AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
Summary
Hide ▲
Show ▼
An AI-generated PowerShell script was used in a real Windows intrusion, showing how one-off malware can automate Active Directory reconnaissance and evade signature-based detection. The attacker logged in with stolen credentials, then used the script to enumerate directory data and stage it for theft. The activity expanded from reconnaissance into spreadsheet-based collection and exfiltration, increasing the risk of internal environment exposure. The script’s unusual, LLM-shaped code also made traditional file-hash and signature defenses ineffective.
Related Happenings
Fake AI study guide AsyncRAT lure campaign targeting Windows users
Campaign
H score33
First: 11.06.2026 17:00
Last: 11.06.2026 17:00
Sources 1
About this happening:
A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...
Fake AI study guide AsyncRAT lure campaign targeting Windows users
CampaignAbout this happening: A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
H score37
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater broad cyber-espionage campaign across sectors and countries
CampaignAbout this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
ClickFix Windows Terminal Lumma Stealer campaign
Campaign
H score35
First: 06.03.2026 08:44
Last: 06.03.2026 08:44
Sources 1
About this happening:
A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...
ClickFix Windows Terminal Lumma Stealer campaign
CampaignAbout this happening: A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware Activity
H score19
First: 03.03.2026 11:20
Last: 03.03.2026 11:20
Sources 1
About this happening:
**ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware ActivityAbout this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
H score33
First: 04.02.2026 19:24
Last: 04.02.2026 19:24
Sources 1
About this happening:
The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
CampaignAbout this happening: The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
Timeline
-
09.07.2026 17:00 2 articles · 7h ago
Attacker uses AI-generated PowerShell script to map Active Directory at the affected organization
Exploitation ObservedAn attacker logged in over RDP with stolen credentials at the affected organization, staged tools in a Windows folder, and ran an AI-generated PowerShell script to map the Active Directory environment, enumerate users, computers, groups and trusts, and collect the results into spreadsheets before exfiltrating them with s5cmd and SharpShares.
Show sources
- Vibe-Coded Malware Caught in Active Directory Attack — www.infosecurity-magazine.com — 09.07.2026 17:00
- Vibe-Coded Malware Caught in Active Directory Attack — www.infosecurity-magazine.com — 09.07.2026 17:00
-
09.07.2026 17:00 1 articles · 7h ago
Huntress analyzes AI-generated PowerShell script used against the affected organization
Technical Analysis UpdateHuntress published analysis of the June 3 intrusion, saying it recovered and rebuilt the one-off PowerShell tool titled "100% Working AD Information Gathering Script - FULLY FIXED." The script showed LLM-like hallmarks including a placeholder server name, five fallback methods for finding the domain controller, colorful console output, and useless hashes and signatures, leading Huntress to recommend behavioral analytics over rigid signature-based detection.
Show sources
- Vibe-Coded Malware Caught in Active Directory Attack — www.infosecurity-magazine.com — 09.07.2026 17:00