Hackers are using AI to dissect threat intelligence reports and ‘vibe code’ malware
TrendMicro has called for caution on how much detail is disclosed in security advisories
Threat intelligence reports play a crucial role in helping enterprises keep tabs on emerging threats. These blog posts detail the tactics, techniques, and procedures (TTPs) of a threat group or dissect the makeup of a particular malware strain.
New research, however, shows they could also be doing more harm than good. According to research from Trend Micro, hackers are now using AI to analyze these reports and use them to refine their tactics.
The study showed large language models (LLMs) can translate technical blogs into “partial malicious code” in a dark twist on the “vibe coding” trend.
This not only allows threat actors to speed up attacks or reverse engineer malware strains, it also helps them mimic other group’s TTPs, creating challenges with the attribution of attacks.
Speaking to ITPro, Robert McArdle, Director of Forward Threat Research at Trend Micro, said the company’s findings highlight the latest example of cyber criminals jumping on the vibe coding bandwagon to wreak havoc.
“We already know that cyber criminals are using vibe coding,” McArdle said. “We’ve seen that in their discussions on criminal forums. We’ve seen existing malware that very much looks like it was vibe coded.”
“It got us thinking, what if you can actually clone an analysis by a researcher to try to re-implement the malware from what they've described?”
McArdle told ITPro the company decided to test this by using AI tools to dissect its own blog posts, which showed some initial promise.
“What came back was quite good,” he said. “It wasn’t the final product. It did need a little bit of tweaking to get it to work, but it certainly took a lot of work out of the way.”
This ‘lightening of the load’ is a key concern, McArdle noted. While AI tools are unlocking productivity gains for workers on the right side of the law, they’re proving equally powerful for criminals.
Worse still, these tools are helping lower the barrier to entry for up-and-coming cyber criminals and accelerating processes for those with a higher level of technical know-how.
“AI lets you jump from your current level of proficiency up to the next level faster,” he told ITPro. “So if you’re a complete novice and you know very little about code, you can vibe code a reasonably okay malware.”
“If you're already skilled and you go to an in-depth analysis of something even more advanced, then it certainly helps you get up to speed on that faster and go from those examples and have some sort of working code," McArdle continued. “So in each case it levels up the skill set of the attacker.”
Time to tone down the technical details?
Faced with this, McArdle said Trend Micro’s view on threat intelligence reports is that industry providers should consider toning down the technical details.
The company itself has taken this on board and McArdle said a key factor in releasing this research was to raise awareness and let industry counterparts know what’s going on.
“We often release these [threat intelligence reports] to raise awareness, to let people know that you know something is going on,” he said.
“Within those, it's the level of detail that you put in the post that’s the difference. We need to let people know this new attack is happening. Here's the main details you need to know to defend yourself. Here's the bigger world context, and so on,” McArdle added.
“But we probably don't always need to go down to the low-level code of ‘this is exactly how this was implemented, from start to finish’.”
“The more and more you go to that level, the more an AI is capable of reconstructing an approximation of the malware from it,” he said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
The UK AI revolution: navigating the future of the intelligent enterpriseAs AI reshapes industries and societies, decision-makers in the UK face a critical choice: build a sovereign future or merely import it.
-
Turning the UK AI revolution into a sovereign realityThe UK AI Revolution documentary series posed difficult questions about AI’s hype, control, and future. Now, IT leaders must find the architectural answers
-
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radarNews The new DeadLock ransomware family is taking off in the wild, researchers warn
-
Supply chain and AI security in the spotlight for cyber leaders in 2026News Organizations are sharpening their focus on supply chain security and shoring up AI systems
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
NHS supplier DXS International confirms cyber attack – here’s what we know so farNews The NHS supplier says front-line clinical services are unaffected
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
