{"id":227464,"date":"2026-03-18T11:21:55","date_gmt":"2026-03-18T18:21:55","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=227464"},"modified":"2026-03-18T11:21:55","modified_gmt":"2026-03-18T18:21:55","slug":"ai-written-malware-vibe-coded-campaign","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/","title":{"rendered":"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign"},"content":{"rendered":"

Authored by Aayush Tyagi\u00a0<\/span><\/span>\u00a0<\/span><\/em><\/p>\n

Background<\/span>\u00a0<\/span><\/h2>\n

The term \u2018Vibe coding,\u2019 first coined back in February of 2025 by OpenAI researchers, has exploded across digital platforms. With hundreds of articles and YouTube Videos discussing the dangers of Vibe coding and warning the internet about the rise of \u201cVibe Coders\u201d, while others labelled it as the fundamental shift in software development and the future of coding. <\/span>\u00a0<\/span><\/p>\n

Vibe\u00a0Coding\u00a0is\u00a0an approach\u00a0where the\u00a0AI does\u00a0heavy\u00a0lifting, rather than the user<\/strong>. Instead of manually writing code or implementing algorithms, users describe their intent through text-based\u00a0prompt,\u00a0and the LLMs\u00a0respond\u00a0with\u00a0fully functional code\u00a0and\u00a0explanation.\u00a0Unsurprisingly, the internet is now flooded with guides on the best LLMs and prompts to generate \u201cperfect\u201d code.<\/span>\u00a0<\/span><\/p>\n

Given the ease of generating fully functional code,\u00a0McAfee Labs\u00a0has\u00a0also seen a rise in vibe-coded malware. In these campaigns, certain components\u00a0of the kill chain\u00a0contain\u00a0AI-generated code, significantly reducing the effort\u00a0and knowledge\u00a0required\u00a0to execute new malware\u00a0campaigns.\u00a0This shift not only makes malware campaigns more scalable but also lowers the barrier to entry for new malware authors.<\/span>\u00a0<\/span><\/p>\n

Executive summary<\/span>\u00a0<\/span><\/h2>\n

In January 2026,\u00a0McAfee Labs\u00a0observed\u00a0443\u00a0malicious\u00a0zip\u00a0files<\/strong> impersonating a wide range of software, including AI image generators and voice-changing tools, stock-market trading utilities, game mods and modding\u00a0tools, game hacks,\u00a0graphics card\u00a0and USB\u00a0drivers,\u00a0ransomware\u00a0decryptors,\u00a0VPNs,\u00a0emulators, and even infostealer, cookie-stealer, and backdoor malware, to infect users.\u00a0<\/span>\u00a0<\/span><\/p>\n

Across the\u00a0440+ zip files, we\u00a0observed\u00a048\u00a0unique\u00a0malicious\u00a0WinUpdateHelper.dll\u00a0variants<\/strong>, responsible for the infections. <\/span>McAfee\u00a0has been\u00a0detecting variants\u00a0of this threat\u00a0since\u00a0December\u00a02024,\u00a0although the vibe coding\u00a0observed\u00a0in certain components appears to be a recent addition.\u00a0These files are distributed through various legitimate\u00a0content delivery network (CDN)\u00a0services and file-hosting websites, such as Discord,\u00a0SourceForge,\u00a0FOSSHub, and MediaFire, to name a few. Another website that was actively delivering this malware was\u00a0mydofiles[.]com.<\/span>\u00a0<\/span><\/p>\n

Here, the attackers implement volume-driven malware distribution techniques to infect as many users as possible.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"Figure
Figure 1: Attack Vector<\/em><\/figcaption><\/figure>\n

This attack begins\u00a0when\u00a0users\u00a0surf\u00a0the internet looking for\u00a0tools and\u00a0software\u00a0that promise to simplify their tasks.\u00a0Instead,\u00a0they encounter\u00a0trojanized\u00a0zip files.\u00a0<\/span>\u00a0<\/span><\/p>\n

We discovered over 100 URLs actively spreading this malware, of which approximately 61 were hosted on Discord, 17 on\u00a0SourceForge, and 15 on\u00a0mydofiles[.]com.<\/span>\u00a0<\/span><\/p>\n

On running the\u00a0executable,\u00a0it loads a malicious\u00a0WinUpdateHelper.dll\u00a0file,\u00a0which\u00a0redirects the user to file-hosting websites, under the\u00a0disguise\u00a0that they are missing\u00a0crucial dependencies and\u00a0tricks\u00a0them\u00a0into installing\u00a0unrelated software, which is a distraction. Meanwhile,\u00a0the\u00a0DLL\u00a0has already requested and executed a malicious PowerShell script\u00a0from a\u00a0command-and-control (C2)\u00a0server.\u00a0<\/span>\u00a0<\/span><\/p>\n

This script\u00a0infects the user\u2019s\u00a0system\u00a0and\u00a0downloads\u00a0additional\u00a0mining software,\u00a0and\u00a0abuses\u00a0the system\u2019s resources,\u00a0or\u00a0it\u00a0downloads\u00a0additional\u00a0payloads such as\u00a0<\/span>SalatStealer<\/span><\/i>\u00a0or\u00a0<\/span>Mesh Agent<\/span><\/i>, depending on the\u00a0WinUpdateHelper.dll\u00a0sample which infected the user.\u00a0<\/span>\u00a0<\/span><\/p>\n

In this PowerShell script,\u00a0the presence of explanatory comments and\u00a0structured\u00a0sections strongly\u00a0indicates\u00a0the use\u00a0of\u00a0LLM models to generate this code.\u00a0<\/span><\/p>\n

Read more\u00a0about\u00a0this\u00a0in\u00a0the\u00a0<\/span>Using AI to generate malware?<\/strong><\/em> section below. <\/span>\u00a0<\/span><\/p>\n

So far,\u00a0we\u2019ve\u00a0observed\u00a0the mining of\u00a0<\/span>Ravencoin<\/span>,\u00a0<\/span><\/b>Zephyr,\u00a0Monero, Bitcoin\u00a0Gold,\u00a0Ergo,\u00a0<\/span>and<\/span>\u00a0<\/span><\/b>Clore<\/span>\u00a0<\/span><\/b>cryptocurrencies.\u00a0<\/span>\u00a0\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

Due to the presence of hardcoded Bitcoin wallet credentials within these malware samples, we were able to trace on-chain transactions and\u00a0identify\u00a0wallets\u00a0containing\u00a0over $4,500\u00a0USD that are part of this campaign.\u00a0<\/span>\u00a0<\/span><\/p>\n

Since most of the mining activity targets privacy-focused cryptocurrencies such as Zephyr,\u00a0<\/span>Ravencoin<\/span>\u00a0and Monero,\u00a0the real\u00a0financial impact\u00a0is likely\u00a0to be nearly\u00a0double the amount\u00a0identified\u00a0through Bitcoin tracing alone.\u00a0<\/span>\u00a0<\/span><\/p>\n

Geographical Prevalence<\/span>\u00a0<\/span><\/h2>\n
\n
\"Figure\u00a02:\u00a0Geographical
Figure\u00a02:\u00a0Geographical Prevalence\u202f\u00a0<\/em><\/figcaption><\/figure>\n<\/div>\n

This malware campaign has\u00a0specifically targeted users in the following\u00a0counties,\u00a0ranked by\u00a0prevalence: The\u00a0United States of America,\u00a0followed by United Kingdom, India, Brazil, France,\u00a0Canada,\u00a0Australia.<\/span>\u00a0<\/span><\/p>\n

Bottom Line<\/span><\/h2>\n

The availability of LLMs capable of generating code instantly, combined with the widespread accessibility of technical knowledge, has created a low-effort, high-reward environment,\u00a0making malware deployment increasingly accessible.<\/span>\u00a0<\/span><\/p>\n

