PULSE NAME
Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America
WHITE SHADOW-AETHER-040, SHADOW-AETHER-064 AlienVault 2026-05-12 Modified: 2026-05-12
Two distinct threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, have been identified targeting government entities and financial organizations across Latin America using agentic artificial intelligence to conduct cyber intrusions. SHADOW-AETHER-040, a Spanish-speaking group, compromised six government entities in Mexico between December 2025 and January 2026, while SHADOW-AETHER-064, operating in Portuguese, targeted Brazilian financial institutions starting in April 2026. Both campaigns established SOCKS5 tunnels via ProxyChains and SSH, enabling AI agents to execute commands directly within victim networks. The AI agents dynamically generated hacking tools and scripts on demand, reducing detection by signature-based security solutions. Despite tactical similarities, including shared toolsets such as Chisel, Neo-reGeorg, CrackMapExec, and Impacket, the campaigns appear to be separate entities distinguished primarily by language. These operations represent emerging cases of AI agents executing complete...
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
Neo-reGeorg, Chisel, implante_http, PowerDuke - S0139, SOCKTZ
Indicators of Compromise (25)