Bitdefender warns of AI 'vibeware' targeting India
Bitdefender has disclosed what it calls a new AI-driven attack model that generates large numbers of disposable malware variants across multiple programming languages. It has dubbed the tactic "vibeware".
Bitdefender links the activity, with medium confidence, to APT36 (Transparent Tribe), which it describes as a Pakistan-aligned threat actor that has historically targeted Indian government bodies and diplomatic missions. The company adds that related activity has affected organisations elsewhere in the Asia-Pacific region.
The research suggests a shift in the economics of intrusion campaigns. Rather than relying on a small set of carefully engineered tools, attackers can produce frequent iterations designed to outpace defensive tuning and signature creation. In Bitdefender's view, the approach prioritises scale over sophistication.
Polyglot malware
At the centre of the vibeware model is the rapid rewriting of similar malicious logic across multiple languages. Bitdefender observed samples written in Nim, Zig and Crystal, alongside more widely used systems languages such as Rust and Go.
Using less common languages can disrupt many organisations' defensive posture. Detection rules, static analysis pipelines and analyst familiarity often focus on common malware formats and languages. A pivot to niche languages can create gaps early on, even if the underlying behaviour remains similar.
Bitdefender observed new variants emerging at a near-daily cadence, with artefacts and errors it says are consistent with large language model-assisted development. It also noted coding flaws and incomplete logic in several samples.
Detection pressure
Beyond the volume of new builds, the research describes an operating pattern in which multiple implants land on a victim at the same time. These implants may be written in different languages and use separate communications methods.
Bitdefender calls this a "Distributed Denial of Detection" approach. It can increase the workload for incident response teams because remediation must identify and remove more than one foothold. It also raises the chances that at least one channel remains available if defenders disrupt another.
Trusted platforms
The research also highlights a growing reliance on "Living Off Trusted Services", in which command-and-control traffic is blended into legitimate online platforms. Bitdefender cites Slack, Discord, Google Sheets and Supabase as examples used to conceal communications.
For defenders, traffic flowing through widely used business tools can complicate triage. Security teams must separate legitimate use from malicious automation, and blocking a major platform may be impractical, especially when the service is owned by the business rather than the security function.
Trusted services also change an attacker's infrastructure footprint. Instead of running dedicated servers that defenders can identify and take down, adversaries can shift activity into accounts and workspaces hosted by large providers. That move can reduce the value of domain and IP blocklists as a standalone control.
Regional focus
Bitdefender says the primary victims it observed were linked to Indian government institutions and embassies. It also reports secondary targeting of organisations connected to defence, foreign affairs and strategic policy.
Bitdefender argues the implications extend beyond South Asia, particularly for organisations with diplomatic, defence and commercial ties across the region. Australia's links across South Asia and the wider APAC region can increase exposure through supply chains, shared service providers and cross-border collaboration between agencies and partners.
Even when individual malware samples contain errors, a high-volume strategy can still succeed. Large numbers of attempts increase the odds that at least one variant slips through, particularly in environments that rely heavily on static signatures or narrowly tuned behavioural detections.
Bitdefender says the shift it observed is centred on production rather than technical sophistication. "The real shift is not in malware sophistication, but in malware production. AI is lowering the barrier to entry for experimenting with new languages and delivery mechanisms. Even imperfect code can become operationally successful when deployed at scale," it said.
For APAC organisations, the findings reinforce defensive priorities long under debate. These include monitoring for unusual use of trusted cloud services, strengthening anomaly detection for identity and access activity, and focusing on suspicious process behaviour rather than relying mainly on file signatures.
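The "Living Off Trusted Services" pattern described under Trusted platforms, and the priority above of monitoring for unusual use of trusted cloud services, both come down to the same triage question: which of the many connections to Slack, Discord, Google Sheets or Supabase are made by the expected client, at human-like timing? The script below is an added example written for this article, not code from Bitdefender's report. It runs over a few constructed egress-proxy log lines and flags, per host, process and service, two things a defender can act on: a process that is not an approved client for that platform, and a connection cadence regular enough to look like a scheduled beacon rather than a person. The approved-client table, hostnames, process names and log format are all assumptions for the sake of the example.

```python
"""Flag unusual use of trusted SaaS platforms in egress proxy logs.

Added example, not from Bitdefender's report. Every hostname, process name
and log line here is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical allow-list: which local processes a fictional organisation
# expects to talk to each platform. A leading dot matches any subdomain.
TRUSTED_SERVICES = {
    "hooks.slack.com": {"slack.exe"},
    "discord.com": {"discord.exe"},
    "sheets.googleapis.com": {"chrome.exe", "msedge.exe"},
    ".supabase.co": set(),  # no approved desktop client at this fictional org
}

# Constructed proxy log: timestamp, source host, process, destination host.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-12 slack.exe hooks.slack.com
2024-05-01T09:03:17 ws-12 slack.exe hooks.slack.com
2024-05-01T09:11:42 ws-12 slack.exe hooks.slack.com
2024-05-01T09:40:05 ws-12 slack.exe hooks.slack.com
2024-05-01T09:00:00 ws-07 updater.exe discord.com
2024-05-01T09:05:00 ws-07 updater.exe discord.com
2024-05-01T09:10:00 ws-07 updater.exe discord.com
2024-05-01T09:15:00 ws-07 updater.exe discord.com
2024-05-01T09:20:00 ws-07 updater.exe discord.com
2024-05-01T09:00:00 ws-03 chrome.exe sheets.googleapis.com
2024-05-01T09:01:00 ws-03 chrome.exe sheets.googleapis.com
2024-05-01T09:02:02 ws-03 chrome.exe sheets.googleapis.com
2024-05-01T09:03:01 ws-03 chrome.exe sheets.googleapis.com
2024-05-01T09:02:30 ws-03 notepad.exe abc123.supabase.co
2024-05-01T09:12:30 ws-03 notepad.exe abc123.supabase.co
"""


def match_service(dest):
    """Return the TRUSTED_SERVICES key that covers dest, or None."""
    for svc in TRUSTED_SERVICES:
        if dest == svc or (svc.startswith(".") and dest.endswith(svc)):
            return svc
    return None


def parse(log_text):
    """Turn the four-column log into (datetime, host, process, dest) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, proc, dest))
    return events


def cadence_score(times):
    """Return (mean gap seconds, coefficient of variation) for 4+ events.

    A low coefficient of variation means near-identical gaps between
    connections, which is typical of scheduled beaconing, not of a person.
    """
    if len(times) < 4:
        return None
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return (m, pstdev(gaps) / m) if m > 0 else None


def analyze(log_text, max_cv=0.1):
    """Group connections by (host, process, service) and report findings."""
    groups = defaultdict(list)
    for t, host, proc, dest in parse(log_text):
        svc = match_service(dest)
        if svc:
            groups[(host, proc, svc)].append(t)
    findings = []
    for (host, proc, svc), times in sorted(groups.items()):
        reasons = []
        if proc not in TRUSTED_SERVICES[svc]:
            reasons.append("unexpected_process")
        score = cadence_score(times)
        if score and score[1] <= max_cv:
            reasons.append("regular_cadence")
        if reasons:
            findings.append({"host": host, "process": proc, "service": svc,
                             "events": len(times), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['host']} {f['process']} -> {f['service']} "
              f"({f['events']} events): {', '.join(f['reasons'])}")
```

On the constructed log the legitimate Slack client on ws-12 is not reported, because its process is approved and its gaps are irregular. The remaining three groups each surface for a different reason: an approved browser polling Sheets on a clock-like schedule, an unapproved process reaching a Supabase subdomain, and an unapproved process hitting Discord every five minutes. Neither check alone is proof of compromise, which is the point: the output is a ranked triage queue for a platform that cannot simply be blocked, not a block decision.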
Bitdefender says its full report includes technical analysis, indicators of compromise and defensive recommendations, and it expects the approach to spread as more threat groups integrate AI-assisted development into routine operations.