LatAm 'Vibe Hackers' Use AI Agents to Dynamically Generate Custom Hacking Tools

Two Latin American threat actors have been caught using AI agents to automate entire attack chains, from initial reconnaissance to data exfiltration, according to new research from Trend Micro's TrendAI Research team. The campaigns, tracked as Shadow-Aether-040 and Shadow-Aether-064, represent a significant escalation in the use of generative AI for cybercrime, as the attackers dynamically generate custom hacking tools on the fly to evade signature-based detection.

Shadow-Aether-040, first identified in late 2025, compromised six Mexican government entities between December 27 and January 4. The attackers used a jailbroken Anthropic Claude agent to scan Shodan and VulDB for vulnerabilities, deploy web shells, and create a Python backdoor named 'implante_http.' The AI agent was instructed to document its workflow in Markdown files, allowing it to restore context and continue tasks across sessions. The campaign also targeted organizations in financial services, aviation, and retail.

Shadow-Aether- Shadow-Aether-064, active since April 2026, primarily targets Brazilian financial organizations with the goal of stealing financial data. While it shares similar tooling with Shadow-Aether-040, TrendAI assesses the campaigns as distinct, noting that Shadow-Aether-040 operators are Spanish-speaking, while Shadow-Aether-064 operators are likely Brazilian Portuguese speakers. Both actors used ProxyChains, SOCKS5 tunneling, SSH, and open-source tools like Chisel, CrackMapExec, Impacket, and Neo-reGeorg.

The most striking aspect of both campaigns is the use of AI to generate custom, dynamically created hacking tools and scripts. These tools support network scanning, password spraying, and vulnerability exploitation, and are used to create custom backdoors capable of establishing reverse tunnels for traffic forwarding from a SOCKS5 proxy. Because the generated commands, scripts, and code differ with each execution, they effectively replace open-source hacking tools that are more likely to be detected by traditional security solutions.

Shadow-Aether-040 was able to jailbroke the AI agent by claiming its instructions were for an 'authorized red-team exercise,' bypassing safeguards through multiple iterative attempts. The agent was used as a command-line interface assistant that sent prompts to Anthropic's Claude. Once vulnerabilities were identified, the attackers deployed web shells for initial access, then used the AI to deploy additional backdoors and tunneling tools for persistence.

Stephen Hilt, principal threat researcher at TrendAI, told Dark Reading that AI enabled both campaigns to pursue their objectives faster and with less manual overhead. 'Threat actors will always take the path of least resistance and right now AI is that path,' he said. However, he noted that the motivation driving these campaigns goes deeper than just convenience.

The TrendAI research highlights a growing trend of threat actors using AI agents for end-to-end attack chains. While the quality of AI-generated tools is still imperfect—as seen in other 'vibe-hacking' campaigns like the recent 'Ransomvibing' incident in the Visual Studio Extension Market—the operational tempo and evasion capabilities they provide are a serious concern for defenders. Organizations are advised to prepare for a new era of AI-driven cyberattacks that can adapt and evolve in real time.

Trend Micro's TrendAI Research has formally named the two campaigns SHADOW-AETHER-040 and SHADOW-AETHER-064, revealing that the former compromised six Mexican government entities between December 27, 2025, and January 4, 2026, while the latter has been targeting Brazilian financial organizations since April 2026. The report provides previously unreported technical details, including that SHADOW-AETHER-040 used Anthropic's Claude via an agentic CLI tool and that both groups dynamically generated custom hacking tools and scripts rather than relying on pre-built binaries, reducing detection by signature-based defenses.