The Pakistan-aligned advanced persistent threat group Transparent Tribe (APT36) has adopted artificial intelligence (AI) tools to mass-produce malicious software implants. According to a new report from Bitdefender, the group is leveraging AI-powered coding to generate a high volume of what researchers term "mediocre" implants. These implants are written in less common programming languages like Nim, Zig, and Crystal and use legitimate services such as Slack, Discord, Supabase, and Google Sheets for command and control, helping them evade detection.
Security researchers at Bitdefender describe this shift as a move toward "AI-assisted malware industrialization." Rather than focusing on technical sophistication, the group's strategy is to overwhelm target environments with a flood of disposable, "polyglot" binaries—each potentially using a different language and communication protocol. This tactic, dubbed "Distributed Denial of Detection" (DDoD), aims to complicate analysis and detection by security tools through sheer volume and variety.
Large language models (LLMs) are a key enabler for this approach, significantly lowering the barrier to entry for cybercriminals. These AI tools allow threat actors with limited expertise to generate functional code in unfamiliar programming languages, either from scratch or by porting existing logic. This collapses the traditional skill gap and accelerates malware development.
The campaign has primarily targeted the Indian government and its embassies abroad, with APT36 using platforms like LinkedIn to identify high-value targets. The Afghan government and some private businesses have also been affected, though to a lesser degree. The infection chain is believed to start with phishing emails containing ZIP archives that harbor malicious Windows shortcut (LNK) files, initiating the compromise.
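The initial access step above (a ZIP attachment carrying a Windows shortcut) is the point where mail-gateway triage can act before any implant, in whatever language it was generated, ever runs. The following is an added defender-side example, not code from Bitdefender or from the report: it opens a ZIP archive in memory and flags members that carry a `.lnk` extension (including double extensions such as `Agenda.pdf.lnk`) or that start with the Windows shell-link header even when the extension says otherwise. The sample archive it scans is constructed inline; nothing here is a real APT36 artifact.

```python
import io
import zipfile
from dataclasses import dataclass

# Windows shell link (.LNK) header: HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


@dataclass
class Finding:
    name: str    # archive member name as stored in the ZIP
    reason: str  # which check matched


def scan_zip_for_lnk(data: bytes) -> list[Finding]:
    """Return one Finding per archive member that is, or looks like, a Windows shortcut.

    Two checks: the member name ends in .lnk (this also catches double extensions
    such as 'report.pdf.lnk'), and the first 20 bytes match the LNK header even
    when the extension claims to be something else. Nested archives are not unpacked.
    """
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = head.startswith(LNK_MAGIC)
            if by_ext:
                findings.append(Finding(info.filename, "lnk extension"))
            elif by_magic:
                findings.append(Finding(info.filename, "lnk header behind non-lnk extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test data: a benign placeholder document, a shortcut with a
    double extension, and a shortcut disguised behind a .txt extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.pdf", b"%PDF-1.7 benign placeholder")
        zf.writestr("Agenda.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_for_lnk(build_sample_archive()):
        print(f"FLAG {f.name}: {f.reason}")
```

Run against real attachments, the header check matters more than the extension check, since attackers choose the file name but cannot change the header Windows expects when it resolves a shortcut.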