APT36: A Nightmare of Vibeware

    Date: 03/16/2026

    Severity: High

    Summary

    Pakistan-linked threat actor APT36 (Transparent Tribe) has shifted to an AI-assisted malware development model known as “vibeware,” generating large volumes of disposable implants using niche programming languages such as Nim, Zig, and Crystal to evade traditional detection. Primarily targeting Indian government and diplomatic entities, the campaign leverages trusted cloud services like Slack, Discord, Supabase, and Google Sheets for command-and-control and data exfiltration. Although many samples contain coding errors due to AI-generated development, the high-volume, polyglot approach enables the group to overwhelm defenses and reset detection baselines while maintaining persistent espionage capabilities.

    Indicators of Compromise (IOC) List

    URLs/Domains

    hcisupport.in

    coadelhi.in

    hcidoc.in

    IP Address

    45.56.162.192

    193.29.56.122

    104.238.61.237

    23.152.0.81

    45.56.162.170

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "hcidoc.in" or siteurl like "hcidoc.in" or url like "hcidoc.in" or domainname like "hcisupport.in" or siteurl like "hcisupport.in" or url like "hcisupport.in" or domainname like "coadelhi.in" or siteurl like "coadelhi.in" or url like "coadelhi.in"

    Detection Query 2:

    dstipaddress IN ("193.29.56.122","45.56.162.170","104.238.61.237","45.56.162.192","23.152.0.81") or srcipaddress IN ("193.29.56.122","45.56.162.170","104.238.61.237","45.56.162.192","23.152.0.81")

    Detection Query 3:

    md5hash IN ("3f834e31f560d9d58bd7849cddda5769","12b4800a37b97cfc031e52ea06e0a7e2","2fc4c9cf0b2b52e8840ca7a3f38034fb","62411d171212eeb325ce00d357bf0795","04939089f73d100ab4948cda2a1e3736","ed4dd29c57a38f2bb1934acbaeadeeba","a5f8e394f7098294b2983f7cd7e750c3","3cf6bc05a246ddb7bf875381a9bdf7d4","8a1f290595e459cbfb55fa4c3a58ee0b","41e952209f149525e4be1eea7961b00b","83d3def856a88bad32d683ead6cf540b","c9423c4cb3f520ae60fdd1bf4b9e64b4","f916e6cc69a4e6a2fcbbcc7fe046f383","913199ea8343ac030f4fe8dcb215a2eb","54380dfde28bb96e5a3a0dadbf9c4cb0","8aeb2fb5a8d863126588ff91186d4c0a","379c8e420d4fa723751677571c6a52ee","83822297319d8961f4a87805df963a48","c8d2d1837c75cf5050dc679a40e6c394","fa2dc49926eb370dc755d7681eae2a85","9652d51cde165d405916a8f3e26e7318","0fbb0143272c325f4b540819a84826b5","2e75e109184a7f6473258bf00440bfd0","47ff0ff8336a207722a8dcd0d3e92825","ca2edac970d8afed99db4b5cda72a13e","bea885be7d43627211504dc51685db0e","569bb4899de5759c32ea6df661c35d4c","86e72d95b2a8d49c6537076934fda2fe","62c335a4c4ab14bbc85eb1c026db2f8a","c57a340368c9996b8ded4af57a8c3686","32277138366754f6e8514bb89ed74741","857f5f12a88d35dbabdc9a61bc692238","c8593e311e3cc8443a3187cd7666018b","39e6cd3e098a0c23f1695e3e8ad4a30c","f82d87182c19cc4811e952e1c18ef71d","ed95f38533247a4bb7ad49db297dbe1b","acae98c2997aa85e7b0789a99b6c106a","82f322d4665589191da19e1e663b7d51","c0218ece73d9046e25293fbef71bc70c","f465416476bb3838e982da81aa4aee5b","7804b006084b6f582f2f74ff758d8cee","12289d965b800c8450526bad29f70669","e2f6b3d71063b22c0d88c194e9148eaf","5ea7da52f69f0772621a227007413959","3e9b3306644b1a4d8c3ac23c7e0d4c7b","16be323504052f95cf670e1f3a705892","fa01bbb5effe12423953c757fd0cb111")
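    To replay the same IOC logic outside the TDIR console, here is an added Python example (not Gurucul's query engine and not code from the advisory) that evaluates the three queries above over constructed log events; the subdomain-suffix handling and the two-hash subset of the MD5 list are assumptions made for illustration.

```python
"""Added example: replay the three TDIR detection queries against
constructed sample log events (not real telemetry)."""

# IOCs taken from the advisory above.
DOMAIN_IOCS = {"hcisupport.in", "coadelhi.in", "hcidoc.in"}
IP_IOCS = {"45.56.162.192", "193.29.56.122", "104.238.61.237",
           "23.152.0.81", "45.56.162.170"}
# Two of the MD5 hashes from Detection Query 3 (subset, for brevity).
MD5_IOCS = {"a5f8e394f7098294b2983f7cd7e750c3",
            "fa01bbb5effe12423953c757fd0cb111"}

DOMAIN_FIELDS = ("domainname", "siteurl", "url")   # fields in Query 1
IP_FIELDS = ("dstipaddress", "srcipaddress")       # fields in Query 2


def domain_hits(value):
    """Match an IOC domain or any of its subdomains, but not a look-alike
    such as hcidoc.in.example.com, which a plain substring match would hit."""
    host = value.lower()
    if "://" in host:                      # strip scheme from URL fields
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    return {d for d in DOMAIN_IOCS if host == d or host.endswith("." + d)}


def match_event(event):
    """Return the list of queries (1, 2, 3) that an event triggers."""
    fired = []
    if any(domain_hits(str(event.get(f, ""))) for f in DOMAIN_FIELDS):
        fired.append("query1-domain")
    if any(str(event.get(f, "")) in IP_IOCS for f in IP_FIELDS):
        fired.append("query2-ip")
    if str(event.get("md5hash", "")).lower() in MD5_IOCS:   # case-insensitive
        fired.append("query3-hash")
    return fired


def scan(events):
    """Return (index, fired_queries) for every event that matched."""
    return [(i, hits) for i, e in enumerate(events) if (hits := match_event(e))]


# Constructed sample events; the subdomain and the look-alike are invented.
SAMPLE_EVENTS = [
    {"url": "https://docs.hcidoc.in/form.pdf", "dstipaddress": "203.0.113.9"},
    {"domainname": "hcidoc.in.example.com"},             # look-alike: no hit
    {"srcipaddress": "10.0.0.5", "dstipaddress": "193.29.56.122"},
    {"md5hash": "FA01BBB5EFFE12423953C757FD0CB111"},     # upper-case hash
    {"siteurl": "https://intranet.example.org/", "dstipaddress": "198.51.100.4"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```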

    References:

    https://www.bitdefender.com/en-us/blog/businessinsights/apt36-nightmare-vibeware

    https://github.com/bitdefender/malware-ioc/blob/master/2026_03_05-apt36-iocs.csv


    Tags

    Malware, Threat Actor, APT, Transparent Tribe, APT36, AI, Government Services and Facilities, Pakistan, India, Discord, Exfiltration, Polyglot
