Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America

What Happened

Cybersecurity researchers have discovered two new hacking campaigns targeting government and financial organizations in Latin America. The hackers are using artificial intelligence (AI) assistants to help them break into networks, write custom hacking tools on the fly, and steal sensitive data. This is significant because the AI allows the hackers to work faster and avoid traditional security defenses that look for known hacking tools. Organizations should ensure their systems are fully patched, use strong access controls, and monitor their networks closely to defend against these advanced, AI-assisted attacks.

Key Takeaways

• Two distinct campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, utilized agentic AI to facilitate intrusions against Latin American government and financial sectors.
• Threat actors leveraged AI to dynamically generate scripts and tools on-the-fly, bypassing traditional signature-based detection.
• Both campaigns heavily relied on SOCKS5 tunneling via tools like Chisel and custom backdoors (implante_http, SOCKTZ) for lateral movement and C2.
• AI agents were integrated with external services like Shodan and VulDB to enhance reconnaissance and vulnerability exploitation capabilities.

Affected Systems

• Government entities in Mexico, Colombia, and Ecuador
• Financial organizations in Brazil
• JBoss AS servers
• Linux servers
• Windows Active Directory environments

Vulnerabilities (CVEs)

• Dirty COW
• PwnKit

Attack Chain

The attackers gain initial access by exploiting public-facing applications, such as vulnerable JBoss AS servers, and deploying webshells like Neo-reGeorg. They then use an AI agent via a CLI tool to dynamically generate scripts for reconnaissance, credential harvesting, and privilege escalation. The AI assists in deploying tunneling tools like Chisel and custom backdoors (implante_http, SOCKTZ) to establish SOCKS5 proxies back to the C2 infrastructure. Finally, the attackers use ProxyChains and SSH through these tunnels to move laterally, access databases, and exfiltrate sensitive data.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: Yes
• Platforms: Trend Micro Vision One

The article provides specific Trend Micro Vision One hunting queries to detect C&C communications associated with both SHADOW-AETHER campaigns.

Detection Engineering Assessment

EDR Visibility: Medium — While dynamic script generation evades static signatures, behavioral monitoring of proxychains, sshpass, and unusual child processes from web servers can detect the activity. Network Visibility: High — Heavy reliance on SOCKS5 tunneling, WebSocket traffic, and specific HTTP headers for custom proxy tools provides strong network-level indicators. Detection Difficulty: Moderate — Although the tools are dynamically generated by AI, the underlying behaviors—such as web servers spawning shells, proxychains usage, and SOCKS5 tunneling—are well-known and detectable with behavioral rules.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• Network Connections (Sysmon 3)
• Web Server Access Logs
• SSH Authentication Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Web server processes (e.g., JBoss, Apache) are spawning unusual child processes like chisel, proxychains, or shell interpreters.	Process Creation	Execution	Low
HTTP POST requests contain custom headers X-Act, X-Sid, and X-Host, indicative of the POW tunneling tool.	Web Server Access Logs / Network Traffic	Command and Control	Low
Excessive sshpass executions combined with proxychains are occurring, indicating automated lateral movement attempts.	Process Creation	Lateral Movement	Medium
Hidden directories or files are being created in unusual locations, such as ~/.pgsql/logs/.	File Creation	Persistence	Low

Control Gaps

• Signature-based Antivirus
• Static Code Analysis

Key Behavioral Indicators

• Webshell spawning proxy tools
• Custom HTTP headers (X-Act, X-Sid)
• Dynamic script execution from temp directories
• SSH connections originating from non-standard user contexts

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Block known C2 IP addresses and domains associated with SHADOW-AETHER campaigns.
• Hunt for indicators of compromise, specifically looking for custom HTTP headers and unauthorized SOCKS5 tunnels.

Infrastructure Hardening

• Patch public-facing applications, particularly JBoss AS servers, against known vulnerabilities.
• Implement strict network segmentation to limit lateral movement via SSH and SMB.
• Restrict outbound connections from web servers to prevent reverse tunneling.

User Protection

• Enforce multi-factor authentication (MFA) for all remote access and administrative accounts.
• Monitor and restrict the use of administrative tools like CrackMapExec and Impacket.

Security Awareness

• Educate security teams on the emerging threat of AI-augmented attacks and the shift towards dynamic, signature-evasive tooling.

MITRE ATT&CK Mapping

• T1590 - Gather Victim Network Information
• T1588.007 - Obtain Capabilities: Artificial Intelligence
• T1190 - Exploit Public-Facing Application
• T1059 - Command and Scripting Interpreter
• T1203 - Exploitation for Client Execution
• T1053 - Scheduled Task/Job
• T1068 - Exploitation for Privilege Escalation
• T1036 - Masquerading
• T1003 - OS Credential Dumping
• T1187 - Forced Authentication
• T1552.001 - Unsecured Credentials: Credentials In Files
• T1110.003 - Brute Force: Password Spraying
• T1087 - Account Discovery
• T1482 - Domain Trust Discovery
• T1654 - Log Enumeration
• T1046 - Network Service Discovery
• T1018 - Remote System Discovery
• T1057 - Process Discovery
• T1082 - System Information Discovery
• T1210 - Exploitation of Remote Services
• T1021.004 - Remote Services: SSH
• T1213 - Data from Information Repositories
• T1090 - Proxy
• T1572 - Protocol Tunneling
• T1071 - Application Layer Protocol
• T1020 - Automated Exfiltration
• T1041 - Exfiltration Over C2 Channel
• T1595 - Active Scanning
• T1136.001 - Create Account: Local Account
• T1136.002 - Create Account: Domain Account
• T1484.001 - Domain or Tenant Policy Modification: Group Policy Modification
• T1550.002 - Use Alternate Authentication Material: Pass the Hash
• T1021.002 - Remote Services: SMB/Windows Admin Shares

Additional IOCs

• Ips:
  • 62[.]171[.]185[.]97 - SHADOW-AETHER-040 C2 server
  • 167[.]172[.]38[.]123 - SHADOW-AETHER-040 C2 server
  • 155[.]133[.]27[.]198 - SHADOW-AETHER-040 C2 server
  • 209[.]99[.]185[.]223 - SHADOW-AETHER-064 C2 server
  • 167[.]148[.]195[.]53 - SHADOW-AETHER-064 C2 server
• File Paths:
  • ~/.pgsql/logs/pg_stat_worker - Location used to hide the implante_http backdoor
  • ~/.ssh/authorized_keys - Modified to implant attacker SSH keys for persistence
  • /tmp/proxychains_5571.conf - Configuration file generated for ProxyChains tunneling
• Command Lines:
  • Purpose: Establish SSH connection through a SOCKS proxy for lateral movement | Tools: proxychains4, sshpass, ssh | Stage: Lateral Movement | proxychains4 -q -f /tmp/proxychains_5571.conf sshpass -p <password> ssh -o
  • Purpose: Identify potential EDR or antivirus processes running on the system | Tools: ps | Stage: Discovery | ps -fade
  • Purpose: Search for private SSH keys on compromised servers | Tools: find | Stage: Credential Access | find / -name "id_*" -o -name "*.pem" -o -name "*_rsa"
• Other:
  • X-Act - HTTP POST header used by the POW tool to control traffic sessions
  • X-Sid - HTTP POST header used by the POW tool for session IDs
  • X-Host - HTTP POST header used by the POW tool for destination host
  • X-Port - HTTP POST header used by the POW tool for destination port