Find notable cyber news and cases, enriched with sources, timelines, and signals.

AI-generated PowerShell Active Directory reconnaissance script

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

An AI-generated PowerShell script was used in a real Windows intrusion, showing how one-off malware can automate Active Directory reconnaissance and evade signature-based detection. The attacker logged in with stolen credentials, then used the script to enumerate directory data and stage it for theft. The activity expanded from reconnaissance into spreadsheet-based collection and exfiltration, increasing the risk of internal environment exposure. The script’s unusual, LLM-shaped code also made traditional file-hash and signature defenses ineffective.

Related Happenings

Fake AI study guide AsyncRAT lure campaign targeting Windows users

Campaign
H score33 First: 11.06.2026 17:00 Last: 11.06.2026 17:00 Sources 1

About this happening: A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
H score37 First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

ClickFix Windows Terminal Lumma Stealer campaign

Campaign
H score35 First: 06.03.2026 08:44 Last: 06.03.2026 08:44 Sources 1

About this happening: A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
H score19 First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT

Campaign
H score33 First: 04.02.2026 19:24 Last: 04.02.2026 19:24 Sources 1

About this happening: The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...

Timeline

  1. 09.07.2026 17:00 2 articles · 7h ago

    Attacker uses AI-generated PowerShell script to map Active Directory at the affected organization

    Exploitation Observed

    An attacker logged in over RDP with stolen credentials at the affected organization, staged tools in a Windows folder, and ran an AI-generated PowerShell script to map the Active Directory environment, enumerate users, computers, groups and trusts, and collect the results into spreadsheets before exfiltrating them with s5cmd and SharpShares.

    Show sources
  2. 09.07.2026 17:00 1 articles · 7h ago

    Huntress analyzes AI-generated PowerShell script used against the affected organization

    Technical Analysis Update

    Huntress published analysis of the June 3 intrusion, saying it recovered and rebuilt the one-off PowerShell tool titled "100% Working AD Information Gathering Script - FULLY FIXED." The script showed LLM-like hallmarks including a placeholder server name, five fallback methods for finding the domain controller, colorful console output, and useless hashes and signatures, leading Huntress to recommend behavioral analytics over rigid signature-based detection.

    Show sources