At McAfee Labs, we have been doing\u00a0hard work\u00a0so that you\u00a0don\u2019t\u00a0need to worry. But it always helps to be informed\u00a0and\u00a0educated\u00a0on the latest threat\u00a0that steps into the threat landscape.\u00a0<\/span>
\nWe will continue\u00a0monitoring\u00a0these\u00a0campaigns to ensure our customers\u00a0remain\u00a0informed and protected across platforms.<\/span>\u00a0<\/span><\/p>\n

Technical Analysis\u202f<\/span>\u00a0<\/span><\/h2>\n

Impersonated Applications<\/span><\/h3>\n

Here we see\u00a0malware distribution at a large scale\u00a0and\u00a0by analyzing\u00a0the filenames of\u00a0these\u00a0ZIP archives, we can\u00a0infer to\u00a0the users that are being targeted.\u00a0These are some of the names\u00a0we\u2019ve\u00a0witnessed\u00a0in the wild.<\/span>\u00a0<\/span><\/p>\n

\"Figure
Figure 3: Malware Impersonating gaming software<\/em><\/figcaption><\/figure>\n

The attackers\u00a0are actively\u00a0impersonating\u00a0video game cheats and game mods\u00a0for popular\u00a0titles,\u00a0and\u00a0well-known\u00a0script executors for Roblox, such as Delta Executor and Solara\u00a0as seen above.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"Figure
Figure 4: Malware Impersonating tools,\u00a0malware\u00a0and\u00a0drivers<\/em><\/figcaption><\/figure>\n

Names such\u00a0as\u00a0Panther-Stealer and\u00a0Zerotrace-Stealer\u00a0indicate\u00a0that\u00a0even\u00a0users looking for malware on the internet are not safe either,\u00a0reinforcing the notion that there is truly no honor among thieves.<\/span>\u00a0<\/span><\/p>\n

The campaign also\u00a0leverages\u00a0drivers and AI-themed tools as part of its lure portfolio\u00a0among other tools.\u00a0Interestingly,\u00a0we see the name \u2018DeepSeek.zip\u2019,\u00a0where\u00a0attackers are exploiting\u00a0a\u00a0prominent\u00a0LLM model,\u00a0DeepSeek.\u00a0McAfee had\u00a0encountered\u00a0these types of attacks\u00a0in early 2025\u00a0and covered them extensively.\u00a0<\/span>\u00a0<\/span><\/p>\n

Read the\u00a0previous\u00a0blog here:\u00a0Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users<\/a>\u00a0\u00a0<\/strong><\/p>\n

Stage 1 Payload\u00a0\u2013\u00a0Misleading Installation\u00a0<\/span>\u00a0<\/span><\/h3>\n

Once the user downloads\u00a0the\u00a0ZIP archive\u00a0from Discord or any other\u00a0website. They get the following set of files.<\/span><\/p>\n

\"Figure\u00a05:\u00a0Files\u00a0within
Figure\u00a05:\u00a0Files\u00a0within the zip archive.<\/figcaption><\/figure>\n

Here, the executable named \u2018<\/span>gta-5-online-mod-menu.exe<\/span><\/b>\u2019\u00a0(Highlighted in Blue)\u00a0is a\u00a0legitimate and\u00a0clean\u00a0file.\u00a0Whereas\u00a0the file named \u2018<\/span>WinUpdateHelper.dll<\/span><\/b>\u2019 (Highlighted in Red)\u00a0is\u00a0malicious.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"Figure
Figure 6: Command Prompt misinforming the user<\/em><\/figcaption><\/figure>\n

On executing \u2018<\/span>gta-5-online-mod-menu.exe\u2019<\/span><\/b>,\u00a0the\u00a0malicious DLL is loaded.\u00a0The\u00a0user\u00a0is informed\u00a0that they are missing\u00a0dependencies,\u00a0and\u00a0they\u2019re\u00a0redirected to the following URL\u00a0via default browser.\u00a0<\/span>\u00a0<\/span><\/p>\n

hxxps:\/\/igk[.]filexspace.com\/getfile\/XKQLPSK?title=DependencyCore&tracker=gta-5-online-mod-menu<\/span><\/b>\u00a0<\/span><\/p>\n

Here,\u00a0within the URL, a tracker variable is\u00a0used\u00a0to\u00a0identify\u00a0which\u00a0malware has infected the user. In this instance, it was\u00a0\u2018gta-5-online-mod-menu\u2019.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"Figure\u00a07:\u00a0Website
Figure\u00a07:\u00a0Website prompting users to download dependencycore.zip<\/em><\/figcaption><\/figure>\n

Dependecycore.zip\u00a0is a setup\u00a0file.\u00a0On execution, it installs unrelated 3<\/span>rd<\/span>\u00a0party software on the\u00a0victim\u2019s\u00a0system.<\/span>\u00a0<\/span><\/p>\n

\"Figure\u00a08:\u00a0Files
Figure\u00a08:\u00a0Files dropped by Dependecycore.zip in\u00a0temp\u00a0folder<\/em><\/figcaption><\/figure>\n

In this instance,\u00a0iTop\u00a0Easy Desktop was installed.<\/span>\u00a0<\/span><\/p>\n

This\u00a0unwanted\u00a0installation\u00a0is meant to\u00a0subvert users\u2019 attention. As,\u00a0the\u00a0WinUpdateHelper.dll\u00a0has already connected to the C2 server\u00a0and infected the system.\u00a0<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

Stage 1 Payload\u00a0\u2013\u00a0Malicious Functionality\u00a0<\/span>\u00a0<\/span><\/h3>\n

Once the redirection code is executed, the\u00a0malware executes the malicious code.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"Figure\u00a09:
Figure\u00a09: Malicious code within\u00a0WinUpdateHelper.dll<\/em><\/figcaption><\/figure>\n

In the above\u00a0code\u00a0snippet,\u00a0which is present in\u00a0the WinUpdateHelper.dll, we can see that a new service has been created under the name \u201c<\/span>Microsoft Console Host<\/span><\/b>\u201d to make it appear to be benign (Highlighted in Red). The parameters passed to this service ensure that it executes at system boot. This is done to maintain persistence in the system.<\/span><\/p>\n

The service executes a PowerShell\u00a0command\u00a0that dynamically generates the C2 domain\u00a0using the UNIX time stamp.\u00a0<\/span>\u00a0<\/span><\/p>\n

Using the following code,\u00a0<\/span>
\n$([Math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() \/ 5000000) * 5000000).xyz<\/span><\/b>\u00a0<\/span><\/p>\n

It\u00a0generates a domain\u00a0name\u00a0that changes\u00a0once\u00a0every\u00a05,000,000 seconds or 58 days.\u00a0<\/span><\/p>\n

The latest C2 domain\u00a0we\u2019ve\u00a0discovered\u00a0that is up and running is\u00a0<\/span>
\n1770000000[.]xyz\/script?id=fA9zQk2L0M&tag=WinUpdateHelper<\/span><\/b><\/p>\n

During\u00a0our\u00a0analysis we\u00a0observed\u00a0the following domain\u00a0<\/span>
\n1765000000[.]xyz\/script?id=fA9zQk2L0M&tag=WinUpdateHelper,\u00a0<\/span><\/b>which is present in the following images.\u00a0<\/span>\u00a0<\/span><\/p>\n

Here the\u00a0<\/span>id=fA9zQk2L0M<\/span><\/b>\u00a0is\u00a0randomly\u00a0generated, to\u00a0uniquely\u00a0identify\u00a0the\u00a0user\u00a0and\u00a0<\/span>tag=WinUpdateHelper\u00a0<\/span><\/b>is used to\u00a0identify\u00a0the malware campaign.\u00a0<\/span>\u00a0<\/span><\/p>\n

The\u00a0malware connects to the\u00a0above-mentioned\u00a0C2\u00a0server to download\u00a0a PowerShell\u00a0script and\u00a0execute\u00a0it in memory. This fileless execution ensures\u00a0improved evasion against\u00a0signature-based detections.<\/span>\u00a0<\/span><\/p>\n

