Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America
Essential information
- Published
- 12/05/2026 10:51
- Modified
- 12/05/2026 09:29
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- agentic ai chisel credential harvesting data exfiltration financial sector government targeting implante_http latin america neo-regeorg pow socks5 tunneling socktz webshell deployment
- Tags
- 2026-05-12 agentic ai chisel credential harvesting data exfiltration financial sector government targeting implante_http latin america neo-regeorg pow socks5 tunneling socktz webshell deployment
- Related entities
- 25 indicators, 25 observables, 1 intrusion sets (apt), 5 malware, 8 others
Description
Two distinct threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, have been identified targeting government entities and financial organizations across Latin America using agentic artificial intelligence to conduct cyber intrusions. SHADOW-AETHER-040, a Spanish-speaking group, compromised six government entities in Mexico between December 2025 and January 2026, while SHADOW-AETHER-064, operating in Portuguese, targeted Brazilian financial institutions starting in April 2026. Both campaigns established SOCKS5 tunnels via ProxyChains and SSH, enabling AI agents to execute commands directly within victim networks. The AI agents dynamically generated hacking tools and scripts on-demand, reducing detection by signature-based security solutions. Despite tactical similarities including shared toolsets like Chisel, Neo-reGeorg, CrackMapExec, and Impacket, the campaigns appear to be separate entities distinguished primarily by language. These operations represent emerging cases of AI agents executing complete...