AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign

    Date: 03/23/2026

    Severity: High

    Summary

    A large-scale malware campaign leveraged AI-driven “vibe coding” to generate malicious code components, lowering the barrier for threat actors to create and distribute malware. The campaign used hundreds of malicious ZIP files impersonating popular software—such as AI tools, game mods, and utilities—to deliver multiple variants of the WinUpdateHelper.dll payload. Distributed via legitimate platforms like Discord, SourceForge, and MediaFire, the operation relied on volume-based tactics to maximize infections, highlighting how AI-assisted development is accelerating malware creation and broadening the threat landscape.

    Indicators of Compromise (IOC) List

    URLs/Domains

    http://85.235.75.242/script.ps11

    http://41.216.188.184/downloads/loader.ps1

    http://46.151.182.238:6969/script

    https://mydofiles.com/script.ps1

    http://45.141.119.191/jjj.txt

    https://getthishasg.live/cz8wl3k.php?cnv_id=cee43wfhqb7b81&payout=1

    https://gocrazy.gg/script?id=fA9zQk2L0M`&tag=schtasks

    https://dystoria.cc/mon

    http://85.235.75.242/script.ps1

    https://github.com/dextamoggan4-sudo/shineex/releases/download/python/script.ps1

    http://45.141.119.191/gg.txt

    https://codeberg.org/Yesdev123/load/raw/branch/main/testfile.txt

    http://45.141.119.191/jjjj.tt

    https://kenovn.net/script

    https://1765000000.xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper

    http://46.151.182.238:6969/scrpt

    https://cutt.ly/ke0WRr70

    https://cutt.ly/pe0WRidw

    https://1770000000.xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper

    http://150.241.64.28/panfish

    https://github.com/gaescmo-ai/justin/releases/download/son/xmrig.exe

    https://github.com/gaescmo-ai/justin/releases/download/son/ethminer.exe

    http://41.216.188.184/downloads/windows-service.zip

    http://46.151.182.238:6969/exe/rat.exe

    http://46.151.182.238:6969/exe/miner.exe

    http://46.151.182.238:6969/exe/titledetector.exe

    https://github.com/jimbrock44/filezilla2025/raw/refs/heads/main/sc.msi

    https://github.com/softwarelouv/software/raw/refs/heads/main/scvhosts.exe

    https://github.com/softwarelouv/software/raw/refs/heads/main/cvtres.exe

    http://109.120.177.217:8082/download

    http://45.141.119.191/fontdrvhost.exe

    https://codeberg.org/Yesdev123/load/raw/branch/main/source.exe

    https://1765000000.xyz/download/xbhgjahddaa

    https://1765000000.xyz/download/ebhgjahddaa

    http://46.151.182.238:6969/autoexec

    http://62.113.112.203/adm.exe

    https://evilmods.com/api/nothingtoseehere.exe

    https://evilmods.com/api/nothingbeme.exe

    https://evilmods.com/DependencyCore2

    https://evilmods.com/DependencyCore

    http://www.mydofiles.com/MultiClicker.zip

    http://www.mydofiles.com/ProCheatsInstaller.zip

    http://www.mydofiles.com/RobloxCheatEngine.zip

    http://www.mydofiles.com/ST-Bot.zip

    https://sourceforge.net/projects/delta-executor-for-pc/files/latest/download

    https://ixpeering.dl.sourceforge.net/project/delta-executor-for-pc/DeltaExecutor.zip?viasf=1

    https://sourceforge.net/projects/delta-executor-for-pc/files/DeltaExecutor.zip/download

    https://cdn.discordapp.com/attachments/1436383055471185961/1454995091423887442/Keyser.zip?ex=6953c606&is=69527486&hm=e3ba56d122cc6b6228d787d29c6b5db31709fd16be119fa8d3a09d92cb0291e4&

    https://cdn.discordapp.com/attachments/1436746541669945409/1454995359754358875/Matcha.zip?ex=6953c646&is=695274c6&hm=1bae58927d0bcd6a1971b604644035ad938c1d53561f7d4e951fdf5454d52f8d&

    https://cdn.discordapp.com/attachments/1437009916224209018/1454995174328500318/CheatLoverz.zip?ex=69531d5a&is=6951cbda&hm=f1ac26bebf4394c43cbf21ed531f5dfdf7d31f30853b126611c1a39b970b81bc&

    https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/Complex.zip?ex=69531d65&is=6951cbe5&hm=b66d9539c0d487fc63125982db773e42eee01dfc4bc5a28dc1a7a773134a7bc6&

    https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/Complex.zip?ex=6953c625&is=695274a5&hm=0d6ba0e247e275a9824a838969ee06452e188310c434c5d852141bfad3eedff2&

    https://cdndownloads.com/download?clickid=277af8wcia4d4b

    https://cdndownloads.com/download?clickid=53ba0myoj8p617

    https://download.fosshub.com/Protected/expiretime=1735860643;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVVuaW5zdGFsbGVyLmh0bWw=/db8e43d66065dd656635ff00c50d96369d2fc4dddad18f52c5d0005f868649b8/5b964d315dc7e865ea596350/673508bbeeeeed04938b399f/BCUninstaller_5.8.2_setup.exe

    https://download.fosshub.com/Protected/expiretime=1738877220;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVVuaW5zdGFsbGVyLmh0bWw=/bd26b0ced684ddb98f194568d7f05c81971932a5bfb323ed73296940dd8ec74d/5b964d315dc7e865ea596350/673508bbeeeeed04938b399f/BCUninstaller_5.8.2_setup.exe

    Hashes (MD5 and SHA-256)

    CD1B15644BF0D7CBF270E8F21CEAE5E6

    7d18257b55588bccb52159d261f9cd7f

    A518FB6B9D2689737CE668675EEDE98F

    E3BB21152BA90990E3CCBC1A05842F8B

    A6BC4C6A58AC533D3DB5F96D24DDE0EF

    FA24733F5A6A6F44D0E65D7D98B84AA6

    CDB67B1C54903F223F7DCCA14AEA67DF

    e07a76cc4258c6b4b3f85451ea2174d5

    d32395a3a340e033e11bd89acddaa9cd

    14f1de874c78221e7b6889af7463de69

    47c8731b2526613e1e3bc61a88680cd0

    fbac126407b5735583dac5ea7cf519b3

    4dc93730ebe04a9b508a9f9dae74ae09

    90e10b510144719613b1017abe227b87

    8dadf8a4b77a340fcbb402789f9a07db

    4c8e8e2fdc23bb7b24e6b410eb69fb4a

    79ea41812bd3310e11fc95403504f048

    1b1bd2783d4e8d1c2d444ffa8689677b

    16b70d148b66c20c709b7eed70100a96

    e2af5595c9a0b7feaa9291b405d4c991

    b133229ed0be8788c84a975656a7339c

    754b581c7e3593446f0a06852031564a

    a7400236ffab02ae5af5c9a0f61e7300

    d7d34c0559b3f6ba70be089e4cc6172c

    02a4d24d0cdaa6f9a3ecf4b71e3f2eec

    2a153877acc9270406d676403e999490

    77f491c1c50e224d0c61ed608445d8a9

    c60a3307d21840d1e15ee78b07d3eb04

    d17b85de54d0c438c092c1e889b8c63f

    e35c04a7c31f8641757374404edea395

    fa8b5b5a302c0e353f4983973cf4b37e

    d2ad87a1fd1e8812c5ba4b259de4f885

    94de957259c8e23f635989dd793cdfd058883834672b2c8ac0a3e80784fce819

    db8afdafbe39637fec3572829dd0a1a2f00c9b50f947f1eb544ede75e499dca7

    f15098661d99a436c460f8a6f839a6903aebd2d8f1445c3bccfc9bf64868f3b0

    3abf66e0a886ec0454d0382369dd6d23c036c0dd5d413093c16c43c72b8ccb0b

    767b63d11cee8cfb401a9b72d7bcca23b949149f2a9d7456e6e16553afcef169

    12850f78fc497e845e9bf9f10314c4ecc6a659dcd90e79ef5bd357004021ba78

    0a8a58d18adc86977b7386416c6be8db850a3384949b6750a6c6b2136138684a

    1a60852904ff9c710cd754fa187ce58cb18c69e35ea4962a8639953abe380f64

    4ab63b5ccd60dfd66c7510d1b3bc1f45f0c31c2d4c16b63b523d05ccac3fcb9d

    1390e61a45dd81fa245a3078a3b305e3c7cdeb5fa1e63d9daca22096b699f9e8

    a0c3de95e5bf84cb616fe1ee1791e96ff5753778b36201610e6730d025a6cb12

    ea65298d8d8ce4b868511a1026f8657abcc6b2e333854f4fc1bd498463b24084

    6ea34fd213674f31a83c0eee2fb521303d2a7c23e324bbdfa1a8edd7b6b6b6f1

    7bec5e37777e6a2ca50e765b07e8cb65e88f4822ab19d98c32f1c69444228e5c

    64c96f0251363aaf35c3709c134aab52b981508b0ce9445e42774d151e43686b

    393f6c6b307aecfe46acc603da812cc17f0ebf24b66632660a2e533dfa4f463f

    94077065d049e821803986316408b82edad43fcd5a154f6807b4382eece705c3

    a206ff592aea155d2bb42231afc3f060494ffa8f3de8f25aaf8881639c500b44

    cb2eebf27def80261eef6b80d898e06f443294371463accd45ca24ce132fad98

    3fea0a031ffd78c8d08f6499c2bbc6a9edac5dc88b9ba224921f8f142e5a9adb

    4fe5d461aaa752b94d016ca4e742e02d30d3d4848a32787ce3564b5393017d77

    04399f9f3ef87d8dd15556628532a84d63d628eaae0ed81166d6efbee428cdba

    dd37cd62fa18af798018a706f20a91a537f0993f0254a0c84d64097c6480afb2

    1d85ffe28d065780c9327078941cb762915c69c69012303e45eee44c092f8046

    86e14dd0ab29ee0eab21874811b7e450d609feb606f77206627b62cccbd58afa

    17704d58fb9c4e68c54a56fa97cd32599792d00da53691b8bdb58e49296b7feb

    491019e31af8f1489aea8d4c0f9816813698def0301a2abb88e5248b37753d2b

    c0ab89c3d9c7b9a04df5169eb175d5173c6de08a4ef3674cd6d7f9a925d63151

    df0ca0f15926964040bb43978f97faccc00bae5f6a00d8bd7d105d8c7d32efb1

    e40f2628b2981226b1afe16c1cf3796b9482b2ac070adac999707fc09909327c

    f6093084196acded1179d3a1466908beb966dceaba03e1dfeb02a2628fdb0423

    fcc512630ee95d3f4c31e3aabc75ad2e29dfacb4d4bcce7a12abe9a516979dbd

    fe02d8d7a6b8f66624b238665d63094a2bcd19c44a3f9c449788cadbb1b741a6

    1967f6f42710b43506a0784a28ca8785af91b84dfa8629ec5be92be8eec564c6

    5280b0ecb6c7246db84a9b194f5c85cc303c028475900b558306fdd4e51f4fc3

    ce06d83adb53c8b9d240202193ca4c04d0163994dad707aed0f0e67fdd2a42fe

    13976bdc28d3b3ae88ed92fcf49ff9e083b0ce5fd53e60680df00cd92bdfb33b

    4135754b26dfac10cd19dcf6e03677b537244cf69fdce9c4138589e59449b443

    7d69eca36c0f69b3007cdbf908f15545e95611acf4bad8b9e30e54687a6d33bb

    085dc279b422d761729374b01eae1e22375ef9538a6c4bc7cc35e8a812450f93

    99ff2045d1377db7342420160eb254b7b09cc4ce41a97b6bf0ec4d3f65d9ede6

    396f397099a459f3adeba057788aa3d34882eea7d1665c828449f205a86dc80f

    908d35e6afd90da2e7c71cf82c8a61b553410ca920e67dba1bae35c2b6b19bad

    7029d68969814f1473e4e4a22abd4be85678a03bbe4c0f6194f3b7e421872ab3

    d3ba17aa83748c539c75cee7eedb03a483f2e86af10b69da3f0c8e549f014ac3

    d758820962ead89d5eaf7e45930a5eb6ab11d5508988087faf84d8d7524408f1

    e863f45099f3dc057a5aee5990fabfb4e8ea8849cd5bc895092ff0a305a3f85d

    0db26e9a1213d09521fc0dbfe15f807c9960f62bc1cf4071001f58f210c53e9c

    001cdd8e978b8233a958cfb81b20272a5d3a9c53ce2eb9dda28f0755f95f3e14

    00226d16b97c2a2201ca806491f5a6df3650a70c19e82b791740aaef7cf93e72

    00d70985e5e73cba934ffc7b886cea5df2d9f04c72b80f1e653ae709910666da

    0165aa283b6dd66db66d5865907e753acc68b894fc8086bffe106ac3d550d0df

    020b6449605713404d9ea6bd332df47f815663f239b39c368208158b1411efb2

    04d3477a22a0693c3278c5a86f9c88289a7ccc2565cb61f8a78c9b269666baff

    054d2da6e959466490cb0c3cdc2acb9602e47ac56b977a3d365b4d1728eb2dd5

    057121dd0ecbb242f7a26ec2772496147ae2ec2ee03abd6e79a2bfb5a6ac60e9

    063d5400db74f7e064141e3cb9bdc6e71fec88956560de94c280cf59bbc65c78

    3be99fb0b3bcaa125583bd176353721634c090233dd018e56cd3fa8ac89c3aee

    07aa31bd8b220f79acd6b26accfb84ab6b67f1e6b1baa57ad2f48c5db6771ec5

    1097bc1ed1dd2e46f65fe16f18f431a1539cf73f97599aec2b81d1ad07f2e485

    112c08db627e759a499ab96e7964425f721fda8b56029e15ab27c762bf1d91cc

    113c38d3c1b6d6a87bc99dcfda402024547ecdbdc1d7577a4c0cb3a88569582a

    116760f2d7d0b138a2d62683bc08d462087dbd278e491177ae9c978e1fddb1a0

    11b129c8373b6621343dbfe837e21c016f6fe1f9bdbb2a40283c15cc046fd0ba

    1217e31084df1dbe3fb37cd2b0c65bc70ec20278ab11471f0adafe845ed482d9

    12e5890426baa26062077ec41d407ddfcd8df88480cce6308c0b4064530e767f

    1366f9bf45a11fed9ec6a2f40a571f2736615233567c3d91bb1b09916bf5068c

    140c985db532c9085b2de4adcc885a67199dac2c36a465afd7a2655b4f797b17

    14df8e6e7aadab0866e1a7b17adb247014343f5e3143249e78a6846051b1e620

    152914827e68584725b0890a46d62e45122789d1341e50f134b586aa7e139d3c

    179e55bb20de0def4f9a5272397a11b7cb5b4c55a24539da22720f64738a95eb

    17e0302f15475a90e807550ea4abe57fe75a3630fbcc6d9b8feec4c645b7c31b

    17eff164be5859f8ed5b4c4d9969f9384523f4ac9a8bd1b6e73ee2ea7d1761e2

    188148aae3bdf973ba88b387db68feaeda58daf3a70477766ac34f3b125651a9

    19c6d61936af8a650eebe50b7a21260cbc365cb09e27b9104a095eda3dbc85a9

    1aa12327f111d30f0a973070e2a941322b07710b9c90c02b0c5c0eda26c902cc

    1baea27d6148bf630d85c28b24d5aa9114ad32800d10f2977acecd7845275ecf

    1cdd70b8b8aac60584f17b9396c5f8086105c92e630fcb81649d395c461c71f9

    1db8d6d66ab97ed3e1415a02b356a05d8ec846d69e5fa533f443b8d5d29949ef

    206265f971c6b6bea2b74ceef0ec1417e7954d2cb83261ffa1b63f82964e5792

    347601eae5851ef7a6cf5a6b7f93ae6078969bafd191f6a8812a20fa6bf43996

    35aa1d44c71bdac70faa11b51fc29c13348e99cf981faa7119861df3ab7e50ba

    36b339f53a8bf65b030bedf5ad3bfde04ebdad3b150ec75ebb77f4a4b3c0cdd7

    37aead580cea7b82a1e76cb642a9269b9ad1dcdb60f36660e59ee5f8e00cc7b8

    42b0ba7953a014a56a27c07cb8c97c0109a1b38b78f34f230ea356f9403007ee

    3a02d75900ba42443c40667182711584b83844911fdf212747b1e087269d3632

    3dafa158ccb63f989aaab41541ea9c02d2cf1a2b5f50c5a7b98abc1bcadd73f1

    Wallet Addresses

    46NgyMUVMf6Xzsao9XRC6BTjJpjUJFfA12F8BPmD86Y7biz4gZdjCWsSXMUZomtuUs8crujryAvhRFMyvhzbs6naMKucHFi

    ZEPHsCY4zbcHGgz2U8PvkEjkWjopuPurPNv8nnSFnM5MN8hBas8kBN4hooNKmc7uMRfUQh4Fc9AHyGxL6NFARnc217m2vYgbKxf

    bc1qyy0cv8snz7zqummg0yucdfzpxv2a5syu7xzsdq

    bc1q7cpwxjatrtpa29u85tayvggs67f6fxwyggm8kd

    bc1qxhp6mn0h7k9r89w8amalqjn38t4j5yaa7t89rp

    bc1qxnkkpnuhydckmpx8fmkp73e38dfed93uhfh68l

    bc1qrtztxnqnjk9q4d5hupnla245c7620ncj3tzp7h

    bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r

    bc1q97yd574m9znar99fa0u799rvm55tnjzkw9l33w

    RJe6FfyoWDq6M4i3b17LxvjdT2fSNTLTYA

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://www.mydofiles.com/MultiClicker.zip" or siteurl like "http://www.mydofiles.com/MultiClicker.zip" or url like "http://www.mydofiles.com/MultiClicker.zip" or domainname like "https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/Complex.zip?ex=69531d65&is=6951cbe5&hm=b66d9539c0d487fc63125982db773e42eee01dfc4bc5a28dc1a7a773134a7bc6&" or siteurl like "https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/Complex.zip?ex=69531d65&is=6951cbe5&hm=b66d9539c0d487fc63125982db773e42eee01dfc4bc5a28dc1a7a773134a7bc6&" or url like "https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/Complex.zip?ex=69531d65&is=6951cbe5&hm=b66d9539c0d487fc63125982db773e42eee01dfc4bc5a28dc1a7a773134a7bc6&" or domainname like "http://46.151.182.238:6969/exe/titledetector.exe" or siteurl like "http://46.151.182.238:6969/exe/titledetector.exe" or url like "http://46.151.182.238:6969/exe/titledetector.exe" or domainname like "http://85.235.75.242/script.ps11" or siteurl like "http://85.235.75.242/script.ps11" or url like "http://85.235.75.242/script.ps11" or domainname like "https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/Complex.zip?ex=6953c625&is=695274a5&hm=0d6ba0e247e275a9824a838969ee06452e188310c434c5d852141bfad3eedff2&" or siteurl like "https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/Complex.zip?ex=6953c625&is=695274a5&hm=0d6ba0e247e275a9824a838969ee06452e188310c434c5d852141bfad3eedff2&" or url like "https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/Complex.zip?ex=6953c625&is=695274a5&hm=0d6ba0e247e275a9824a838969ee06452e188310c434c5d852141bfad3eedff2&" or domainname like "http://www.mydofiles.com/ProCheatsInstaller.zip" or siteurl like "http://www.mydofiles.com/ProCheatsInstaller.zip" or url like "http://www.mydofiles.com/ProCheatsInstaller.zip" or domainname like 
"https://1765000000.xyz/download/xbhgjahddaa" or siteurl like "https://1765000000.xyz/download/xbhgjahddaa" or url like "https://1765000000.xyz/download/xbhgjahddaa" or domainname like "http://45.141.119.191/fontdrvhost.exe" or siteurl like "http://45.141.119.191/fontdrvhost.exe" or url like "http://45.141.119.191/fontdrvhost.exe" or domainname like "http://46.151.182.238:6969/autoexec" or siteurl like "http://46.151.182.238:6969/autoexec" or url like "http://46.151.182.238:6969/autoexec" or domainname like "http://46.151.182.238:6969/script" or siteurl like "http://46.151.182.238:6969/script" or url like "http://46.151.182.238:6969/script" or domainname like "http://62.113.112.203/adm.exe" or siteurl like "http://62.113.112.203/adm.exe" or url like "http://62.113.112.203/adm.exe" or domainname like "https://kenovn.net/script" or siteurl like "https://kenovn.net/script" or url like "https://kenovn.net/script" or domainname like "http://46.151.182.238:6969/exe/miner.exe" or siteurl like "http://46.151.182.238:6969/exe/miner.exe" or url like "http://46.151.182.238:6969/exe/miner.exe" or domainname like "https://dystoria.cc/mon" or siteurl like "https://dystoria.cc/mon" or url like "https://dystoria.cc/mon" or domainname like "https://cdndownloads.com/download?clickid=53ba0myoj8p617" or siteurl like "https://cdndownloads.com/download?clickid=53ba0myoj8p617" or url like "https://cdndownloads.com/download?clickid=53ba0myoj8p617" or domainname like "https://cutt.ly/pe0WRidw" or siteurl like "https://cutt.ly/pe0WRidw" or url like "https://cutt.ly/pe0WRidw" or domainname like "https://evilmods.com/api/nothingbeme.exe" or siteurl like "https://evilmods.com/api/nothingbeme.exe" or url like "https://evilmods.com/api/nothingbeme.exe" or domainname like "http://41.216.188.184/downloads/windows-service.zip" or siteurl like "http://41.216.188.184/downloads/windows-service.zip" or url like "http://41.216.188.184/downloads/windows-service.zip" or domainname like 
"https://getthishasg.live/cz8wl3k.php?cnv_id=cee43wfhqb7b81&payout=1" or siteurl like "https://getthishasg.live/cz8wl3k.php?cnv_id=cee43wfhqb7b81&payout=1" or url like "https://getthishasg.live/cz8wl3k.php?cnv_id=cee43wfhqb7b81&payout=1" or domainname like "https://download.fosshub.com/Protected/expiretime=1735860643;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVVuaW5zdGFsbGVyLmh0bWw=/db8e43d66065dd656635ff00c50d96369d2fc4dddad18f52c5d0005f868649b8/5b964d315dc7e865ea596350/673508bbeeeeed04938b399f/BCUninstaller_5.8.2_setup.exe" or siteurl like "https://download.fosshub.com/Protected/expiretime=1735860643;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVVuaW5zdGFsbGVyLmh0bWw=/db8e43d66065dd656635ff00c50d96369d2fc4dddad18f52c5d0005f868649b8/5b964d315dc7e865ea596350/673508bbeeeeed04938b399f/BCUninstaller_5.8.2_setup.exe" or url like "https://download.fosshub.com/Protected/expiretime=1735860643;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVVuaW5zdGFsbGVyLmh0bWw=/db8e43d66065dd656635ff00c50d96369d2fc4dddad18f52c5d0005f868649b8/5b964d315dc7e865ea596350/673508bbeeeeed04938b399f/BCUninstaller_5.8.2_setup.exe"

    Detection Query 2:

    domainname like "https://1765000000.xyz/download/ebhgjahddaa" or siteurl like "https://1765000000.xyz/download/ebhgjahddaa" or url like "https://1765000000.xyz/download/ebhgjahddaa" or domainname like "http://www.mydofiles.com/RobloxCheatEngine.zip" or siteurl like "http://www.mydofiles.com/RobloxCheatEngine.zip" or url like "http://www.mydofiles.com/RobloxCheatEngine.zip" or domainname like "http://150.241.64.28/panfish" or siteurl like "http://150.241.64.28/panfish" or url like "http://150.241.64.28/panfish" or domainname like "http://46.151.182.238:6969/exe/rat.exe" or siteurl like "http://46.151.182.238:6969/exe/rat.exe" or url like "http://46.151.182.238:6969/exe/rat.exe" or domainname like "https://cdn.discordapp.com/attachments/1436746541669945409/1454995359754358875/Matcha.zip?ex=6953c646&is=695274c6&hm=1bae58927d0bcd6a1971b604644035ad938c1d53561f7d4e951fdf5454d52f8d&" or siteurl like "https://cdn.discordapp.com/attachments/1436746541669945409/1454995359754358875/Matcha.zip?ex=6953c646&is=695274c6&hm=1bae58927d0bcd6a1971b604644035ad938c1d53561f7d4e951fdf5454d52f8d&" or url like "https://cdn.discordapp.com/attachments/1436746541669945409/1454995359754358875/Matcha.zip?ex=6953c646&is=695274c6&hm=1bae58927d0bcd6a1971b604644035ad938c1d53561f7d4e951fdf5454d52f8d&" or domainname like "https://cdndownloads.com/download?clickid=277af8wcia4d4b" or siteurl like "https://cdndownloads.com/download?clickid=277af8wcia4d4b" or url like "https://cdndownloads.com/download?clickid=277af8wcia4d4b" or domainname like "https://cutt.ly/ke0WRr70" or siteurl like "https://cutt.ly/ke0WRr70" or url like "https://cutt.ly/ke0WRr70" or domainname like "http://www.mydofiles.com/ST-Bot.zip" or siteurl like "http://www.mydofiles.com/ST-Bot.zip" or url like "http://www.mydofiles.com/ST-Bot.zip" or domainname like "http://45.141.119.191/jjjj.tt" or siteurl like "http://45.141.119.191/jjjj.tt" or url like "http://45.141.119.191/jjjj.tt" or domainname like 
"https://github.com/jimbrock44/filezilla2025/raw/refs/heads/main/sc.msi" or siteurl like "https://github.com/jimbrock44/filezilla2025/raw/refs/heads/main/sc.msi" or url like "https://github.com/jimbrock44/filezilla2025/raw/refs/heads/main/sc.msi" or domainname like "http://41.216.188.184/downloads/loader.ps1" or siteurl like "http://41.216.188.184/downloads/loader.ps1" or url like "http://41.216.188.184/downloads/loader.ps1" or domainname like "https://github.com/softwarelouv/software/raw/refs/heads/main/scvhosts.exe" or siteurl like "https://github.com/softwarelouv/software/raw/refs/heads/main/scvhosts.exe" or url like "https://github.com/softwarelouv/software/raw/refs/heads/main/scvhosts.exe" or domainname like "https://github.com/softwarelouv/software/raw/refs/heads/main/cvtres.exe" or siteurl like "https://github.com/softwarelouv/software/raw/refs/heads/main/cvtres.exe" or url like "https://github.com/softwarelouv/software/raw/refs/heads/main/cvtres.exe" or domainname like "https://evilmods.com/api/nothingtoseehere.exe" or siteurl like "https://evilmods.com/api/nothingtoseehere.exe" or url like "https://evilmods.com/api/nothingtoseehere.exe" or domainname like "http://45.141.119.191/gg.txt" or siteurl like "http://45.141.119.191/gg.txt" or url like "http://45.141.119.191/gg.txt" or domainname like "https://mydofiles.com/script.ps1" or siteurl like "https://mydofiles.com/script.ps1" or url like "https://mydofiles.com/script.ps1" or domainname like "http://45.141.119.191/jjj.txt" or siteurl like "http://45.141.119.191/jjj.txt" or url like "http://45.141.119.191/jjj.txt" or domainname like "http://46.151.182.238:6969/scrpt" or siteurl like "http://46.151.182.238:6969/scrpt" or url like "http://46.151.182.238:6969/scrpt" or domainname like "https://evilmods.com/DependencyCore2" or siteurl like "https://evilmods.com/DependencyCore2" or url like "https://evilmods.com/DependencyCore2" or domainname like 
"https://github.com/gaescmo-ai/justin/releases/download/son/xmrig.exe" or siteurl like "https://github.com/gaescmo-ai/justin/releases/download/son/xmrig.exe" or url like "https://github.com/gaescmo-ai/justin/releases/download/son/xmrig.exe" or domainname like "https://download.fosshub.com/Protected/expiretime=1738877220;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVVuaW5zdGFsbGVyLmh0bWw=/bd26b0ced684ddb98f194568d7f05c81971932a5bfb323ed73296940dd8ec74d/5b964d315dc7e865ea596350/673508bbeeeeed04938b399f/BCUninstaller_5.8.2_setup.exe" or siteurl like "https://download.fosshub.com/Protected/expiretime=1738877220;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVVuaW5zdGFsbGVyLmh0bWw=/bd26b0ced684ddb98f194568d7f05c81971932a5bfb323ed73296940dd8ec74d/5b964d315dc7e865ea596350/673508bbeeeeed04938b399f/BCUninstaller_5.8.2_setup.exe" or url like "https://download.fosshub.com/Protected/expiretime=1738877220;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVVuaW5zdGFsbGVyLmh0bWw=/bd26b0ced684ddb98f194568d7f05c81971932a5bfb323ed73296940dd8ec74d/5b964d315dc7e865ea596350/673508bbeeeeed04938b399f/BCUninstaller_5.8.2_setup.exe"

    Detection Query 3:

    domainname like "https://codeberg.org/Yesdev123/load/raw/branch/main/source.exe" or siteurl like "https://codeberg.org/Yesdev123/load/raw/branch/main/source.exe" or url like "https://codeberg.org/Yesdev123/load/raw/branch/main/source.exe" or domainname like "http://85.235.75.242/script.ps1" or siteurl like "http://85.235.75.242/script.ps1" or url like "http://85.235.75.242/script.ps1" or domainname like "https://evilmods.com/DependencyCore" or siteurl like "https://evilmods.com/DependencyCore" or url like "https://evilmods.com/DependencyCore" or domainname like "https://gocrazy.gg/script?id=fA9zQk2L0M`&tag=schtasks" or siteurl like "https://gocrazy.gg/script?id=fA9zQk2L0M`&tag=schtasks" or url like "https://gocrazy.gg/script?id=fA9zQk2L0M`&tag=schtasks" or domainname like "https://github.com/dextamoggan4-sudo/shineex/releases/download/python/script.ps1" or siteurl like "https://github.com/dextamoggan4-sudo/shineex/releases/download/python/script.ps1" or url like "https://github.com/dextamoggan4-sudo/shineex/releases/download/python/script.ps1" or domainname like "https://codeberg.org/Yesdev123/load/raw/branch/main/testfile.txt" or siteurl like "https://codeberg.org/Yesdev123/load/raw/branch/main/testfile.txt" or url like "https://codeberg.org/Yesdev123/load/raw/branch/main/testfile.txt" or domainname like "https://1765000000.xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper" or siteurl like "https://1765000000.xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper" or url like "https://1765000000.xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper" or domainname like "https://1770000000.xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper" or siteurl like "https://1770000000.xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper" or url like "https://1770000000.xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper" or domainname like "https://github.com/gaescmo-ai/justin/releases/download/son/ethminer.exe" or siteurl like "https://github.com/gaescmo-ai/justin/releases/download/son/ethminer.exe" or url like 
"https://github.com/gaescmo-ai/justin/releases/download/son/ethminer.exe" or domainname like "http://109.120.177.217:8082/download" or siteurl like "http://109.120.177.217:8082/download" or url like "http://109.120.177.217:8082/download" or domainname like "https://sourceforge.net/projects/delta-executor-for-pc/files/latest/download" or siteurl like "https://sourceforge.net/projects/delta-executor-for-pc/files/latest/download" or url like "https://sourceforge.net/projects/delta-executor-for-pc/files/latest/download" or domainname like "https://ixpeering.dl.sourceforge.net/project/delta-executor-for-pc/DeltaExecutor.zip?viasf=1" or siteurl like "https://ixpeering.dl.sourceforge.net/project/delta-executor-for-pc/DeltaExecutor.zip?viasf=1" or url like "https://ixpeering.dl.sourceforge.net/project/delta-executor-for-pc/DeltaExecutor.zip?viasf=1" or domainname like "https://sourceforge.net/projects/delta-executor-for-pc/files/DeltaExecutor.zip/download" or siteurl like "https://sourceforge.net/projects/delta-executor-for-pc/files/DeltaExecutor.zip/download" or url like "https://sourceforge.net/projects/delta-executor-for-pc/files/DeltaExecutor.zip/download" or domainname like "https://cdn.discordapp.com/attachments/1436383055471185961/1454995091423887442/Keyser.zip?ex=6953c606&is=69527486&hm=e3ba56d122cc6b6228d787d29c6b5db31709fd16be119fa8d3a09d92cb0291e4&" or siteurl like "https://cdn.discordapp.com/attachments/1436383055471185961/1454995091423887442/Keyser.zip?ex=6953c606&is=69527486&hm=e3ba56d122cc6b6228d787d29c6b5db31709fd16be119fa8d3a09d92cb0291e4&" or url like "https://cdn.discordapp.com/attachments/1436383055471185961/1454995091423887442/Keyser.zip?ex=6953c606&is=69527486&hm=e3ba56d122cc6b6228d787d29c6b5db31709fd16be119fa8d3a09d92cb0291e4&" or domainname like "https://cdn.discordapp.com/attachments/1437009916224209018/1454995174328500318/CheatLoverz.zip?ex=69531d5a&is=6951cbda&hm=f1ac26bebf4394c43cbf21ed531f5dfdf7d31f30853b126611c1a39b970b81bc&" or siteurl like 
"https://cdn.discordapp.com/attachments/1437009916224209018/1454995174328500318/CheatLoverz.zip?ex=69531d5a&is=6951cbda&hm=f1ac26bebf4394c43cbf21ed531f5dfdf7d31f30853b126611c1a39b970b81bc&" or url like "https://cdn.discordapp.com/attachments/1437009916224209018/1454995174328500318/CheatLoverz.zip?ex=69531d5a&is=6951cbda&hm=f1ac26bebf4394c43cbf21ed531f5dfdf7d31f30853b126611c1a39b970b81bc&"

    Detection Query 4:

    md5hash IN ("16b70d148b66c20c709b7eed70100a96","14f1de874c78221e7b6889af7463de69","8dadf8a4b77a340fcbb402789f9a07db","e07a76cc4258c6b4b3f85451ea2174d5","4c8e8e2fdc23bb7b24e6b410eb69fb4a","90e10b510144719613b1017abe227b87","A518FB6B9D2689737CE668675EEDE98F","e2af5595c9a0b7feaa9291b405d4c991","d2ad87a1fd1e8812c5ba4b259de4f885","754b581c7e3593446f0a06852031564a","A6BC4C6A58AC533D3DB5F96D24DDE0EF","1b1bd2783d4e8d1c2d444ffa8689677b","7d18257b55588bccb52159d261f9cd7f","d7d34c0559b3f6ba70be089e4cc6172c","47c8731b2526613e1e3bc61a88680cd0","a7400236ffab02ae5af5c9a0f61e7300","4dc93730ebe04a9b508a9f9dae74ae09","d32395a3a340e033e11bd89acddaa9cd","CDB67B1C54903F223F7DCCA14AEA67DF","79ea41812bd3310e11fc95403504f048","b133229ed0be8788c84a975656a7339c","FA24733F5A6A6F44D0E65D7D98B84AA6","CD1B15644BF0D7CBF270E8F21CEAE5E6","E3BB21152BA90990E3CCBC1A05842F8B","fbac126407b5735583dac5ea7cf519b3","02a4d24d0cdaa6f9a3ecf4b71e3f2eec","2a153877acc9270406d676403e999490","77f491c1c50e224d0c61ed608445d8a9","c60a3307d21840d1e15ee78b07d3eb04","d17b85de54d0c438c092c1e889b8c63f","e35c04a7c31f8641757374404edea395","fa8b5b5a302c0e353f4983973cf4b37e")

    Detection Query 5:

    sha256hash IN ("cb2eebf27def80261eef6b80d898e06f443294371463accd45ca24ce132fad98","99ff2045d1377db7342420160eb254b7b09cc4ce41a97b6bf0ec4d3f65d9ede6","17e0302f15475a90e807550ea4abe57fe75a3630fbcc6d9b8feec4c645b7c31b","42b0ba7953a014a56a27c07cb8c97c0109a1b38b78f34f230ea356f9403007ee","f15098661d99a436c460f8a6f839a6903aebd2d8f1445c3bccfc9bf64868f3b0","3be99fb0b3bcaa125583bd176353721634c090233dd018e56cd3fa8ac89c3aee","1390e61a45dd81fa245a3078a3b305e3c7cdeb5fa1e63d9daca22096b699f9e8","3a02d75900ba42443c40667182711584b83844911fdf212747b1e087269d3632","e40f2628b2981226b1afe16c1cf3796b9482b2ac070adac999707fc09909327c","11b129c8373b6621343dbfe837e21c016f6fe1f9bdbb2a40283c15cc046fd0ba","0db26e9a1213d09521fc0dbfe15f807c9960f62bc1cf4071001f58f210c53e9c","054d2da6e959466490cb0c3cdc2acb9602e47ac56b977a3d365b4d1728eb2dd5","36b339f53a8bf65b030bedf5ad3bfde04ebdad3b150ec75ebb77f4a4b3c0cdd7","113c38d3c1b6d6a87bc99dcfda402024547ecdbdc1d7577a4c0cb3a88569582a","188148aae3bdf973ba88b387db68feaeda58daf3a70477766ac34f3b125651a9","64c96f0251363aaf35c3709c134aab52b981508b0ce9445e42774d151e43686b","7bec5e37777e6a2ca50e765b07e8cb65e88f4822ab19d98c32f1c69444228e5c","12850f78fc497e845e9bf9f10314c4ecc6a659dcd90e79ef5bd357004021ba78","1db8d6d66ab97ed3e1415a02b356a05d8ec846d69e5fa533f443b8d5d29949ef","1967f6f42710b43506a0784a28ca8785af91b84dfa8629ec5be92be8eec564c6","206265f971c6b6bea2b74ceef0ec1417e7954d2cb83261ffa1b63f82964e5792","057121dd0ecbb242f7a26ec2772496147ae2ec2ee03abd6e79a2bfb5a6ac60e9","1366f9bf45a11fed9ec6a2f40a571f2736615233567c3d91bb1b09916bf5068c","140c985db532c9085b2de4adcc885a67199dac2c36a465afd7a2655b4f797b17","7d69eca36c0f69b3007cdbf908f15545e95611acf4bad8b9e30e54687a6d33bb","e863f45099f3dc057a5aee5990fabfb4e8ea8849cd5bc895092ff0a305a3f85d","13976bdc28d3b3ae88ed92fcf49ff9e083b0ce5fd53e60680df00cd92bdfb33b","179e55bb20de0def4f9a5272397a11b7cb5b4c55a24539da22720f64738a95eb","d758820962ead89d5eaf7e45930a5eb6ab11d5508988087faf84d8d7524408f1","6ea34fd213674f31a83c0eee2fb521303d2a7c23e324bbdfa1a8edd7b6b6b6f1","491019e31af8f1489aea8d4c0f9816813698def0301a2abb88e5248b37753d2b","085dc279b422d761729374b01eae1e22375ef9538a6c4bc7cc35e8a812450f93","0a8a58d18adc86977b7386416c6be8db850a3384949b6750a6c6b2136138684a","a206ff592aea155d2bb42231afc3f060494ffa8f3de8f25aaf8881639c500b44","063d5400db74f7e064141e3cb9bdc6e71fec88956560de94c280cf59bbc65c78","12e5890426baa26062077ec41d407ddfcd8df88480cce6308c0b4064530e767f","04399f9f3ef87d8dd15556628532a84d63d628eaae0ed81166d6efbee428cdba","17704d58fb9c4e68c54a56fa97cd32599792d00da53691b8bdb58e49296b7feb","3fea0a031ffd78c8d08f6499c2bbc6a9edac5dc88b9ba224921f8f142e5a9adb")

    Detection Query 6:

    sha256hash IN ("1097bc1ed1dd2e46f65fe16f18f431a1539cf73f97599aec2b81d1ad07f2e485","4135754b26dfac10cd19dcf6e03677b537244cf69fdce9c4138589e59449b443","d3ba17aa83748c539c75cee7eedb03a483f2e86af10b69da3f0c8e549f014ac3","94077065d049e821803986316408b82edad43fcd5a154f6807b4382eece705c3","07aa31bd8b220f79acd6b26accfb84ab6b67f1e6b1baa57ad2f48c5db6771ec5","5280b0ecb6c7246db84a9b194f5c85cc303c028475900b558306fdd4e51f4fc3","1d85ffe28d065780c9327078941cb762915c69c69012303e45eee44c092f8046","19c6d61936af8a650eebe50b7a21260cbc365cb09e27b9104a095eda3dbc85a9","ce06d83adb53c8b9d240202193ca4c04d0163994dad707aed0f0e67fdd2a42fe","347601eae5851ef7a6cf5a6b7f93ae6078969bafd191f6a8812a20fa6bf43996","dd37cd62fa18af798018a706f20a91a537f0993f0254a0c84d64097c6480afb2","14df8e6e7aadab0866e1a7b17adb247014343f5e3143249e78a6846051b1e620","4fe5d461aaa752b94d016ca4e742e02d30d3d4848a32787ce3564b5393017d77","1cdd70b8b8aac60584f17b9396c5f8086105c92e630fcb81649d395c461c71f9","c0ab89c3d9c7b9a04df5169eb175d5173c6de08a4ef3674cd6d7f9a925d63151","37aead580cea7b82a1e76cb642a9269b9ad1dcdb60f36660e59ee5f8e00cc7b8","1a60852904ff9c710cd754fa187ce58cb18c69e35ea4962a8639953abe380f64","112c08db627e759a499ab96e7964425f721fda8b56029e15ab27c762bf1d91cc","1aa12327f111d30f0a973070e2a941322b07710b9c90c02b0c5c0eda26c902cc","7029d68969814f1473e4e4a22abd4be85678a03bbe4c0f6194f3b7e421872ab3","1baea27d6148bf630d85c28b24d5aa9114ad32800d10f2977acecd7845275ecf","396f397099a459f3adeba057788aa3d34882eea7d1665c828449f205a86dc80f","db8afdafbe39637fec3572829dd0a1a2f00c9b50f947f1eb544ede75e499dca7","152914827e68584725b0890a46d62e45122789d1341e50f134b586aa7e139d3c","001cdd8e978b8233a958cfb81b20272a5d3a9c53ce2eb9dda28f0755f95f3e14","a0c3de95e5bf84cb616fe1ee1791e96ff5753778b36201610e6730d025a6cb12","393f6c6b307aecfe46acc603da812cc17f0ebf24b66632660a2e533dfa4f463f","17eff164be5859f8ed5b4c4d9969f9384523f4ac9a8bd1b6e73ee2ea7d1761e2","00d70985e5e73cba934ffc7b886cea5df2d9f04c72b80f1e653ae709910666da","04d3477a22a0693c3278c5a86f9c88289a7ccc2565cb61f8a78c9b269666baff","fe02d8d7a6b8f66624b238665d63094a2bcd19c44a3f9c449788cadbb1b741a6","94de957259c8e23f635989dd793cdfd058883834672b2c8ac0a3e80784fce819","767b63d11cee8cfb401a9b72d7bcca23b949149f2a9d7456e6e16553afcef169","f6093084196acded1179d3a1466908beb966dceaba03e1dfeb02a2628fdb0423","fcc512630ee95d3f4c31e3aabc75ad2e29dfacb4d4bcce7a12abe9a516979dbd","4ab63b5ccd60dfd66c7510d1b3bc1f45f0c31c2d4c16b63b523d05ccac3fcb9d","1217e31084df1dbe3fb37cd2b0c65bc70ec20278ab11471f0adafe845ed482d9","020b6449605713404d9ea6bd332df47f815663f239b39c368208158b1411efb2","ea65298d8d8ce4b868511a1026f8657abcc6b2e333854f4fc1bd498463b24084","00226d16b97c2a2201ca806491f5a6df3650a70c19e82b791740aaef7cf93e72","0165aa283b6dd66db66d5865907e753acc68b894fc8086bffe106ac3d550d0df","3dafa158ccb63f989aaab41541ea9c02d2cf1a2b5f50c5a7b98abc1bcadd73f1","df0ca0f15926964040bb43978f97faccc00bae5f6a00d8bd7d105d8c7d32efb1","86e14dd0ab29ee0eab21874811b7e450d609feb606f77206627b62cccbd58afa","3abf66e0a886ec0454d0382369dd6d23c036c0dd5d413093c16c43c72b8ccb0b","35aa1d44c71bdac70faa11b51fc29c13348e99cf981faa7119861df3ab7e50ba","908d35e6afd90da2e7c71cf82c8a61b553410ca920e67dba1bae35c2b6b19bad","116760f2d7d0b138a2d62683bc08d462087dbd278e491177ae9c978e1fddb1a0")
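The queries above compare whole URL strings and hash strings against the IOC list. Two properties of that list matter when the same matching is reproduced elsewhere: the Discord CDN links carry `ex`, `is` and `hm` parameters that change when a link is re-issued (Complex.zip appears twice above with different values), so a whole-URL comparison misses a refreshed link to the same attachment; and the MD5 list mixes upper- and lower-case entries, so a case-sensitive comparison silently drops whichever case the log source does not use. The following Python is an added example, not code from Gurucul or from the McAfee write-up. It takes a small subset of the advisory's own URL and hash IOCs, runs both an exact-URL match and a host-plus-path match over a few constructed proxy-log lines (the log format and the client addresses are invented for the example), and shows the case-insensitive hash check beside the case-sensitive one.

```python
"""IOC matching over proxy-log lines: whole-URL match vs. host+path match,
and case-sensitive vs. case-insensitive hash match.
Added example; not the advisory's or Gurucul's own code."""
from urllib.parse import urlsplit

# Subset of the advisory's URL IOCs, copied from the list above.
IOC_URLS = [
    "http://85.235.75.242/script.ps1",
    "https://mydofiles.com/script.ps1",
    "http://46.151.182.238:6969/exe/rat.exe",
    "https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/"
    "Complex.zip?ex=69531d65&is=6951cbe5&hm=b66d9539c0d487fc63125982db773e42eee01dfc4bc5a28dc1a7a773134a7bc6&",
]
# Subset of the advisory's hashes, copied verbatim: note the mixed case.
IOC_HASHES = {
    "CD1B15644BF0D7CBF270E8F21CEAE5E6",                                    # MD5, upper case
    "7d18257b55588bccb52159d261f9cd7f",                                    # MD5, lower case
    "94de957259c8e23f635989dd793cdfd058883834672b2c8ac0a3e80784fce819",  # SHA-256
}

# Constructed proxy-log lines (not real telemetry): "<time> <client> <method> <url> <status>".
LOG_LINES = [
    "2026-03-20T10:01:02Z 10.0.0.5 GET http://85.235.75.242/script.ps1 200",
    # Re-signed Discord link: same attachment, but ex/is/hm differ from every IOC entry (values made up).
    "2026-03-20T10:02:10Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/1438966596222849134/1454995223171170386/Complex.zip?ex=69600000&is=69500000&hm=0000000000000000& 200",
    "2026-03-20T10:03:33Z 10.0.0.9 GET https://www.example.org/index.html 200",
    # Same file as an IOC entry, fetched over http and via the www. host alias.
    "2026-03-20T10:04:00Z 10.0.0.5 GET http://www.mydofiles.com/script.ps1 200",
]


def url_key(url: str) -> tuple[str, str]:
    """Normalise a URL to (host[:port], path): scheme, a leading 'www.', query and fragment are dropped."""
    parts = urlsplit(url)
    host = parts.netloc.lower().removeprefix("www.")
    return host, parts.path


EXACT_URLS = set(IOC_URLS)
URL_KEYS = {url_key(u) for u in IOC_URLS}
HASHES_LOWER = {h.lower() for h in IOC_HASHES}


def parse_line(line: str) -> tuple[str, str]:
    """Return (client, url) from one constructed log line."""
    _time, client, _method, url, _status = line.split()
    return client, url


def exact_url_hits(lines):
    """Hits when the whole URL string must equal an IOC entry (what the queries above do)."""
    return [(c, u) for c, u in map(parse_line, lines) if u in EXACT_URLS]


def normalized_url_hits(lines):
    """Hits when only host and path must match; survives re-signed query strings and scheme changes."""
    return [(c, u) for c, u in map(parse_line, lines) if url_key(u) in URL_KEYS]


def case_sensitive_hash_hit(observed: str) -> bool:
    """Exact string membership: misses when the log's case differs from the IOC list's."""
    return observed in IOC_HASHES


def hash_hits(observed):
    """Case-insensitive membership of observed hashes in the IOC set, lower-cased and sorted."""
    return sorted({h.lower() for h in observed if h.lower() in HASHES_LOWER})


if __name__ == "__main__":
    print("exact URL hits:     ", len(exact_url_hits(LOG_LINES)))       # 1
    print("normalized URL hits:", len(normalized_url_hits(LOG_LINES)))  # 3
    print("case-sensitive MD5 hit:", case_sensitive_hash_hit("cd1b15644bf0d7cbf270e8f21ceae5e6"))  # False
    print("case-insensitive hits: ", hash_hits(["cd1b15644bf0d7cbf270e8f21ceae5e6", "ffff"]))
```

Dropping the query string is a deliberate trade-off: it widens the match from one signed link to every link to that attachment, which is what a defender wants for the Discord CDN entries, while the host and full path keep the key specific enough that unrelated downloads from the same host do not fire. Hashes should be lower-cased on both sides before comparison, or the upper-case MD5 entries in the list above never match logs that store hashes in lower case.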

    Reference:

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ai-written-malware-vibe-coded-campaign/

    Tags: Malware, AI, Discord