Stage 2 Payload \u2013 PowerShell Script\u00a0<\/span>\u00a0<\/span><\/h3>\n
\"Figure\u00a010:
Figure\u00a010: PowerShell downloaded from the C2 server<\/em><\/figcaption><\/figure>\n

It is funny to note here, that the\u00a0first comment\u00a0of this script says\u00a0<\/span>\u201c# I am forever sorry\u201d\u00a0<\/span><\/b>which\u00a0indicates\u00a0that\u00a0the\u00a0attacks do carry some guilt\u00a0regarding\u00a0their actions, but not enough to\u00a0stop\u00a0the campaign. We found similar comments, such as\u00a0<\/span>\u201c# sorry lol\u201d<\/span><\/b>,\u00a0across multiple PowerShell scripts we\u00a0discovered.\u00a0<\/span>\u00a0<\/span><\/p>\n

The first set of commands (Highlighted in Green) are used to delete windows services and scheduled tasks. This is done to remove older or conflicting persistence mechanisms and to avoid duplicate miners from running on the same system.\u00a0<\/span><\/p>\n

The second set of commands (Highlighted in Red) are\u00a0registry modifications, that adds\u00a0<\/span>\u201cC:\\ProgramData\u201d<\/span><\/b>\u00a0to\u00a0Windows Defender exclusion paths.\u00a0That is,\u00a0ProgramData\u00a0Folder\u00a0won\u2019t\u00a0be scanned by Windows Defender\u00a0anymore. This exclusion allows malware to drop\u00a0additional\u00a0payloads\u00a0to disk, without the\u00a0risk\u00a0of them being detected and removed.\u00a0<\/span>\u00a0<\/span><\/p>\n

The third set of commands (Highlighted in Blue)\u00a0does exactly that.\u00a0It downloads\u00a0the\u00a0next level payload from the URL\u00a0<\/span>\u201chxxps:\/\/1765000000[.]xyz\/download\/xbhgjahddaa”\u00a0<\/span><\/b>and stored it\u00a0at this path\u00a0<\/span>\u201cC:\\ProgramData\\fontdrvhost.exe\u201d<\/span><\/b>.<\/span><\/p>\n

Again the name\u00a0<\/span>\u2018fontdrvhost.exe\u2019<\/span><\/b>\u00a0imitates a legitimate Windows binary, to masquerade its true intent.\u00a0After the download, the file is\u00a0decoded\u00a0using a simple arithmetic\u00a0decryption routine. This provides protection\u00a0against static signature detection and network detection.<\/span>\u00a0<\/span><\/p>\n

The payload\u00a0is\u00a0an XMRIG\u00a0miner\u00a0sample.\u00a0In the next command, the miner is\u00a0initialized and executed.\u00a0Here, we see the\u00a0miner connecting to\u00a0\u201c<\/span>solo-zeph.2miners.com:4444<\/span><\/b>\u201d and start CPU based\u00a0<\/span>Zephyr coin<\/span><\/b>\u00a0mining\u00a0using the following wallet address:<\/span> \u2018ZEPHsCY4zbcHGgz2U8PvkEjkWjopuPurPNv8nnSFnM5MN8hBas8kBN4ho<\/span><\/b>NKmc7uMRfUQh4Fc9AHyGxL6NFARnc217m2vYgbKxf\u2019<\/span><\/b>.<\/span>\u00a0<\/span><\/p>\n

\"Figure\u00a011:
Figure 11: PowerShell downloaded from the C2 server continued<\/figcaption><\/figure>\n

In the second half of the script, we see another miner being\u00a0set up\u00a0and executed\u00a0using the same technique\u00a0(Highlighted in Red).\u00a0This time\u00a0the file is stored as\u00a0<\/span>\u201cRuntimeBroker.exe\u201d\u00a0<\/span><\/b>in the\u00a0ProgramData\u00a0folder.\u00a0The miner is connecting to\u00a0<\/span>\u201csolo-rvn.2miners.com:7070\u201d\u00a0<\/span><\/b>to mine\u00a0<\/span>Ravencoin\u00a0<\/span><\/b>and\u00a0it\u00a0is\u00a0using\u00a0the system\u2019s\u00a0GPU instead of the CPU for mining\u00a0(Highlighted in Blue).\u00a0<\/span>\u00a0<\/span><\/p>\n

This is the wallet address used for mining in this instance <\/span>\u2018bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r\u2019.\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

Hence,\u00a0we see a dual coin-mining\u00a0deployment\u00a0infrastructure\u00a0utilizing\u00a0both CPU and GPU\u00a0resources\u00a0to\u00a0optimize\u00a0mining efficiency.<\/span>\u00a0<\/span><\/p>\n

Bitcoin?\u00a0<\/span>Interesting…\u00a0<\/span>\u00a0<\/span><\/h2>\n

What is interesting here is that attackers have used a bitcoin\u00a0wallet address for mining\u00a0Ravencoin, which\u00a0indicates\u00a0they are\u00a0using multi-coin pools for mining.\u00a0The attackers are using the\u00a0victims’\u00a0machine to mine\u00a0Ravencoin\u00a0and\u00a0automatically\u00a0convert\u00a0the mining rewards to\u00a0Bitcoin before\u00a0the\u00a0payout.\u00a0<\/span>\u00a0<\/span><\/p>\n

This is done for a variety of reasons, such as, bitcoin offers higher liquidity and has\u00a0broader acceptance, but most importantly,\u00a0Ravencoin\u00a0is computationally easier and economically\u00a0viable\u00a0to mine on victim\u2019s system.\u00a0Bitcoin\u00a0requires specialized\u00a0ASIC hardware\u00a0for profitable mining\u00a0and\u00a0attempting\u00a0to mine Bitcoin directly on infected systems would generate negligible returns.\u00a0We\u2019ve\u00a0seen the same\u00a0behaviour\u00a0in multiple samples.\u00a0<\/span><\/p>\n

This is\u00a0a\u00a0smoking gun.\u00a0Unlike Zephyr coin\u00a0or Monero,\u00a0Bitcoin\u2019s blockchain is fully traceable.\u00a0Every Satoshi, the smallest unit of Bitcoin,\u00a0can be traced across the blockchain from the moment it was mined to its current holder.\u00a0From there, it becomes easy to\u00a0determine\u00a0how much cryptocurrency the threat actor is receiving.\u00a0More on this later.\u00a0<\/span>\u00a0<\/span><\/p>\n

Anti-Analysis Techniques<\/span>\u00a0<\/span><\/h2>\n

The attackers\u00a0have\u00a0meticulously designed the campaign and\u00a0have\u00a0implemented various anti-analysis techniques to\u00a0thwart researchers.\u00a0<\/span>\u00a0<\/span><\/p>\n

The PowerShell\u00a0script\u00a0we\u2019ve\u00a0seen\u00a0above\u00a0is responsible for\u00a0downloading and\u00a0initializing the coin miner samples.\u00a0It is only accessible\u00a0via PowerShell.\u00a0If we try to access the server via\u00a0Curl, we get the following response.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"Figure
Figure 12:\u00a0301 Response from the server<\/em><\/figcaption><\/figure>\n

\u00a0<\/span>This\u00a0indicates\u00a0that the server is actively\u00a0monitoring\u00a0the\u00a0User-Agent\u00a0of\u00a0incoming\u00a0requests\u00a0and deploys the payload only when the request originates from PowerShell.<\/span>\u00a0<\/span><\/p>\n

\u00a0<\/span>Similarly, the URLs\u00a0embedded within\u00a0the PowerShell script that\u00a0download\u00a0the\u00a0next\u00a0payload\u00a0are unique to\u00a0each\u00a0victim and\u00a0remain\u00a0active for 60 seconds.\u00a0After that, they return a 404 Not Found error.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"Figure
Figure 13: URLs within the PowerShell<\/em><\/figcaption><\/figure>\n

These techniques are meant to\u00a0confuse and\u00a0disorient researchers, making the analysis difficult.\u00a0<\/span>\u00a0<\/span><\/p>\n

