Originally reported by The Hacker News, Microsoft Security, SANS ISC, MSRC Security Updates
TL;DR
Pakistan-aligned Transparent Tribe and the VOID#GEIST campaign demonstrate how threat actors are operationalizing AI to mass-produce malware and accelerate attack chains. Microsoft reports North Korean groups like Jasper Sleet are similarly adopting AI tradecraft to scale malicious operations.
Multiple active threat campaigns leveraging AI for malware production represent a significant escalation in threat actor capabilities, with confirmed targeting of India and deployment of multiple RAT families.
Threat actors continue expanding their use of artificial intelligence to automate and scale malicious operations. Recent campaigns from state-aligned groups and criminal actors demonstrate how AI is becoming integrated into core attack methodologies.
The Pakistan-aligned threat actor Transparent Tribe has adopted AI-powered coding tools to generate what researchers describe as a "high-volume, mediocre mass of implants" targeting India. The campaign utilizes lesser-known programming languages including Nim, Zig, and Crystal, likely to evade traditional detection mechanisms.
The group's approach represents a quantity-over-quality strategy, using AI to rapidly produce numerous variants rather than crafting sophisticated individual payloads. This methodology enables broader targeting while complicating signature-based detection efforts.
Securonix Threat Research has identified a multi-stage malware campaign dubbed VOID#GEIST that uses obfuscated batch scripts to deliver encrypted remote access trojan payloads. The campaign deploys XWorm, AsyncRAT, and Xeno RAT through a sophisticated infection chain.
The attack begins with batch scripts that deploy secondary payloads, demonstrating how attackers are layering obfuscation techniques to avoid detection during initial compromise phases.
Microsoft reports that North Korean threat groups, including Jasper Sleet and Coral Sleet (formerly Storm-1877), are operationalizing AI to scale and sustain malicious activities. The integration of AI into established threat actor tradecraft represents an acceleration of attack capabilities that increases risk for defenders.
The research indicates threat actors are moving beyond experimental AI usage toward systematic integration into their operational workflows.
YARA-X version 1.14.0 has been released with four improvements and two bugfixes. The malware detection rule engine continues evolving to address emerging threat patterns and improve performance for security teams.
Microsoft has published information for two CVEs. CVE-2025-68146 affects the filelock library, involving a time-of-check to time-of-use race condition that enables symlink attacks during lock file creation. CVE-2026-26122 addresses an information disclosure vulnerability in Microsoft ACI Confidential Containers, with Microsoft adding FAQ information to existing guidance.
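The filelock issue above is an instance of a general pattern: a check-then-create lock file that follows a planted symlink. The following is an added illustration, not filelock's own code or its fix, showing the naive pattern beside an atomic O_CREAT|O_EXCL creation and a throwaway-directory regression check that reports whether a creator wrote through a dangling symlink (the paths and function names are constructed for the example).

```python
import os
import tempfile


def create_lock_unsafe(path: str) -> bool:
    """Check-then-create: the gap between exists() and open() is a TOCTOU
    window, and open() follows whatever symlink is sitting at `path`."""
    if os.path.exists(path):          # exists() follows symlinks; a dangling link reads as absent
        return False
    with open(path, "w"):             # creates the symlink *target*, not the lock file
        pass
    return True


def create_lock_safe(path: str) -> bool:
    """Create atomically with O_CREAT|O_EXCL: the kernel refuses if `path`
    already exists, and POSIX requires EEXIST when `path` is a symlink even
    if it dangles. O_NOFOLLOW is added where the platform offers it."""
    flags = os.O_CREAT | os.O_EXCL | os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:                   # EEXIST or ELOOP: leave whatever is there untouched
        return False
    os.close(fd)
    return True


def lock_creation_redirected(creator) -> bool:
    """Regression check: plant a dangling symlink (constructed, inside a
    temporary directory) where the lock is expected and report whether
    `creator` ended up writing through it. True means vulnerable."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim.txt")   # does not exist yet
        lock = os.path.join(d, "app.lock")
        os.symlink(target, lock)
        creator(lock)
        return os.path.exists(target)


def creates_fresh_lock(creator) -> bool:
    """Sanity check that a creator still works when nothing is in the way."""
    with tempfile.TemporaryDirectory() as d:
        lock = os.path.join(d, "app.lock")
        return creator(lock) and os.path.isfile(lock)


if __name__ == "__main__":
    print("unsafe redirected:", lock_creation_redirected(create_lock_unsafe))
    print("safe redirected:  ", lock_creation_redirected(create_lock_safe))
```

Run on Linux or another POSIX system; the check relies on os.symlink being permitted for the current user.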