AI, exotic languages and legitimate services: APT36's new strategy to saturate defenses

Published · 5 min read

A recent report from the cybersecurity firm Bitdefender focuses on a new phase in the evolution of state-sponsored attacks: the group known as Transparent Tribe or APT36 has started to use artificial intelligence tools to produce large quantities of malware in unconventional languages and to rely on legitimate services for its communications. It is not so much a technical revolution as a strategy to saturate defenses: mediocre but numerous pieces of malware reach their goal more easily by blending in with legitimate traffic.

The technical analysis published by Bitdefender describes how the actor builds implants in emerging or niche languages - Nim, Zig, Crystal, Rust, Go - and uses everyday platforms such as Slack, Discord, Supabase, Firebase or Google Sheets as the command and control channel. That choice is meant to keep the malicious traffic from standing out to tools that only inspect simple signatures or patterns. You can read the original Bitdefender report here: Bitdefender: APT36 and the vibeware phenomenon.

Image generated with AI.

Language models have shortened the learning curve: they allow actors with limited knowledge to generate code in languages that were previously foreign to them, or to port the logic of a traditional binary to another development ecosystem. The result, according to the researchers, is an "industrialization" of malware in which the scale and diversity of samples seek to erode defensive telemetry. Bitdefender notes that many of these binaries are unstable and contain logic errors, but they are still operational when deployed en masse.

Recent campaigns have shown a particular interest in targets within the Indian government and its diplomatic missions abroad, while intrusions against the Afghan administration and some private companies have also been detected. The initial intrusion usually starts with phishing messages that deliver Windows shortcuts (.LNK) inside compressed archives or ISO images, or with PDF documents that redirect to the download of those same files. When run, they achieve initial access through in-memory PowerShell that downloads and launches the main backdoor; from there, adversary-simulation tools such as Cobalt Strike or Havoc are used to ensure persistence and lateral movement.

Researchers have identified a wide family of tools and components that exemplify the strategy: loaders written in Crystal or Zig that load shellcode in memory; experimental loaders in Nim that carry Cobalt Strike beacons; .NET components that serve as the first stage delivering additional payloads; and a variety of backdoors and infostealers written in Rust or Go that use the APIs of cloud and productivity services for their command and control. The names in the reports include Warcode, NimShellcodeLoader, CreepDropper, SHEETCREEP, MAILCREEP, SupaServ, LuminousStealer, Crystal Shell, ZigShell, Crystal File, LuminousCookies, BackupSpy, ZigLoader and a custom variant of the GateSentinel framework. For those who want to investigate the open source GateSentinel project further, there is public documentation on GitHub: GateSentinel (GitHub).

That these components carry their telemetry over legitimate channels is no coincidence: using trusted services blurs the anomaly signals that would normally trigger alerts and lets attackers "camouflage" themselves within traffic that teams often consider harmless. The combination of exotic languages and legitimate services acting as C2 proxies reduces the visibility of traditional defenses, and that is exactly what groups that now use LLM-based coding assistants are looking for.

From a defensive point of view, the analysts' conclusion is clear: security can no longer rely solely on signature lists. Behavior-based detection, enriched telemetry and controls that limit the execution of unauthorized binaries become the most effective line of containment. Many practical recommendations for hardening the environment match public agency and vendor guides: strengthen mail filtering and phishing-awareness training, apply restrictive policies on running shortcuts and files downloaded from the Internet, maintain modern EDR / antimalware with memory-analysis capability, and use multifactor authentication and strict controls on third-party tokens and APIs.
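As an added illustration (not code from the article or the Bitdefender report), the following Python sketch applies the behavior-based triage described above to a few constructed telemetry events: it flags PowerShell download cradles launched from a shortcut-style parent, and non-browser processes reaching the collaboration and cloud services the report names as C2 channels. The host patterns, process names and sample events are assumptions for the illustration, not indicators from the report.

```python
# Added example: behaviour-based triage of constructed endpoint telemetry.
# Not from the article or the Bitdefender report; hosts and events are assumed.
import re
from dataclasses import dataclass

# Services the article says APT36 tooling uses for C2; patterns are assumptions.
C2_CAPABLE_HOSTS = re.compile(
    r"(^|\.)(api\.slack\.com|discord\.com|supabase\.co|firebaseio\.com|sheets\.googleapis\.com)$"
)
# Processes expected to talk to those services legitimately (assumed allow-list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe", "discord.exe"}
# In-memory download / encoded-command markers typical of a PowerShell cradle.
DOWNLOAD_CRADLE = re.compile(
    r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|iex|invoke-expression|enc|encodedcommand)\b",
    re.I,
)

@dataclass
class Event:
    kind: str          # "process" or "network"
    image: str         # image name of the acting process
    parent: str = ""   # parent image (process events)
    cmdline: str = ""  # command line (process events)
    host: str = ""     # destination host (network events)

def triage(events):
    """Return (rule, detail) hits for the two behaviours the article describes."""
    hits = []
    for e in events:
        img = e.image.lower()
        if e.kind == "process" and img == "powershell.exe":
            # A double-clicked .LNK is typically spawned by explorer.exe (or via cmd.exe).
            if e.parent.lower() in {"explorer.exe", "cmd.exe"} and DOWNLOAD_CRADLE.search(e.cmdline):
                hits.append(("lnk_powershell_cradle", e.cmdline))
        elif e.kind == "network" and C2_CAPABLE_HOSTS.search(e.host.lower()):
            if img not in BROWSERS:
                hits.append(("nonbrowser_saas_c2", f"{e.image} -> {e.host}"))
    return hits

# Constructed sample telemetry (placeholder values, not real indicators).
SAMPLE = [
    Event("process", "powershell.exe", parent="explorer.exe",
          cmdline="powershell -nop -w hidden -enc <BASE64_PLACEHOLDER>"),
    Event("process", "powershell.exe", parent="services.exe", cmdline="powershell Get-Date"),
    Event("network", "chrome.exe", host="api.slack.com"),
    Event("network", "svchost.exe", host="abcd1234.supabase.co"),
    Event("network", "update.exe", host="discord.com"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(rule, detail)
```

In a real deployment the allow-list and host patterns would be tuned per environment, since legitimate automation also calls these APIs.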

For those who manage corporate and government defenses, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers resources and advice on reducing the risk of phishing campaigns and attacks that use in-memory tooling; reviewing its recommendations can be a good starting point: CISA - Stop.Think.Connect: Anti-phishing Guide. In parallel, Microsoft publishes documentation on good practice for the secure use of PowerShell and the mitigation of memory abuse, useful material for hardening the execution vectors that attackers often exploit: Microsoft - PowerShell: security practices.

Beyond technical improvements, a broader discussion is gaining momentum: how to manage the risk that artificial intelligence tools make malware creation easier. It is not just about blocking executables, but about understanding that the barriers to building and scaling malicious campaigns are lower. Companies, administrations and platform providers should work together to detect API abuse, restrict the use of credentials that enable C2 channels and develop heuristic signatures that detect patterns of behavior rather than the mere presence of an artifact.

Image generated with AI.

The case of APT36 shows that the threat evolves by adapting to the attention economy: flood defenders with superficial variants and rely on the noise to avoid detection. The effective response involves modernizing controls, prioritizing phishing prevention and focusing on anomaly-based and context-based detection.

If you manage security in an organization, you should review mail settings, tighten permissions on cloud services, audit integrations with Slack / Discord / Supabase / Firebase and strengthen visibility on endpoints and on the network. For more in-depth technical analysis and specific examples of the components observed, see the Bitdefender report and the complementary analyses published by cybersecurity industry research teams.

The lesson of this episode is twofold: on the one hand, artificial intelligence makes it easier for attackers to experiment and mass-produce; on the other, contemporary defenses have the tools and tactics to mitigate this risk, provided that behavior-based detection and identity and access management are updated and prioritized. In cybersecurity, as in other fields, scale and automation change the playing field, and the best response is to adapt the defenses to that new reality.
