SYDNEY, 6 March 2026 – Bitdefender has uncovered a new AI-assisted malware development model dubbed “vibeware”, revealing how a Pakistan-aligned threat actor is industrialising cyberattacks across South Asia by rapidly generating large volumes of disposable malware variants.
The activity is linked with medium confidence to APT36, also known as Transparent Tribe, a threat group historically associated with targeting the Indian government, diplomatic missions and defence-related entities. The latest research shows a strategic pivot away from reliance on off-the-shelf malware toward an AI-enabled production pipeline capable of releasing new variants at a near-daily cadence.
Rather than pursuing technical sophistication, the vibeware model prioritises scale. Attackers use large language models and AI-integrated development tools to rewrite similar malicious logic across multiple programming languages, including Nim, Zig and Crystal, alongside Rust and Go. By shifting into niche or less commonly monitored languages, the group effectively resets the detection baseline for many security tools.
Bitdefender researchers describe this approach as a form of “Distributed Denial of Detection”. In several cases, victims were infected with multiple parallel implants written in different languages and using separate communication protocols. If one access path is blocked, others remain active, complicating incident response and increasing operational resilience for the attacker.
The research also highlights the growing use of “Living Off Trusted Services” techniques. Instead of relying solely on attacker-controlled infrastructure, the malware embeds command-and-control communications within legitimate platforms such as Slack, Discord, Google Sheets and Supabase. This allows malicious traffic to blend into normal business activity, making detection and disruption more difficult.
While many of the analysed samples contained coding flaws and incomplete logic consistent with AI-assisted generation, the overall strategy remains effective. The volume and diversity of variants increase the likelihood that at least one implant will evade traditional signature-based or behaviourally tuned detection engines.
The targeting remains highly focused on South Asian regional politics and national security, with primary victims linked to Indian government institutions and embassies. Secondary targets include organisations connected to defence, foreign affairs and strategic policy. However, the implications extend beyond one geography.
The real shift is not in malware sophistication, but in malware production. AI is lowering the barrier to entry for experimenting with new languages and delivery mechanisms. Even imperfect code can become operationally successful when deployed at scale.
For organisations across Australia and the broader APAC region, the findings underscore the need for layered detection strategies that prioritise behavioural analysis, anomaly detection and monitoring of trusted cloud services, rather than relying solely on static signatures.
The full report, APT36: A Nightmare of Vibeware, provides detailed technical analysis, indicators of compromise and defensive recommendations.