Using AI to generate malware?\u00a0<\/span>\u00a0<\/span><\/h2>\n

While working\u00a0on this malware campaign, we came across over 440 unique zip files.\u00a0These same zip files were\u00a0distributed\u00a0with over 1700 different names, targeting various software.<\/span>\u00a0<\/span><\/p>\n

Across these\u00a0440 zip files, we noticed\u00a048 unique variants of\u00a0WinUpdateHelper.dll.\u00a0These 48 files can be\u00a0clustered\u00a0together into\u00a017\u00a0distinct kill chains, each\u00a0featuring\u00a0their own\u00a0C2\u00a0infrastructure,\u00a0misleading installation setups,\u00a0second-stage PowerShell scripts\u00a0and final payloads,\u00a0yet the\u00a0cryptocurrency wallet credentials\u00a0remain\u00a0similar.\u00a0<\/span><\/p>\n

In the above technical analysis,\u00a0we\u2019ve\u00a0only covered 1 kill chain.\u00a0Yet, across these 17 kill chains,\u00a0we\u2019ve\u00a0noticed the\u00a0flow remain the same.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"Figure
Figure 14:\u00a0PowerShell Script with LLM-Generated Comments<\/em><\/figcaption><\/figure>\n

Across multiple second stage payloads, we\u00a0encounter\u00a0multiple comments such as\u00a0the following,\u00a0embedded\u00a0within the code:<\/span><\/p>\n

# === Create and execute run.bat in C:\\ProgramData ===<\/span><\/b><\/p>\n

::\u00a0This batch file:<\/span><\/b><\/p>\n

::\u00a0– Creates the hidden folder C:\\ProgramData\\cvtres if it\u00a0doesn”t\u00a0exist (using CMD\u00a0attrib\u00a0for hidden + system)<\/span><\/b><\/p>\n

::\u00a0– Downloads cvtres.exe from your GitHub URL<\/span><\/b><\/p>\n

::\u00a0– Saves it to C:\\ProgramData\\cvtres\\cvtres.exe<\/span><\/b><\/p>\n

::\u00a0– Executes it\u00a0immediately<\/span><\/b><\/p>\n

::\u00a0– Runs completely hidden\/minimized (no window visible)<\/span><\/b><\/p><\/blockquote>\n

The presence of such explanatory-style comments\u00a0indicates\u00a0that large language models were\u00a0likely used\u00a0during the development of these scripts.\u00a0Especially, the\u00a0comment \u201c<\/span>Downloads cvtres.exe from your GitHub URL\u201d,\u00a0<\/span><\/b>where \u2018<\/span>Your GitHub URL<\/span><\/b>\u2019 refers to the threat actor\u2019s GitHub repository that is hosting the\u00a0malware,\u00a0which\u00a0indicates\u00a0potential vibe coding.\u00a0<\/span>\u00a0<\/span><\/p>\n

Tracking Bitcoin Across the Blockchain<\/span>\u00a0<\/span><\/h2>\n

During analysis of\u00a0this malware campaign, we came across\u00a0few\u00a0instances where the final payload\u00a0was\u00a0Infostealer malware.\u00a0In most cases it was coin miner samples.\u00a0<\/span>
\nIn these cases, we\u00a0encountered\u00a0wallet credentials and mining pool URLs\u00a0for several alternative cryptocurrencies\u00a0such as\u00a0<\/span>Ravencoin<\/span>,\u00a0<\/span><\/b>Zephyr,\u00a0Monero, which\u00a0aren\u2019t\u00a0traceable.\u00a0<\/span>\u00a0<\/span><\/p>\n

Fortunately, we came across 7 bitcoin wallets that are part of this malware campaign and are actively receiving mined cryptocurrency.<\/span>\u00a0<\/span><\/p>\n

bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r\u00a0\u00a0\u00a0\u00a0 bc1q7cpwxjatrtpa29u85tayvggs67f6fxwyggm8kd<\/span><\/b>\u00a0<\/span><\/p>\n

bc1qyy0cv8snz7zqummg0yucdfzpxv2a5syu7xzsdq\u00a0\u00a0\u00a0 bc1qxhp6mn0h7k9r89w8amalqjn38t4j5yaa7t89rp<\/span><\/b>\u00a0<\/span><\/p>\n

bc1qxnkkpnuhydckmpx8fmkp73e38dfed93uhfh68l\u00a0\u00a0\u00a0 bc1qrtztxnqnjk9q4d5hupnla245c7620ncj3tzp7h<\/span><\/b>\u00a0<\/span><\/p>\n

bc1q97yd574m9znar99fa0u799rvm55tnjzkw9l33w<\/span><\/b>\u00a0<\/span><\/p><\/blockquote>\n

As\u00a0of\u00a0writing this blog, these wallets\u00a0contain\u00a0Bitcoin valued at approximately $4,536.20 USD.<\/span>\u00a0<\/span><\/p>\n

\n
\"Figure
Figure 15:\u00a0Wallet Snapshot\u00a0displaying the total value\u00a0\u00a0<\/em><\/figcaption><\/figure>\n<\/div>\n

These wallets have seen regular withdrawals,\u00a0with\u00a0total\u00a0funds\u00a0received amounting to\u00a0approximately $11,497.7\u00a0USD.<\/span>\u00a0<\/span><\/p>\n

McAfee Coverage<\/span>\u202f<\/span><\/h2>\n

McAfee has extensive coverage\u00a0for this\u00a0Coinminer\u00a0Malware Campaign.\u00a0We\u2019re\u00a0proactively covering new\u00a0samples\u00a0observed\u00a0in the wild.<\/span>\u00a0<\/span><\/p>\n

Trojan:Win\/Phishing.AP<\/span>\u00a0<\/span><\/p>\n

Trojan:Script\/Coinminer.AT<\/span>\u00a0<\/span><\/p>\n

Trojan:Win\/Dropper.AT<\/span>\u00a0<\/span><\/p>\n

Indicator of Compromise(s)<\/span><\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
File Type<\/span><\/b>\u00a0<\/span><\/td>\nSHA256\/URLs<\/span><\/b>\u00a0<\/span><\/td>\nFile Name<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
SHA256<\/span><\/b>\u00a0<\/span><\/td>\n94de957259c8e23f635989dd793cd<\/span><\/p>\n

fd058883834672b2c8ac0a3e80784fce819<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\ndb8afdafbe39637fec3572829dd0a<\/span><\/p>\n

1a2f00c9b50f947f1eb544ede75e499dca7<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nf15098661d99a436c460f8a6f839<\/span><\/p>\n

a6903aebd2d8f1445c3bccfc9bf64868f3b0<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n3abf66e0a886ec0454d0382369dd6<\/span><\/p>\n

d23c036c0dd5d413093c16c43c72b8ccb0b<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n767b63d11cee8cfb401a9b72d7bcc<\/span><\/p>\n

a23b949149f2a9d7456e6e16553afcef169<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n12850f78fc497e845e9bf9f10314c4ecc<\/span><\/p>\n

6a659dcd90e79ef5bd357004021ba78<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n0a8a58d18adc86977b7386416c6be8db<\/span><\/p>\n

850a3384949b6750a6c6b2136138684a<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1a60852904ff9c710cd754fa187ce58cb18c69<\/span><\/p>\n

e35ea4962a8639953abe380f64<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n4ab63b5ccd60dfd66c7510d1b3bc1f45f0<\/span><\/p>\n

c31c2d4c16b63b523d05ccac3fcb9d<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1390e61a45dd81fa245a3078a3b305<\/span><\/p>\n

e3c7cdeb5fa1e63d9daca22096b699f9e8<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\na0c3de95e5bf84cb616fe1ee1791e96ff57<\/span><\/p>\n

53778b36201610e6730d025a6cb12<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nea65298d8d8ce4b868511a1026f8657abcc<\/span><\/p>\n

