Trend Micro's TrendAI Research has identified two distinct threat campaigns—SHADOW-AETHER-040 and SHADOW-AETHER-064—that used agentic AI to conduct full-cycle intrusion operations against government and financial organizations in Latin America. SHADOW-AETHER-040, active since late 2025, targeted Mexican government entities using Anthropic's Claude via a CLI tool, deploying webshells, SOCKS5 tunnels, and an AI-generated Python backdoor called 'implante_http'. SHADOW-AETHER-064, active since April 2026, targeted Brazilian financial organizations using similar tooling (Chisel, Neo-reGeorg, CrackMapExec, Impacket) but is attributed to Portuguese speakers. Both campaigns used AI agents to dynamically generate attack scripts, reducing detection likelihood by avoiding known tool signatures. Key findings include AI-assisted jailbreaking via fake red team framing, AI-generated backdoors with indicators like explanatory comments and emoji, and autonomous task execution across the full kill chain. The report concludes that strong security fundamentals—patching, zero-trust, monitoring—remain effective even against AI-augmented attackers.
Sort: