← Back to Security Blog
Threat Intelligence 2026년 3월 7일 8분 읽기

AI 지원 악성코드 산업화: Transparent Tribe의 Vibeware 캠페인

Transparent Tribe weaponizes AI coding tools to mass-produce disposable polyglot 악성코드 at unprecedented scale. Bitdefender researchers coin the term "vibeware" — AI-assisted, throwaway implants written in Nim, Zig, and Crystal that evade traditional detection. Meanwhile, MuddyWater deploys a new 백도어 targeting US critical infrastructure, and fake Claude Code installers push infostealers.


🎯 Transparent Tribe: AI 기반 악성코드 공장

⚠️ Active Campaign — Targets Expanding

Pakistan-aligned APT group Transparent Tribe (APT36) has industrialized 악성코드 production using AI coding assistants. Bitdefender's threat research team identified over 200 unique implant variants generated in a single week — a volume impossible through manual development.

What Is Vibeware?

Bitdefender researchers have coined the term "vibeware" to describe this new class of AI-assisted 악성코드. The concept is simple but devastating: use AI coding tools to rapidly generate a high volume of mediocre but functional implants across multiple programming languages. Each implant is disposable — designed for a single campaign or even a single target.

💡 Vibeware Defined

Vibeware (n.): AI-generated, disposable 악성코드 produced at industrial scale using coding assistants. Characterized by polyglot implementation, mediocre code quality, and high volume that overwhelms traditional signature-based detection.

Campaign Technical Details

Attribute Details
Threat Actor Transparent Tribe (APT36)
Attribution Pakistan-aligned, suspected ISI-linked
Primary Targets Indian government, military, diplomatic entities
Languages Used Nim, Zig, Crystal, Go, Rust
Implant Volume 200+ unique variants per week
C2 Infrastructure Slack, Discord, Supabase, Google Sheets
Detection Rate <15% on initial submission (VirusTotal)
AI Tools Abused Multiple coding assistants (unnamed)

Why Lesser-Known Languages?

Transparent Tribe deliberately chooses languages like Nim, Zig, and Crystal for several strategic reasons:

Abusing Trusted Services for C2

Perhaps the most insidious aspect of 이 캠페인은 is the abuse of legitimate cloud services as 명령 및 제어(C2) infrastructure:

Service C2 Usage Detection Difficulty
Slack Webhook-based command delivery 높음 — blends with legitimate traffic
Discord Bot API for 데이터 유출 높음 — encrypted, widespread usage
Supabase Database-as-C2 for implant configuration Very 높음 — novel technique
Google Sheets Spreadsheet cells as command queues Very 높음 — HTTPS to Google domains

🇮🇷 MuddyWater, 미국 대상에 "Dindoor" 백도어 배포

⚠️ US 치명적 Infrastructure Targeted

MuddyWater (Iran/MOIS-affiliated) is actively targeting US 금융 기관 and airport systems with a previously undocumented 백도어 designated "Dindoor".

Dindoor Backdoor Profile

Attribute Details
Threat Actor MuddyWater (MOIS / APT34 overlap)
Backdoor Name Dindoor
Targets US banks, airport operational systems
초기 접근 Spear-피싱 with weaponized job offers
Persistence WMI event subscriptions, scheduled tasks
Communication DNS-over-HTTPS tunneling
Capabilities Keylogging, screen capture, 자격 증명 harvesting, 횡적 이동

The Dindoor 백도어 represents an evolution of MuddyWater's toolkit, featuring DNS-over-HTTPS (DoH) tunneling for C2 communication — making it extremely difficult to detect at the network level. The targeting of banking and aviation infrastructure raises significant concerns about potential disruptive operations.


📱 CISA, iOS 취약점 패치 명령 — Coruna 익스플로잇 키트

⚠️ Emergency Directive Issued

CISA has issued an emergency directive ordering federal agencies to patch actively 익스플로잇ed iOS 취약점 being weaponized through the Coruna 익스플로잇 kit. Deadline: March 14, 2026.

