In early June 2026, an unknown threat actor established Remote Desktop Protocol (RDP) access onto a domain-joined Windows Server using pre-compromised credentials. Once inside the system, the attacker staged their toolkit within the "C:\ProgramData" folder to prepare for the next phase of the intrusion.
Among the staged tools was a bespoke and highly aggressive PowerShell script specifically designed to map the Active Directory (AD) environment. Researchers identified the payload as AI-generated due to several telltale signs, including placeholder strings, a prompt iteration title, and over-engineered code featuring a five-step cascading fallback mechanism to locate a Domain Controller. The script also included unusually beautified console output using vivid colors, and bore the title "100% Working AD Information Gathering Script - FULLY FIXED," indicating a persistent back-and-forth dialogue between the attacker and a large language model.
Once the script successfully identified the primary Domain Controller, it initiated a noisy, systematic data collection routine. The automated process harvested extensive information regarding AD users, computers, groups, organizational units, and trusts, neatly compiling the gathered details into a designated staging directory.
Roughly 30 minutes after the initial enumeration, the attacker expanded their operation by deploying additional tools to locate user-accessible data repositories. This included SharpShares, a network shares enumeration utility, alongside s5cmd, a legitimate command-line tool typically used for high-performance bulk file operations.
In the final stage of the attack, the gathered information was compiled into CSV files and archived for removal. Before exfiltrating the stolen data to a remote server, the script generated a comprehensive HTML file titled "Active Directory Inventory Report"—a summary feature that researchers believe was a helpful addition suggested by the AI which the attacker simply chose to leave intact.
Source: https://www.huntress.com/blog/ai-coded-malware-vibe-coding-active-directory


