Trend Micro: AI Enables “Vibe-Coded” Copycat Cybercrime

Trend Micro finds AI & open-source tools aid criminals in turning security blogs into partial malware, complicating attack attribution & fuelling copycats

Cybersecurity leader Trend Micro is exposing the growing threat of AI-enabled cybercrime where malicious actors leverage AI tools to translate technical security blogs and public threat intelligence into “vibe-coded” malware. 

This trend dramatically lowers the barriers for copycat cyberattacks, empowering criminals to rapidly prototype malware by reusing fragments of known espionage toolkits detailed in public research. 

While AI-generated code is often incomplete and requires human expertise to weaponise, it gives attackers a significant head start – enabling them to refine and repurpose these malicious payloads more efficiently than ever before.

Trend Micro research: Do Security Blogs Enable Vibe-Coded Cybercrime? 

Trend Micro releases its Do Security Blogs Enable Vibe-Coded Cybercrime? research around the same time as a report from AI company Anthropic, which revealed how its language model, Claude, was exploited by cybercriminals to conduct an extensive extortion campaign against at least 17 organisations. 

Using Cline to interpret the TTP in the publication and develop code. Credit: Trend Micro

The attackers used AI not only to automate network infiltration but to make strategic decisions about which data to steal and how to craft effective ransom demands, reaching sums of more than US$500,000 in some cases. 

This “vibe hacking” form of cybercrime exemplifies how AI tools have been weaponised to scale sophisticated operations – tasks that would have only been achievable by experienced teams.

Trend Micro’s key findings

In its research, Trend Micro finds:

  • AI-assisted generation of malicious code from technical security reports has become easier than before. However, the advantages of sharing security research far surpass the risks posed by attackers using AI to create phishing pages or malware that imitate existing campaigns or known threat groups.
  • The AI-produced malicious code is only a preliminary draft and requires specialised skills and manual effort to complete and weaponise successfully.
  • Copycat malware campaigns enabled by “vibe-coding” complicate attribution efforts but do not render advanced analytical methods ineffective, highlighting the continued importance of structured threat intelligence.
  • Security publications need to evolve by considering the impact of large language models and encouraging the use of more sophisticated attribution techniques.

Trend Micro conducted its research by testing whether publicly available technical reports could be used by AI to generate functional malware samples. 


Specifically, it focused on the Earth Alux espionage toolkit, applying LLM-powered coding assistants to reproduce portions of this toolkit’s code. 

These AI tools generated Python and C code that simulated key attacker activities like persistence mechanisms and communication methods.

The results showed that while the AI output closely reflected the content of the published reports, the generated code was incomplete and required expert manual refinement to become fully weaponised malware. 

Additionally, Trend Micro found that the safety guardrails of mainstream models could be bypassed easily by switching to open-source, uncensored models, which demonstrates the dual-use nature of LLM coding tools. 

This methodology provided practical insight into how AI can turn published threat intelligence into usable malware fragments, emphasising the evolving challenge of keeping threat intelligence transparent while mitigating the risks of AI misuse.

Open-source tools and attribution challenges

Trend Micro’s research shows that criminals leverage not only public security data but also open-source AI models that can bypass safeguards.

This “vibe-coded” malware lets malicious actors mimic the tactics and techniques of multiple attacker groups, blurring traditional methods of attribution and complicating defenders’ efforts to identify threat actors accurately. 

In its report, Trend Micro underscores that existing attribution methods relying on IoCs and TTPs must evolve toward more advanced frameworks to counter this new dimension of AI-enabled attacks.
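The attribution problem above can be made concrete with a small scoring sketch. This is an added illustration, not Trend Micro’s code and not a method the report describes: the group profile, the technique identifiers, the three samples and the weights are all constructed and hypothetical. It contrasts a score based purely on overlap with a group’s published TTPs (which a copycat reproducing a blog post matches perfectly) against one that discounts published techniques and rewards overlap on traits that never appeared in public reporting.

```python
"""Added illustration, not Trend Micro's code: why TTP overlap alone cannot separate a
copycat from the original actor, and one way to discount indicators that a public
report already hands to imitators. Every profile, identifier and sample is constructed."""

from dataclasses import dataclass, field

# Hypothetical profile of a tracked group. 'public' holds techniques documented in a
# published report (anything an LLM could reproduce from the text); 'private' holds
# traits known only from the defender's own telemetry and reverse engineering.
GROUP_PROFILE = {
    "public": {"T1547.001", "T1071.001", "T1027", "T1055"},
    "private": {"rc4-keyschedule-quirk", "pdb-path-d:\\proj\\build", "c2-tls-cert-sha256:ab12"},
}


@dataclass
class Sample:
    name: str
    ttps: set[str]                                  # techniques observed in the sample
    traits: set[str] = field(default_factory=set)   # deeper artefacts from analysis


def naive_score(sample: Sample, profile: dict) -> float:
    """Fraction of the group's published TTPs the sample reproduces.
    This is what plain IoC/TTP-overlap attribution effectively measures."""
    public = profile["public"]
    return len(sample.ttps & public) / len(public)


def weighted_score(sample: Sample, profile: dict,
                   public_weight: float = 0.25, private_weight: float = 1.0) -> float:
    """Discount published techniques (cheap for a copycat to reproduce) and reward
    overlap on private traits that a blog post never exposed. Weights are arbitrary."""
    public, private = profile["public"], profile["private"]
    gained = (public_weight * len(sample.ttps & public)
              + private_weight * len(sample.traits & private))
    possible = public_weight * len(public) + private_weight * len(private)
    return gained / possible


def attribute(sample: Sample, profile: dict, threshold: float = 0.6):
    """Return (naive, weighted, verdict). The verdict uses the weighted score so that a
    sample which only mirrors the public report stays 'inconclusive'."""
    naive, weighted = naive_score(sample, profile), weighted_score(sample, profile)
    verdict = "attributed" if weighted >= threshold else "inconclusive"
    return naive, weighted, verdict


# Constructed samples: the genuine actor, a copycat that reproduces exactly what the
# public report documents, and an unrelated family sharing one common technique.
GENUINE = Sample("genuine", {"T1547.001", "T1071.001", "T1027", "T1055"},
                 {"rc4-keyschedule-quirk", "pdb-path-d:\\proj\\build", "c2-tls-cert-sha256:ab12"})
COPYCAT = Sample("vibe-coded copycat", {"T1547.001", "T1071.001", "T1027", "T1055"},
                 {"python-bundled-pyinstaller"})
UNRELATED = Sample("unrelated", {"T1027", "T1566.001"})

if __name__ == "__main__":
    for s in (GENUINE, COPYCAT, UNRELATED):
        n, w, v = attribute(s, GROUP_PROFILE)
        print(f"{s.name:20s} naive={n:.2f} weighted={w:.4f} -> {v}")
```

Run as a script, the genuine sample and the copycat both score 1.0 on the naive measure, which is the confusion the report warns about; only the weighted score separates them (1.0 against 0.25), because the copycat has nothing the public write-up did not already contain. The weights and threshold are placeholders; the point is the structure, not the numbers.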

The importance of transparent reporting


Despite the risks, Trend Micro stresses that transparent security reporting is essential for global cyber defence. 

It says that detailed threat intelligence publications empower defenders worldwide and must continue with adaptation to account for AI’s dual-use nature. 

Bob McArdle, Director of Forward Threat Research at Trend Micro, says: “Transparency in security reporting has always been a cornerstone of community defence. 

“Our findings show that while criminals can attempt to misuse these reports with AI tools, the benefits of sharing research far outweigh the risks. 

“What changes is how we as an industry must think about attribution and the responsibility of testing how our publications might be interpreted by AI models.


“Threat intelligence reports are vital for global cyber defence.

“But with vibe-coding, attackers can more easily blend in with others, deliberately confusing attribution. 

“Our advice to defenders is to embrace advanced attribution methods and to look beyond surface-level indicators.”