The Coruna 익스플로잇 kit, first identified in February 2026, has expanded its capabilities to target multiple iOS WebKit and kernel 취약점. The kit is being sold on underground forums for $150,000 per license and is primarily used for:

Affected iOS Versions

All iOS versions prior to 18.3.2 영향을 받습니다. 조직은 해야 합니다 ensure all corporate and BYOD Apple devices are updated immediately.


🔍 FBI, 감시/도청 시스템 침해 조사 중

🏛️ Law Enforcement Systems Compromised

The FBI has confirmed an active investigation into a breach of federal surveillance and wiretap systems. While details remain classified, sources indicate that unauthorized access may have compromised ongoing investigations and revealed surveillance targets.

The breach reportedly affects systems used under CALEA (Communications Assistance for Law Enforcement Act) and FISA court orders. Key concerns include:


🐍 가짜 Claude Code 설치 프로그램으로 인포스틸러 유포

⚠️ Developers Targeted via ClickFix 소셜 엔지니어링

A campaign using fake Claude Code installation guides is distributing infostealers through an "InstallFix" variant of the ClickFix 소셜 엔지니어링 technique.

Attack Flow

  1. SEO poisoning — Fake "Claude Code install guide" pages rank in search results
  2. ClickFix trigger — Page displays fake error: "Installation failed — run this fix command"
  3. Clipboard hijack — Malicious PowerShell/bash command copied to clipboard
  4. Infostealer deployment — Command downloads and executes 자격 증명-stealing 악성코드
  5. 데이터 유출 — Browser passwords, SSH keys, API tokens, crypto wallets harvested

What Gets Stolen

Data Type 위험 수준 영향
Browser passwords 🔴 치명적 Full account takeover across services
SSH keys 🔴 치명적 Server/infrastructure access
API tokens 🔴 치명적 Cloud infrastructure compromise
Crypto wallets 🟠 높음 Immediate financial loss
.env files 🔴 치명적 Database 자격 증명s, API secrets

🛡️ Protection Advice

Always install developer tools from official sources only. Claude Code is available exclusively via Anthropic's official channels. Never run commands from random web pages, especially those claiming to "fix" installation errors.


🛡️ 완화 권고 사항

Against Vibeware / AI-Generated Malware

  1. Deploy behavioral detection — Signature-based AV cannot keep pace with AI-generated variants
  2. 모니터링 trusted service abuse — Flag unusual API calls to Slack, Discord, Supabase, Google Sheets
  3. Implement application allowlisting — Block execution of unknown binaries, especially from uncommon compilers
  4. Enhance DNS monitoring — Watch for DoH tunneling and unusual domain patterns
  5. Threat hunt proactively — Look for Nim/Zig/Crystal compiled binaries in your environment

Against 소셜 엔지니어링 (ClickFix)

  1. Security awareness training — Educate developers about clipboard-hijacking attacks
  2. Disable PowerShell for standard users where possible
  3. 모니터링 clipboard activity — EDR tools can detect suspicious clipboard-to-execution chains
  4. Use official package managers — Only install tools via verified channels

📊 위협 환경 요약

Threat Actor Severity Action Required
Vibeware campaign Transparent Tribe 🔴 치명적 Deploy behavioral detection, monitor trusted services
Dindoor 백도어 MuddyWater 🔴 치명적 Patch, monitor DoH traffic, review spear-피싱 defenses
iOS Coruna 익스플로잇s Multiple 🟠 높음 Update all iOS devices to 18.3.2+
Wiretap system breach Unknown 🔴 치명적 모니터링 for downstream intelligence exposure
Fake Claude Code installers Cybercriminals 🟠 높음 Developer awareness, verify installation sources

Detect AI-Generated Malware Variants

KENSAI's continuous automated scanning detects behavioral anomalies and AI-generated 악성코드 patterns that signature-based tools miss.

Start Free Security Scan

Stay vigilant. Stay protected.

🗡️ KENSAI Threat Intelligence Team