Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration.

“The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the enumeration attempt,” Huntress researchers Jevon Ang and Dray Agha said.

The attack chain involved the threat actor establishing Remote Desktop Protocol (RDP) access onto a domain-joined Windows Server with a set of pre-compromised credentials, followed by staging the tools in the “C:\ProgramData\” folder. The incident took place in early June 2026.

This included an artificial intelligence (AI)-generated payload to map the Active Directory environment. The assessment is based on various telltale signs, such as the prompt iteration title, placeholder strings, over-engineered code that features multiple methods to find a Domain Controller, and beautified console output using cyan, green, red, and yellow.

Huntress described the bespoke PowerShell script as “highly aggressive” and “noisy,” making use of a “five-step cascading fallback mechanism” to enable reconnaissance and discovery. It’s titled “100% Working AD Information Gathering Script – FULLY FIXED,” suggesting a back-and-forth with a large language model (LLM).

Once the primary Domain Controller is located, it initiates a data collection routine to systematically harvest AD users, computers, groups, organizational units (OUs), and trusts, and store the details in a staging directory.

About 30 minutes later, the attacker moved to deploy a s5cmd, a legitimate tool used for bulk file operations, along with SharpShares, a C#-based network shares enumeration utility, to look for user-accessible data repositories.

In the final stage, the data is said into CSV files, archived, and exfiltrated to a remote server, but not before creating an HTML file summarizing the data theft in the form of an Active Directory Inventory Report.

“It’s likely a ‘helpful’ inject from the LLM that the attacker simply went along with, rather than being intentionally authored into the script,” the researchers explained.

The development is yet another sign that threat actors are augmenting their arsenal with vibe-coded malware generated with assistance from AI models, even if the technology isn’t being abused in ways not seen before. What it does change is that it lowers the barrier to entry for cybercrime, permitting less-skilled actors to come up with highly capable, evasive tooling with minimal effort.

“The underlying attack chain still resembles the tried-and-tested smash-and-grab playbook we’ve seen for years,” Huntress said. “This core methodology has remained consistent, but it is now being selectively augmented by AI. This hybrid approach prioritises aggression and speed over stealth, allowing threat actors to execute…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 13, 2026