6b2e333854f4fc1bd498463b24084<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n6ea34fd213674f31a83c0eee2fb521303d2<\/span><\/p>\n

a7c23e324bbdfa1a8edd7b6b6b6f1<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n7bec5e37777e6a2ca50e765b07e8cb<\/span><\/p>\n

65e88f4822ab19d98c32f1c69444228e5c<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n64c96f0251363aaf35c3709c134aab52b9<\/span><\/p>\n

81508b0ce9445e42774d151e43686b<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n393f6c6b307aecfe46acc603da812cc17f<\/span><\/p>\n

0ebf24b66632660a2e533dfa4f463f<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n94077065d049e821803986316408b<\/span><\/p>\n

82edad43fcd5a154f6807b4382eece705c3<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\na206ff592aea155d2bb42231afc3f060<\/span><\/p>\n

494ffa8f3de8f25aaf8881639c500b44<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\ncb2eebf27def80261eef6b80d898e06<\/span><\/p>\n

f443294371463accd45ca24ce132fad98<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n3fea0a031ffd78c8d08f6499c2bbc<\/span><\/p>\n

6a9edac5dc88b9ba224921f8f142e5a9adb<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n4fe5d461aaa752b94d016ca4e742e<\/span><\/p>\n

02d30d3d4848a32787ce3564b5393017d77<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n04399f9f3ef87d8dd15556628532a84<\/span><\/p>\n

d63d628eaae0ed81166d6efbee428cdba<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\ndd37cd62fa18af798018a706f20a91a537f<\/span><\/p>\n

0993f0254a0c84d64097c6480afb2<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1d85ffe28d065780c9327078941cb76<\/span><\/p>\n

2915<\/span>c69c69012303e45eee44c092f8046<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n86e14dd0ab29ee0eab21874811b7e4<\/span><\/p>\n

50d609f<\/span>eb606f77206627b62cccbd58afa<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n17704d58fb9c4e68c54a56fa97cd32599<\/span><\/p>\n

792d00<\/span>da53691b8bdb58e49296b7feb<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n491019e31af8f1489aea8d4c0f9816<\/span><\/p>\n

813698def0<\/span>301a2abb88e5248b37753d2b<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nc0ab89c3d9c7b9a04df5169eb175d517<\/span><\/p>\n

3c6<\/span>de08a4ef3674cd6d7f9a925d63151<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\ndf0ca0f15926964040bb43978f97faccc0<\/span><\/p>\n

0bae5f6a00d8bd7d105d8c7d32efb1<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\ne40f2628b2981226b1afe16c1cf3796b94<\/span><\/p>\n

82b2ac070adac999707fc09909327c<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nf6093084196acded1179d3a1466908beb<\/span><\/p>\n

966dceaba03e1dfeb02a2628fdb0423<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nfcc512630ee95d3f4c31e3aabc75ad2e29<\/span><\/p>\n

dfacb4d4bcce7a12abe9a516979dbd<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nfe02d8d7a6b8f66624b238665d63094<\/span><\/p>\n

a2bcd19c44a3f9c449788cadbb1b741a6<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1967f6f42710b43506a0784a28ca8785a<\/span><\/p>\n

f91b84dfa8629ec5be92be8eec564c6<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n5280b0ecb6c7246db84a9b194f5c85cc3<\/span><\/p>\n

03c028475900b558306fdd4e51f4fc3<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nce06d83adb53c8b9d240202193ca4c04d<\/span><\/p>\n

0163994dad707aed0f0e67fdd2a42fe<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n13976bdc28d3b3ae88ed92fcf49ff9e083b<\/span><\/p>\n

0ce5fd53e60680df00cd92bdfb33b<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n4135754b26dfac10cd19dcf6e03677b53<\/span><\/p>\n

7244cf69fdce9c4138589e59449b443<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n7d69eca36c0f69b3007cdbf908f15545<\/span><\/p>\n

e95611acf4bad8b9e30e54687a6d33bb<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n085dc279b422d761729374b01eae1e2<\/span><\/p>\n

2375ef9538a6c4bc7cc35e8a812450f93<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n99ff2045d1377db7342420160eb254b7<\/span><\/p>\n

b09cc4ce41a97b6bf0ec4d3f65d9ede6<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n396f397099a459f3adeba057788aa3d3488<\/span><\/p>\n

2eea7d1665c828449f205a86dc80f<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n908d35e6afd90da2e7c71cf82c8a61b5534<\/span><\/p>\n

10ca920e67dba1bae35c2b6b19bad<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n7029d68969814f1473e4e4a22abd4be8<\/span><\/p>\n

5678a03bbe4c0f6194f3b7e421872ab3<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nd3ba17aa83748c539c75cee7eedb03a4<\/span><\/p>\n

83<\/span>f2e86af10b69da3f0c8e549f014ac3<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nd758820962ead89d5eaf7e45930a5eb<\/span><\/p>\n

6ab<\/span>11d5508988087faf84d8d7524408f1<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\ne863f45099f3dc057a5aee5990fabfb4<\/span><\/p>\n

e8ea8849cd5bc895092ff0a305a3f85d<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n0db26e9a1213d09521fc0dbfe15f807c9<\/span><\/p>\n

960f62bc1cf4071001f58f210c53e9c<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n94de957259c8e23f635989dd793cdfd<\/span><\/p>\n

058883834672b2c8ac0a3e80784fce819<\/span>\u00a0<\/span><\/td>\n

WinUpdateHelper.dll<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
C2 URLs\u00a0<\/span><\/b>\u00a0<\/span><\/td>\nhxxp:\/\/85[.]235[.]75[.]242\/script[.]ps11<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/41[.]216[.]188[.]184\/downloads\/loader[.]ps1\u00a0<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/46[.]151[.]182[.]238:6969\/script\u00a0<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/mydofiles[.]com\/script[.]ps1<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/45[.]141[.]119[.]191\/jjj[.]txt\u00a0<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/getthishasg[.]live\/cz8wl3k[.]php?<\/span><\/p>\n

cnv_id=cee43wfhqb7b81&payout=1\u00a0<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/gocrazy[.]gg\/script?id=fA9z<\/span><\/p>\n

Qk2L0M`&tag=schtasks<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/dystoria[.]cc\/mon<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/85[.]235[.]75[.]242\/script[.]ps1<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/github[.]com\/dextamoggan4-sudo\/<\/span><\/p>\n

shineex\/releases\/download\/python\/script[.]ps1<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/45[.]141[.]119[.]191\/gg[.]txt<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/codeberg[.]org\/Yesdev123\/<\/span><\/p>\n

load\/raw\/branch\/main\/testfile[.]txt<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/45[.]141[.]119[.]191\/jjjj[.]tt<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/kenovn[.]net\/script<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/1765000000[.]xyz\/script?<\/span><\/p>\n

id=fA9zQk2L0M&tag=WinUpdateHelper<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/46[.]151[.]182[.]238:6969\/scrpt<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/46[.]151[.]182[.]238:6969\/script<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/cutt[.]ly\/ke0WRr70<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/cutt[.]ly\/pe0WRidw<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/1770000000[.]xyz\/script?id<\/span><\/p>\n

=fA9zQk2L0M&tag=WinUpdateHelper<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/150[.]241[.]64[.]28\/panfish\u00a0<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
Final Payload URLs<\/span><\/b>\u00a0<\/span><\/td>\nhxxps:\/\/github[.]com\/gaescmo-ai\/justin\/<\/span><\/p>\n

releases\/download\/son\/xmrig[.]exe<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/github[.]com\/gaescmo-ai\/justin\/<\/span><\/p>\n

releases\/download\/son\/ethminer[.]exe<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/41[.]216[.]188[.]184\/downloads<\/span><\/p>\n

