- Huntress analyzed AI-generated malware “Untitled1.ps1”, a noisy custom AD counting tool likely built by low-skilled attackers using generative AI
- Attackers paired it with s5cmd for fast data exfiltration and SharpShares.exe for share counting before being detected and removed
- Report warns AI “vibe coding” lowers barriers to cybercrime, produces unique payloads that evade signature-based defenses, requiring behavioral analysis to capture attack lifecycles
“Unsophisticated” cybercriminals can now easily write malicious code using artificial intelligence (AI) and run devastating data breach attacks at speed, forcing defenders to rethink their strategies, researchers have claimed.
Security experts Huntress thoroughly examined a piece of AI-written malware and explained how the custom-made, AI-generated payload was a “very aggressive, noisy, custom-built AD enumeration tool.”
As cybercriminals are generally careful not to make too much noise and try to do their bidding without sounding the alarm, the researchers suggested that this was the work of a low-skilled attacker.
Significant challenge
The malware, labeled Untitled1.ps1, was designed to map the Active Directory environment and apparently did its job well. In the next step, the crooks deployed a legitimate, high-speed command-line tool for Amazon S3 operations called s5cmd, which Huntress says is often used for data exfiltration.
Before being discovered and ejected, the attackers also deployed a known enumeration tool called SharpShares.exe that filtered common administrative shares while hunting for additional user-accessible data stores.
The move from off-the-shelf frameworks to custom, tailored AI tools is a “significant challenge” for defenders, Huntress warns.
“Historically, AVs and EDR platforms have relied heavily on file hashes and static string signatures,” they say. “Vibe-encoded scripts are inherently unique. Untitled1.ps1 has never existed before and will likely never be compiled in this exact configuration again.”
As a result, defenders must focus on the “fundamental behaviors of the attack lifecycle.” AI can change the code syntax, they say, but cannot change the underlying mechanics of Active Directory enumeration.
“Vibe coding lowers the barrier to entry for cybercriminals, enabling unsophisticated actors to generate highly capable, evasive tools on the fly,” the researchers concluded. “While the code itself may be messy, overengineered, and filled with AI hallmarks like left-behind comments, the threat it poses is very real. To combat this, defenders must abandon rigid, signature-based thinking and embrace behavioral analytics to capture the underlying actions that no LLM can hide.”

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



