Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America
Two AI-augmented cyber campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, have targeted government and financial sectors in Latin America. SHADOW-AETHER-040 compromised six Mexican government entities between December 2025 and January 2026, while SHADOW-AETHER-064 targeted Brazilian financial institutions starting April 2026. Both campaigns use SOCKS5 tunnels via ProxyChains and SSH to enable AI agents to execute commands within victim networks. These AI agents dynamically generate hacking tools and scripts on demand, evading signature-based detection. The campaigns share toolsets such as Chisel, Neo-reGeorg, CrackMapExec, and Impacket but operate separately, distinguished mainly by language. This represents an emerging use of agentic AI in cyber intrusions. No known exploits or patches are documented for these campaigns.
AI Analysis
Technical Summary
Two distinct threat actor groups, SHADOW-AETHER-040 (Spanish-speaking) and SHADOW-AETHER-064 (Portuguese-speaking), have conducted AI-augmented cyber intrusions targeting government entities in Mexico and financial institutions in Brazil, respectively. These campaigns leverage SOCKS5 tunnels established via ProxyChains and SSH to facilitate AI agents executing commands directly on compromised networks. The AI agents dynamically generate hacking tools and scripts, reducing detection by traditional signature-based security solutions. Shared tools include Chisel, Neo-reGeorg, CrackMapExec, and Impacket. The campaigns are separate but share tactical similarities. This activity illustrates the evolving threat landscape involving agentic AI in cyber operations.
Potential Impact
The campaigns have successfully compromised multiple government and financial sector targets in Latin America, enabling persistent access and command execution within victim networks. The use of AI agents to dynamically generate tools and scripts complicates detection and response efforts. The operations facilitate credential harvesting, data exfiltration, and deployment of webshells, increasing the risk of sensitive data loss and operational disruption. No known exploits or patches are available, indicating ongoing active threats.
Mitigation Recommendations
No official patches or vendor advisories are available for these campaigns. Organizations in the affected sectors should enhance monitoring for unusual SOCKS5 tunneling activity, ProxyChains, SSH anomalies, and the presence of tools like Chisel, Neo-reGeorg, CrackMapExec, and Impacket. Employ behavioral detection methods to identify AI-generated scripts and commands. Incident response plans should consider the novel use of agentic AI in intrusions. Regular threat intelligence updates from trusted sources are recommended to track developments. Since no official fixes exist, proactive detection and containment are critical.
Affected Countries
Mexico, Brazil
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.trendmicro.com/en_us/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html
- Adversary: SHADOW-AETHER-040, SHADOW-AETHER-064
- Pulse Id: 6a02ea171e7005022d5c8a6f
- Threat Score: null
Threat ID: 6a02f113cbff5d8610c13902
Added to database: 5/12/2026, 9:21:23 AM
Last enriched: 5/12/2026, 9:40:24 AM
Last updated: 5/12/2026, 10:37:50 PM