\/windows-service[.]zip\u00a0<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/46[.]151[.]182[.]238:6969\/exe\/rat[.]exe<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/46[.]151[.]182[.]238:6969\/exe\/miner[.]exe<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/46[.]151[.]182[.]238:6969\/exe\/titledetector[.]exe<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/github[.]com\/jimbrock44\/filezilla2025\/<\/span><\/p>\n

raw\/refs\/heads\/main\/sc[.]msi<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/github[.]com\/softwarelouv\/software\/<\/span><\/p>\n

raw\/refs\/heads\/main\/scvhosts[.]exe<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/github[.]com\/softwarelouv\/software\/<\/span><\/p>\n

raw\/refs\/heads\/main\/cvtres[.]exe<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/109[.]120[.]177[.]217:8082\/download<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/45[.]141[.]119[.]191\/fontdrvhost[.]exe<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/codeberg[.]org\/Yesdev123\/load\/raw\/<\/span><\/p>\n

branch\/main\/source[.]exe<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/1765000000[.]xyz\/download\/xbhgjahddaa<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/1765000000[.]xyz\/download\/ebhgjahddaa<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/46[.]151[.]182[.]238:6969\/autoexec<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxp:\/\/62[.]113[.]112[.]203\/adm[.]exe<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/evilmods[.]com\/api\/nothingtoseehere[.]exe<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/evilmods[.]com\/api\/nothingbeme[.]exe<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/evilmods[.]com\/DependencyCore2<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhxxps:\/\/evilmods[.]com\/DependencyCore<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
Unwanted Installers<\/span><\/b>\u00a0<\/span><\/td>\nCD1B15644BF0D7CBF270E8F21CEAE5E6<\/span>\u00a0<\/span><\/td>\nDependecycore.zip<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n7d18257b55588bccb52159d261f9cd7f<\/span>\u00a0<\/span><\/td>\nDependecycore.zip<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nA518FB6B9D2689737CE668675EEDE98F<\/span>\u00a0<\/span><\/td>\niTop\u00a0Easy Desktop<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nE3BB21152BA90990E3CCBC1A05842F8B<\/span>\u00a0<\/span><\/td>\nOpera Installer<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nA6BC4C6A58AC533D3DB5F96D24DDE0EF<\/span>\u00a0<\/span><\/td>\nDocs Helper Setup<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nFA24733F5A6A6F44D0E65D7D98B84AA6<\/span>\u00a0<\/span><\/td>\nWindows Manager<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nCDB67B1C54903F223F7DCCA14AEA67DF<\/span>\u00a0<\/span><\/td>\neld4.exe<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
Final Payloads<\/span><\/b>\u00a0<\/span><\/td>\ne07a76cc4258c6b4b3f85451ea2174d5<\/span>\u00a0<\/span><\/td>\nxmrig.exe<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nd32395a3a340e033e11bd89acddaa9cd<\/span>\u00a0<\/span><\/td>\nethminer.exe<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n14f1de874c78221e7b6889af7463de69<\/span>\u00a0<\/span><\/td>\nWindowsService.exe<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n47c8731b2526613e1e3bc61a88680cd0<\/span>\u00a0<\/span><\/td>\nrat.exe<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nfbac126407b5735583dac5ea7cf519b3<\/span>\u00a0<\/span><\/td>\nSalatStealer<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n4dc93730ebe04a9b508a9f9dae74ae09<\/span>\u00a0<\/span><\/td>\nminer.exe\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n90e10b510144719613b1017abe227b87<\/span>\u00a0<\/span><\/td>\ntitledetector.exe<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n8dadf8a4b77a340fcbb402789f9a07db<\/span>\u00a0<\/span><\/td>\nagent<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n4c8e8e2fdc23bb7b24e6b410eb69fb4a<\/span>\u00a0<\/span><\/td>\nscvhosts.exe<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n79ea41812bd3310e11fc95403504f048<\/span>\u00a0<\/span><\/td>\nsc.msi<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1b1bd2783d4e8d1c2d444ffa8689677b<\/span>\u00a0<\/span><\/td>\ncvtres.exe<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n16b70d148b66c20c709b7eed70100a96<\/span>\u00a0<\/span><\/td>\nsource.exe<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\ne2af5595c9a0b7feaa9291b405d4c991<\/span>\u00a0<\/span><\/td>\nXMRIG\u00a0_Miner<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nb133229ed0be8788c84a975656a7339c<\/span>\u00a0<\/span><\/td>\nCoinMiner<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n754b581c7e3593446f0a06852031564a<\/span>\u00a0<\/span><\/td>\nMeshAgent<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\na7400236ffab02ae5af5c9a0f61e7300<\/span>\u00a0<\/span><\/td>\nNiceHash\u00a0Miner<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nd7d34c0559b3f6ba70be089e4cc6172c\u00a0<\/span>\u00a0<\/span><\/td>\nlolMiner<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
PowerShell Scripts<\/span><\/b>\u00a0<\/span><\/td>\n02a4d24d0cdaa6f9a3ecf4b71e3f2eec<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n2a153877acc9270406d676403e999490<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n77f491c1c50e224d0c61ed608445d8a9<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nc60a3307d21840d1e15ee78b07d3eb04<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nd17b85de54d0c438c092c1e889b8c63f<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\ne35c04a7c31f8641757374404edea395<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nfa8b5b5a302c0e353f4983973cf4b37e<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nd2ad87a1fd1e8812c5ba4b259de4f885<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
Wallet Address<\/span><\/b>\u00a0<\/span><\/td>\n46NgyMUVMf6Xzsao9XR<\/span><\/p>\n

C6BTjJpj<\/span>UJFfA12F8<\/span>BPmD<\/span><\/p>\n

86Y7biz4gZdjCWsSXMUZ<\/span>o<\/span><\/p>\n

mtuUs8crujryAvhRFMyvhzb<\/span><\/p>\n

s6naMKucHFi<\/span>\u00a0<\/span><\/td>\n

Monero (XMR) wallet address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nRJe6FfyoWDq6M4i3b17LxvjdT2fSNTLTYA<\/span>\u00a0<\/span><\/td>\nRavencoin\u00a0(RVN) wallet address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nZEPHsCY4zbcHGgz2U8<\/span><\/p>\n

PvkEjkWjop<\/span>uPurPNv8nnSFn<\/span><\/p>\n

M5MN8hBas8kBN4hoo<\/span>NKmc7uMRfU<\/span><\/p>\n

Qh4Fc9AHyGxL6NFARnc217m2vYgbKxf<\/span>\u00a0<\/span><\/td>\n

Zephyr (ZEPH) wallet address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nbc1qyy0cv8snz7zqummg0yucd<\/span><\/p>\n

fzpxv2a5syu7xzsdq<\/span>\u00a0<\/span><\/td>\n

Bitcoin (BTC) address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nbc1q7cpwxjatrtpa29u85tayvggs<\/span><\/p>\n

67f6fxwyggm8kd<\/span>\u00a0<\/span><\/td>\n

Bitcoin (BTC) address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nbc1qxhp6mn0h7k9r89w8amalqj<\/span><\/p>\n

n38t4j5yaa7t89rp<\/span>\u00a0<\/span><\/td>\n

Bitcoin (BTC) address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nbc1qxnkkpnuhydckmpx8fmkp73e3<\/span><\/p>\n

8dfed93uhfh68l<\/span>\u00a0<\/span><\/td>\n

Bitcoin (BTC) address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nbc1qrtztxnqnjk9q4d5hupnla245c762<\/span><\/p>\n

0ncj3tzp7h<\/span>\u00a0<\/span><\/td>\n

Bitcoin (BTC) address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nbc1q9a59scnfwkdlm6wlcu5w76zm2<\/span><\/p>\n

uesjrqdy4fr8r<\/span>\u00a0<\/span><\/td>\n

Bitcoin (BTC) address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nbc1q97yd574m9znar99fa0u799rvm<\/span><\/p>\n

55tnjzkw9l33w<\/span>\u00a0<\/span><\/td>\n

Bitcoin (BTC) address<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
URL Distributing Malware<\/span><\/b>\u00a0<\/span><\/td>\nhttp:\/\/www[.]mydofiles[.]com\/<\/span><\/p>\n

