EXECUTIVE SUMMARY
A pair of AI-augmented threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, has been identified targeting government and financial organizations in Latin America, marking an emerging trend of agentic AI use in intrusion operations. Although the two campaigns operate independently, their tactics overlap heavily, suggesting broader adoption of AI-assisted attacks among threat actor groups. The attackers, primarily Spanish- and Portuguese-speaking, have compromised numerous organizations and exfiltrated large volumes of data, with SHADOW-AETHER-040 specifically targeting government entities in Mexico and financial organizations in Brazil. Both campaigns use AI agents to carry out intrusion activity, including lateral movement, data exfiltration, and password spraying, with a marked increase in speed and capability over manual operation.
However, the adoption of agentic AI does not guarantee success, and strong security configurations can still stop an intrusion from progressing. The campaigns use agentic command-line (CLI) tools that drive a large language model to generate and run attack commands. The attackers also deploy webshells and traffic-tunneling tools to establish initial access and maintain persistence; SHADOW-AETHER-040 uses ProxyChains to route SSH connections through compromised hosts and operate on internal networks. The AI agents are instructed to document the attack workflow and collect information as they go, building an operational knowledge base the operators can reuse.
The campaigns also automate tasks that previously required manual effort, rapidly analyzing source code and configuration files to identify misconfigurations and exposed information such as credentials and keys. At the same time, agentic AI raises the attacker's exposure to detection: the commands and scripts are generated dynamically and differ with each execution, producing varied activity that stands out to behavioral monitoring. The use of agentic AI in these campaigns underlines the importance of timely patching, properly implemented zero-trust access controls, and comprehensive monitoring of activity across the environment in defending against this evolving threat landscape. TrendAI Research will continue to track these campaigns, delivering actionable intelligence to help organizations stay ahead of emerging threats.
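The automated hunt for exposed information described above (MITRE T1552.001 Credentials In Files and T1552.004 Private Keys in the profile below) is equally useful to defenders, who should find such material before an attacker's agent does. The following scanner is an added example written for this page, not tooling from Trend Micro or from either campaign. The regular expressions, the placeholder list, and the sample configuration files are constructed for illustration and are not from any victim environment.

```python
"""Scan configuration and source files for exposed credentials (T1552.001)
and private keys (T1552.004).

Added example, not Trend Micro's tooling. Patterns and placeholders are
assumptions chosen for illustration; the sample files are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: a small pattern set. A production scanner (e.g. gitleaks-style) ships many more.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # key/value assignments such as  password: S3cr3t  or  API_TOKEN="..."
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s#]{6,})"
    ),
    # credentials embedded in a database connection URI:  scheme://user:PASS@host
    "db_connection_uri": re.compile(r"\b(?:postgres|mysql|mongodb)(?:ql)?://[^:\s]+:([^@\s]+)@"),
}

# Values that look like secrets but are templates or documentation, not live credentials.
PLACEHOLDERS = {"changeme", "password", "<password>", "xxx", "example", "redacted"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str


def _is_placeholder(value: str) -> bool:
    v = value.strip().lower()
    # ${VAR} and {{ var }} are templating, not a secret written into the file
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("{{")


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) that matches a non-placeholder secret."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # patterns with a capture group expose the secret value; skip templated values
            if m.groups() and _is_placeholder(m.group(1)):
                continue
            findings.append(Finding(path, line_no, kind, line.strip()[:80]))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents (hypothetical paths and values).
SAMPLE_FILES = {
    "app/config/database.yml": (
        "production:\n  adapter: postgresql\n  password: S3cr3tPr0d!\n  host: db.internal\n"
    ),
    # template file: values are placeholders and must NOT be reported
    "app/.env.example": "DB_PASSWORD=changeme\nAPI_TOKEN=${API_TOKEN}\n",
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "src/settings.py": (
        "DATABASE_URL = 'postgres://app:Hunter2xyz@db.internal:5432/app'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.excerpt}")
```

Run against the constructed files, the scanner reports the YAML password, the private key header, the password inside the connection URI, and the AWS access key ID, while ignoring the `.env.example` template whose values are a known placeholder and a `${VAR}` reference. Excerpts are truncated to 80 characters so that the report itself does not become a second copy of every secret.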
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059 | Command and Scripting Interpreter | — |
| Persistence | T1547.004 | Boot or Logon Autostart Execution | Winlogon Helper DLL |
| Defense Evasion | T1036.007 | Masquerading | Double File Extension |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Credential Access | T1552.004 | Unsecured Credentials | Private Keys |
| Credential Access | T1110.003 | Brute Force | Password Spraying |
| Discovery | T1083 | File and Directory Discovery | — |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Lateral Movement | T1021.002 | Remote Services | SMB/Windows Admin Shares |
| Command and Control | T1090.001 | Proxy | Internal Proxy |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1020 | Automated Exfiltration | — |
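The Credential Access row T1110.003 (Password Spraying) and the recommendation above for comprehensive monitoring are the basis for this added detection example. It is not detection content from Trend Micro or from the report; the log format (`<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>`), the thresholds, and the log lines are assumptions constructed for illustration. The logic separates a spray (one source, many accounts, one or two guesses each) from a classic brute force (one source, one account, many guesses) and reports any later successful logon from the spraying source, which is the account most likely compromised.

```python
"""Detect password spraying (T1110.003) in authentication logs.

Added example, not Trend Micro's detection logic. Log format, thresholds
and sample lines are assumptions constructed for this illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line: str) -> tuple[datetime, str, str, bool]:
    """Assumed format: '<ISO timestamp> <src_ip> <username> <SUCCESS|FAIL>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result == "SUCCESS"


def detect_spray(
    lines: list[str],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,
    max_per_user: int = 2,
) -> dict[str, dict]:
    """Return {src_ip: {"users": n, "window_start": ts, "later_success": [users]}}.

    A source is flagged when, inside `window`, it failed against at least
    `min_users` distinct accounts with at most `max_per_user` attempts each
    (a horizontal sweep). Many failures against one account do not qualify.
    """
    events = sorted(parse_line(l) for l in lines)
    by_ip: dict[str, list] = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, u, ok in evs if not ok]
        best: tuple[int, datetime] | None = None
        start = 0
        # sliding time window over this source's failures, oldest first
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user: dict[str, int] = defaultdict(int)
            for _, u in fails[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best[0]:
                    best = (len(per_user), fails[start][0])
        if best is not None:
            # a success from the same source after the spray began = probable hit
            later_ok = sorted({u for ts, u, ok in evs if ok and ts >= best[1]})
            alerts[ip] = {"users": best[0], "window_start": best[1], "later_success": later_ok}
    return alerts


# Constructed sample log: a spray from 203.0.113.7 that lands on svc_backup,
# a single-account brute force from 198.51.100.9, and a user mistyping a password.
SAMPLE_LINES = """\
2026-05-04T09:00:01 203.0.113.7 ana.lopez FAIL
2026-05-04T09:00:03 203.0.113.7 carlos.mendez FAIL
2026-05-04T09:00:05 203.0.113.7 j.silva FAIL
2026-05-04T09:00:07 203.0.113.7 m.souza FAIL
2026-05-04T09:00:09 203.0.113.7 r.garcia FAIL
2026-05-04T09:00:11 203.0.113.7 p.oliveira FAIL
2026-05-04T09:00:13 203.0.113.7 l.fernandez FAIL
2026-05-04T09:00:15 203.0.113.7 svc_backup FAIL
2026-05-04T09:02:40 203.0.113.7 svc_backup SUCCESS
2026-05-04T09:05:00 192.0.2.5 ana.lopez FAIL
2026-05-04T09:05:10 192.0.2.5 ana.lopez FAIL
2026-05-04T09:05:20 192.0.2.5 ana.lopez SUCCESS
""".splitlines() + [
    f"2026-05-04T09:01:{s:02d} 198.51.100.9 admin FAIL" for s in range(0, 36, 3)
]

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LINES).items():
        print(f"{ip}: {info['users']} accounts from {info['window_start']}, "
              f"later success: {info['later_success'] or 'none'}")
```

Only 203.0.113.7 is flagged: eight accounts, one guess each, followed by a successful logon to svc_backup. The brute force against admin is not a spray and the legitimate user's two typos fall far below the threshold; both belong to other detections. Tune `min_users` and `window` to the environment, and remember that a slow spray spread across many source addresses (or rotated through proxies, as with the tunneling described above) will not group by IP; the same logic run per target username set rather than per source is the natural extension.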
REFERENCES:
The following report contains further technical details:
https://www.trendmicro.com/en_us/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html