying |
T1110.003 |
Discovery |
Network Service Discovery |
T1046 |
Lateral Movement |
Use Alternate Authentication Material: Pass the Hash |
T1550.002 |
Lateral Movement |
Remote Services: SMB/Windows Admin Shares |
T1021.002 |
Lateral Movement |
Remote Services: SSH |
T1021.004 |
Collection |
Data from Information Repositories |
T1213 |
Command and Control |
Proxy |
T1090 |
Command and Control |
Protocol Tunneling |
T1572 |
Command and Control |
Application Layer Protocol |
T1071 |
Exfiltration |
Exfiltration Over C2 Channel |
T1041 |
Table 6. SHADOW-AETHER-064 MITRE ATT&CK TTPs
TrendAI Vision One™ Threat Intelligence Hub
TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.
Emerging threats: Vibe Hacking: Emerging Threat Campaigns Leveraged Agentic AI to Infiltrate Organizations in Latin America
Threat actors:
TrendAI Vision One™ Intelligence Reports (IOC sweeping)
Hunting queries
TrendAI Vision One™ Search App
TrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
C&C communications of SHADOW-AETHER-040
eventSubId: 204 AND (dst: 165.22.184.26 OR dst: 159.65.202.204 OR dst: 62.171.185.97 OR dst: 167.172.38.123 OR dst: 155.133.27.198 )
C&C communications of SHADOW-AETHER-064
eventSubId: 204 AND (dst: 209.99.185.221 OR dst: 209.99.185.223 OR dst: 167.148.195.53)
C&C domain communications of SHADOW-AETHER-064
eventSubId: 301 AND (hostName: cloudservbr.com OR hostName: infra-telemetry.com)
More hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.
Indicators of Compromise (IoCs)
The indicators of compromise for this entry can be found here.