MultiClicker[.]zip<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttp:\/\/www[.]mydofiles[.]com\/<\/span><\/p>\n

ProCheatsInstaller[.]zip<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttp:\/\/www[.]mydofiles[.]com\/<\/span><\/p>\n

RobloxCheatEngine[.]zip<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttp:\/\/www[.]mydofiles[.]com\/<\/span><\/p>\n

ST-Bot[.]zip<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/sourceforge[.]net\/projects\/<\/span><\/p>\n

delta-executor-fo<\/span>r-<\/span>pc\/files\/latest\/download<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/ixpeering[.]dl[.]sourceforge[.]net\/project\/<\/span><\/p>\n

delta-executor-<\/span>for-pc\/DeltaExecutor[.]zip?viasf=1<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/sourceforge[.]net\/projects\/<\/span><\/p>\n

delta-executor-for-pc\/files\/<\/span>DeltaExecutor[.]zip\/download<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/cdn[.]discordapp[.]com\/<\/span><\/p>\n

attachments\/1436383055471185961\/<\/span><\/p>\n

1454995091423887442\/Keyser[.]zip?<\/span><\/p>\n

ex=6953c606&is=69527486&hm=<\/span><\/p>\n

e3ba56d122cc6b6228d787d29c6b5db31<\/span><\/p>\n

709fd16be119fa8d3a09d92cb0291e4&<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/cdn[.]discordapp[.]com\/attachments\/<\/span><\/p>\n

1436746541669945409\/1454995359754358875\/<\/span><\/p>\n

Matcha[.]zip?<\/span>ex=6953c646&is=695274c6&hm=<\/span><\/p>\n

1bae58927d0bcd6a1971b604644035ad938c1d535<\/span><\/p>\n

61f7d4e951fdf5454d52f8d&<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/cdn[.]discordapp[.]com\/<\/span><\/p>\n

attachments\/1437009916224209018\/<\/span><\/p>\n

1454995174328500318\/CheatLoverz[.]zip?<\/span><\/p>\n

ex=69531d5a&is=6951cbda&hm=<\/span><\/p>\n

f1ac26bebf4394c43cbf21ed531f5dfdf7<\/span><\/p>\n

d31f30853b126611c1a39b970b81bc&<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/cdn[.]discordapp[.]com\/attachments\/<\/span><\/p>\n

1438966596222849134\/<\/span>1454995223171170386\/<\/span><\/p>\n

Complex[.]zip?ex=69531d65&is=6951cbe5&hm<\/span>=<\/span><\/p>\n

b66d9539c0d487fc63125982db773e42eee01dfc<\/span><\/p>\n

4bc5a28dc1a7a773134a7bc6&<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/cdn[.]discordapp[.]com\/attachments\/<\/span><\/p>\n

1438966596222849134\/<\/span>1454995223171170386\/<\/span><\/p>\n

Complex[.]zip?ex=6953c625&is=695274a5&hm=<\/span><\/p>\n

0d6ba0e247e275a9824a838969ee06452e188310<\/span><\/p>\n

c434c5d852141bfad3eedff2&<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/cdndownloads[.]com\/<\/span><\/p>\n

download?clickid=277af8wcia4d4b<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/cdndownloads[.]com\/<\/span><\/p>\n

download?clickid=53ba0myoj8p617<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/download[.]fosshub[.]com\/Protected\/<\/span><\/p>\n

expiretime=1735860643;badurl=aHR<\/span>0cHM6L<\/span><\/p>\n

y93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVV<\/span><\/p>\n

uaW5zdGFsbGVyLmh0bWw=\/db8e43d6<\/span>6065d<\/span><\/p>\n

d656635ff00c50d96369d2fc4dddad18f52c5d00<\/span><\/p>\n

05f868649b8\/5b964d315dc7e865ea596350\/67<\/span><\/p>\n

3508bbeeeee<\/span>d04938b399f\/BCUninstaller_5<\/span><\/p>\n

[.]8[.]2_setup[.]exe<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\nhttps:\/\/download[.]fosshub[.]com\/<\/span><\/p>\n

Protected\/<\/span>expiretime=<\/span>1738877220;<\/span><\/p>\n

badurl=aHR0cHM6Ly93d3cuZm9z<\/span><\/p>\n

c2h1Yi5jb20vQnVsay1DcmFwLVVu<\/span><\/p>\n

aW5zdGFsbG<\/span>VyLmh0bWw=\/bd26<\/span><\/p>\n

b0ced684ddb98f194568d7<\/span>f05c<\/span>819<\/span><\/p>\n

71932a5bfb323e<\/span>d73296940dd8ec74d\/<\/span><\/p>\n

5b964d315dc7e865ea596350\/673508bb<\/span><\/p>\n

eeeeed04938b399f\/BCUninstaller_5[.]8[.]<\/span><\/p>\n

2_setup[.]exe<\/span>\u00a0<\/span><\/td>\n

\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n
Malicious ZIPs<\/span><\/b>\u00a0<\/span><\/td>\n001cdd8e978b8233a958cfb81b202<\/span><\/p>\n

72a5d3a9c53ce2eb9dda28f0755f95f3e14<\/span>\u00a0<\/span><\/td>\n

bluetoothCore.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n00226d16b97c2a2201ca806491f5a6df<\/span><\/p>\n

3650a70c19e82b791740aaef7cf93e72<\/span>\u00a0<\/span><\/td>\n

octet-stream\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n00d70985e5e73cba934ffc7b886cea5df<\/span><\/p>\n

2d9f04c72b80f1e653ae709910666da<\/span>\u00a0<\/span><\/td>\n

FreeFireForPC.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n0165aa283b6dd66db66d5865907e75<\/span><\/p>\n

3acc68b894fc8086bffe106ac3d550d0df<\/span>\u00a0<\/span><\/td>\n

AIVoiceChanger.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n020b6449605713404d9ea6bd332df47<\/span><\/p>\n

f815663f239b39c368208158b1411efb2<\/span>\u00a0<\/span><\/td>\n

r6s-multi.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n04d3477a22a0693c3278c5a86f9c882<\/span><\/p>\n

89a7ccc2565cb61f8a78c9b269666baff<\/span>\u00a0<\/span><\/td>\n

EZFN.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n054d2da6e959466490cb0c3cdc2acb9<\/span><\/p>\n

602e47ac56b977a3d365b4d1728eb2dd5<\/span>\u00a0<\/span><\/td>\n

download\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n057121dd0ecbb242f7a26ec277249614<\/span><\/p>\n

7ae2ec2ee03abd6e79a2bfb5a6ac60e9<\/span>\u00a0<\/span><\/td>\n

demonCore.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n063d5400db74f7e064141e3cb9bdc6e<\/span><\/p>\n

71fec88956560de94c280cf59bbc65c78<\/span>\u00a0<\/span><\/td>\n

Nihon-Executor.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n3be99fb0b3bcaa125583bd1763537216<\/span><\/p>\n

34c090233dd018e56cd3fa8ac89c3aee<\/span>\u00a0<\/span><\/td>\n

Panther-Stealer.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n07aa31bd8b220f79acd6b26accfb84ab<\/span><\/p>\n

6b67f1e6b1baa57ad2f48c5db6771ec5<\/span>\u00a0<\/span><\/td>\n

DeltaExecutor.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1097bc1ed1dd2e46f65fe16f18f431a1539<\/span><\/p>\n

cf73f97599aec2b81d1ad07f2e485<\/span>\u00a0<\/span><\/td>\n

gta-5-online-mod-menu.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n112c08db627e759a499ab96e7964425f7<\/span><\/p>\n

21fda8b56029e15ab27c762bf1d91cc<\/span>\u00a0<\/span><\/td>\n

DeltaExecutor.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n113c38d3c1b6d6a87bc99dcfda4020245<\/span><\/p>\n

47ecdbdc1d7577a4c0cb3a88569582a<\/span>\u00a0<\/span><\/td>\n

Fortnite-External.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n116760f2d7d0b138a2d62683bc08d4620<\/span><\/p>\n

