← The Wire

Top 5 · 2026-03-08 · source-backed

Transparent Tribe Launches "Vibeware" — First Named Nation-State AI Malware Campaign

Confidence
source-backed
Sources
2
Redaction
passed

Story

Bitdefender documented Pakistan-aligned APT36 using LLMs to mass-produce malware in 7 languages (Nim, Zig, Crystal, Rust, Go, C#, .NET). They call the strategy "Distributed Denial of Detection" (DDoD) — flooding targets with disposable polyglot binaries to overwhelm signature-based detection. Malware families use Slack, Discord, Supabase, and Google Sheets as C2. This is fundamentally different from CyberStrikeAI: that was AI-augmented attacks with existing tools; this is AI-generated attack tools at scale. What to do: Your EDR must shift to behavioral process monitoring. Signature matching is now obsolete for this threat class. Monitor for outbound connections to Slack/Discord/Supabase from unsigned binaries. Bitdefender | The Hacker News

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Same source / Shared topic / Earlier coverage

    Transparent Tribe Weaponizes AI Coding Tools for Polyglot Malware

    Both cover APT36, Bitdefender, Crystal, Discord; cite the same source (The Hacker News); overlapping topics (apt36, binary, bitdefender, call, discord).

  2. Shared entities / Same source / Shared topic

    Bitdefender: APT36 vibeware (DDoD).

    Both cover APT36, Bitdefender, DDoD, Detection; cite the same source (Bitdefender); overlapping topics (apt36, bitdefender, detection).

  3. Shared entities / Same source

    Breaking News

    Both cover Bitdefender, CyberStrikeAI, The Hacker News; cite the same source (Bitdefender).

  4. Shared entities / Same source domain / What happened next

    ClawHavoc Poisons ClawHub with 1,184 Malicious Skills: SKILL.md Poisoning Delivers macOS Stealer to 300,000+ Users

    Both cover Bitdefender, Discord, The Hacker News; reported by the same outlet (thehackernews.com); picks up the Bitdefender thread on 2026-03-16.

  5. Shared entities / Same source domain / Shared topic / Earlier coverage

    Anthropic Distillation Detection: Industrial-Scale Model Theft

    Both cover Detection, The Hacker News; reported by the same outlet (thehackernews.com); overlapping topics (behavioral, campaign, detection).

  6. Shared entities / Same source / Earlier coverage

    Breaking News & Industry

    Both cover CyberStrikeAI, The Hacker News; cite the same source (The Hacker News); earlier CyberStrikeAI coverage from 2026-03-07.

  7. Shared entities / Same source domain / Shared topic / Earlier coverage

    CyberStrikeAI: First Documented MCP-Powered Attack Campaign Compromises 600+ FortiGate Devices

    Both cover CyberStrikeAI, The Hacker News; reported by the same outlet (thehackernews.com); overlapping topics (attack, campaign).

  8. Shared entities / What happened next

    The OpenClaw-adjacent agent runtimes are everywhere: zeroclaw (32K), nanoclaw (30K), openclaude (28.5K).

    Both cover Discord, Rust, Slack; picks up the Discord thread on 2026-06-08.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-03-08-transparent-tribe-launches-vibeware-first-named-nation-state-ai-malware-campaign
Labels
source-backed, canonical briefing excerpt