87dbd278e491177ae9c978e1fddb1a0<\/span>\u00a0<\/span><\/td>\n

roblox-multi.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n11b129c8373b6621343dbfe837e21c016f6<\/span><\/p>\n

fe1f9bdbb2a40283c15cc046fd0ba<\/span>\u00a0<\/span><\/td>\n

Matcha.rar\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1217e31084df1dbe3fb37cd2b0c65bc70ec2<\/span><\/p>\n

0278ab11471f0adafe845ed482d9<\/span>\u00a0<\/span><\/td>\n

roblox-counter-blox-multi.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n12e5890426baa26062077ec41d407ddfcd<\/span><\/p>\n

8df88480cce6308c0b4064530e767f<\/span>\u00a0<\/span><\/td>\n

AIAutoClicker.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1366f9bf45a11fed9ec6a2f40a571f273661523<\/span><\/p>\n

3567c3d91bb1b09916bf5068c<\/span>\u00a0<\/span><\/td>\n

demonCore.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n140c985db532c9085b2de4adcc885a67199dac2<\/span><\/p>\n

c36a465afd7a2655b4f797b17<\/span>\u00a0<\/span><\/td>\n

TheExecutor.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n14df8e6e7aadab0866e1a7b17adb247014343f5e31<\/span><\/p>\n

43249e78a6846051b1e620<\/span>\u00a0<\/span><\/td>\n

AIVoiceChanger.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n152914827e68584725b0890a46d62e45122789<\/span><\/p>\n

d1341e50f134b586aa7e139d3c<\/span>\u00a0<\/span><\/td>\n

TemuForPC.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n179e55bb20de0def4f9a5272397a11b7<\/span><\/p>\n

cb5b4c55a24539da22720f64738a95eb<\/span>\u00a0<\/span><\/td>\n

AutoClicker.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n17e0302f15475a90e807550ea4abe57f<\/span><\/p>\n

e75a3630fbcc6d9b8feec4c645b7c31b<\/span>\u00a0<\/span><\/td>\n

Roblox-Injector.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n17eff164be5859f8ed5b4c4d9969f9384<\/span><\/p>\n

523f4ac9a8bd1b6e73ee2ea7d1761e2<\/span>\u00a0<\/span><\/td>\n

1vqckj.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n188148aae3bdf973ba88b387db68feae<\/span><\/p>\n

da58daf3a70477766ac34f3b125651a9<\/span>\u00a0<\/span><\/td>\n

Roblox-MMap-Injector.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n19c6d61936af8a650eebe50b7a21260<\/span><\/p>\n

cbc365cb09e27b9104a095eda3dbc85a9<\/span>\u00a0<\/span><\/td>\n

release-delta-executor.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1aa12327f111d30f0a973070e2a941322b0<\/span><\/p>\n

7710b9c90c02b0c5c0eda26c902cc<\/span>\u00a0<\/span><\/td>\n

DeltaExecutor.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1baea27d6148bf630d85c28b24d5aa91<\/span><\/p>\n

14ad32800d10f2977acecd7845275ecf<\/span>\u00a0<\/span><\/td>\n

Osiris.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1cdd70b8b8aac60584f17b9396c5f8086<\/span><\/p>\n

105c92e630fcb81649d395c461c71f9<\/span>\u00a0<\/span><\/td>\n

TLifeForPC.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n1db8d6d66ab97ed3e1415a02b356a05d8<\/span><\/p>\n

ec846d69e5fa533f443b8d5d29949ef<\/span>\u00a0<\/span><\/td>\n

ProExt.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n206265f971c6b6bea2b74ceef0ec1417e79<\/span><\/p>\n

54d2cb83261ffa1b63f82964e5792<\/span>\u00a0<\/span><\/td>\n

Lo4f-Malware.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n347601eae5851ef7a6cf5a6b7f93ae6078<\/span><\/p>\n

969bafd191f6a8812a20fa6bf43996<\/span>\u00a0<\/span><\/td>\n

pubg-cheat.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n35aa1d44c71bdac70faa11b51fc29c13348e<\/span><\/p>\n

99cf981faa7119861df3ab7e50ba<\/span>\u00a0<\/span><\/td>\n

Complex.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n36b339f53a8bf65b030bedf5ad3bfde04eb<\/span><\/p>\n

dad3b150ec75ebb77f4a4b3c0cdd7<\/span>\u00a0<\/span><\/td>\n

HWIDSpoofer.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n37aead580cea7b82a1e76cb642a9269b9a<\/span><\/p>\n

d1dcdb60f36660e59ee5f8e00cc7b8<\/span>\u00a0<\/span><\/td>\n

AIVoiceChanger.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n42b0ba7953a014a56a27c07cb8c97c0109<\/span><\/p>\n

a1b38b78f34f230ea356f9403007ee<\/span>\u00a0<\/span><\/td>\n

sony-playstation-vita-emulator.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n3a02d75900ba42443c40667182711584b<\/span><\/p>\n

83844911fdf212747b1e087269d3632<\/span>\u00a0<\/span><\/td>\n

FortniteDev.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
\u00a0<\/span><\/td>\n3dafa158ccb63f989aaab41541ea9c02d2cf1a<\/span><\/p>\n

2b5f50c5a7b98abc1bcadd73f1<\/span>\u00a0<\/span><\/td>\n

r6-multi.zip\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

Authored by Aayush Tyagi\u00a0\u00a0 Background\u00a0 The term \u2018Vibe coding,\u2019 first coined back in February of 2025 by OpenAI researchers, has…<\/p>\n","protected":false},"author":695,"featured_media":192031,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[10661,13,1838,442],"tags":[],"coauthors":[4136],"class_list":["post-227464","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-security","category-privacy-identity-protection","category-mobile-security","category-mcafee-labs"],"acf":[],"yoast_head":"\nAI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign | McAfee Blog<\/title>\n<meta name=\"description\" content=\"McAfee Labs analyzes a malware campaign using AI-assisted code and fake software downloads. Learn how 440+ malicious ZIP files spread coin miners, infostealers, and other threats.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"McAfee Labs analyzes a malware campaign using AI-assisted code and fake software downloads. Learn how 440+ malicious ZIP files spread coin miners, infostealers, and other threats.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-18T18:21:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"25 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign\",\"datePublished\":\"2026-03-18T18:21:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/\"},\"wordCount\":5082,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png\",\"articleSection\":[\"Internet Security\",\"Privacy & Identity Protection\",\"Mobile Security\",\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/\",\"name\":\"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png\",\"datePublished\":\"2026-03-18T18:21:55+00:00\",\"description\":\"McAfee Labs analyzes a malware campaign using AI-assisted code and fake software downloads. Learn how 440+ malicious ZIP files spread coin miners, infostealers, and other threats.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign | McAfee Blog","description":"McAfee Labs analyzes a malware campaign using AI-assisted code and fake software downloads. Learn how 440+ malicious ZIP files spread coin miners, infostealers, and other threats.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign | McAfee Blog","og_description":"McAfee Labs analyzes a malware campaign using AI-assisted code and fake software downloads. Learn how 440+ malicious ZIP files spread coin miners, infostealers, and other threats.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2026-03-18T18:21:55+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"25 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign","datePublished":"2026-03-18T18:21:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/"},"wordCount":5082,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png","articleSection":["Internet Security","Privacy & Identity Protection","Mobile Security","McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/","name":"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png","datePublished":"2026-03-18T18:21:55+00:00","description":"McAfee Labs analyzes a malware campaign using AI-assisted code and fake software downloads. Learn how 440+ malicious ZIP files spread coin miners, infostealers, and other threats.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/06\/300x200_Blog_051524.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ai-written-malware-vibe-coded-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/227464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=227464"}],"version-history":[{"count":8,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/227464\/revisions"}],"predecessor-version":[{"id":227795,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/227464\/revisions\/227795"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/192031"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=227464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=227464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=227464"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=227464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}