Cybersecurity researchers have recently identified a sophisticated intrusion where an unknown threat actor utilized an AI-generated, “vibe-coded” PowerShell script to perform extensive Active Directory (AD) enumeration. This alarming development highlights the growing trend of cybercriminals leveraging artificial intelligence to craft potent and evasive tools, lowering the barrier to entry for sophisticated cybercrime.
The attack, which occurred in early June 2026, saw the threat actor gain initial access through Remote Desktop Protocol (RDP) using pre-compromised credentials. The actor then deployed their tools within the “C:ProgramData” folder. According to a report by Huntress researchers Jevon Ang and Dray Agha, the script was specifically designed to locate Domain Controllers (DCs), map users, computers, and domains, and then export this information. The successful enumeration was ultimately marked by the creation of an AD_Report.html file, summarizing the findings.
AI-Driven Active Directory Enumeration Raises Cybersecurity Concerns
The custom PowerShell script, described by Huntress as “highly aggressive” and “noisy,” exhibited several telltale signs of AI generation. These include detailed prompt iteration titles, placeholder strings, and an over-engineered approach to finding a Domain Controller, employing a “five-step cascading fallback mechanism.” The script’s title, “100% Working AD Information Gathering Script – FULLY FIXED,” strongly suggests iterative refinement with a large language model (LLM). This AI-assisted approach allows less-skilled actors to develop advanced tooling with minimal effort.
Once the primary Domain Controller was identified, the script initiated a detailed data collection process. It systematically harvested information on AD users, computers, groups, organizational units (OUs), and trust relationships, storing these findings in a designated staging directory. This comprehensive reconnaissance is a critical step for attackers aiming to understand and exploit network structures.
Approximately 30 minutes after the initial AD enumeration, the attacker escalated their activities. They deployed s5cmd, a legitimate tool for bulk file operations, and SharpShares, a C#-based utility for enumerating network shares. These tools were used to identify user-accessible data repositories, indicating a move towards data exfiltration or further compromise.
In the final phase of this particular attack chain, the gathered data was converted into CSV files, archived, and sent to a remote server. Before this exfiltration, an HTML report was generated, summarizing the acquired Active Directory inventory. Researchers believe the AI-generated payload was likely a “helpful” addition suggested by an LLM that the attacker simply incorporated, rather than a meticulously crafted element of their original plan.
This incident underscores a significant shift in cybersecurity threat landscapes. Threat actors are increasingly augmenting their arsenals with AI-generated malware, even if the underlying attack vectors are not entirely novel. The core methodology of the attack chain, as noted by Huntress, still resembles established “smash-and-grab” tactics. However, AI is now being selectively integrated, creating a hybrid approach that prioritizes aggression and speed over stealth. This allows for the execution of highly damaging campaigns at an accelerated pace, posing a significant challenge for defenders.
AI as a Force Multiplier in Cloud Attacks
The trend of AI enhancing cyberattack capabilities extends beyond on-premises environments. A separate report published by Sygnia revealed that AI-enabled attackers can orchestrate cyber intrusions with unprecedented speed and scale, often without relying on novel malware or zero-day exploits. The real innovation lies in the ability to operationalize established attack techniques across complex environments far faster than defenders can react.
Sygnia detailed an AI-assisted cloud attack that progressed from initial access to broad compromise within approximately 72 hours against a large Amazon Web Services (AWS)-based environment. The apparent motive behind this attack was financial gain, with the attacker leveraging compromised cloud infrastructure for extortion. The threat actor continuously reused newly acquired credentials to restart discovery, harvest secrets, establish persistence, and execute impact activities, demonstrating a rapid and adaptive approach.
This cloud attack did not rely on exploiting a single misconfiguration. Instead, it involved chaining together weaknesses across various components, including application services, AWS resources, source-control repositories, CI/CD workflows, runtime components, and data stores. This allowed for swift execution of credential discovery, secret harvesting, cloud enumeration, deployment-pipeline abuse, runtime modification, database access, and operational disruption.
The attacker also made repeated attempts to establish persistence on compromised hosts. Access to an AWS account was obtained through vulnerabilities in an internet-facing application. Each new access point triggered renewed enumeration, further secret collection, persistence efforts through the creation of access keys and IAM users, and data exfiltration. Notably, some attacker-created artifacts were disguised as legitimate penetration testing or red teaming exercises, adding a layer of obfuscation.
To increase pressure on victims, the attacker implemented several disruptive actions, including denying access to S3 buckets, limiting ECS services or containers to zero capacity, creating ACL rules to block network access, and purging SQS queues. Sygnia emphasized that the significance of these attacks was not the introduction of new techniques, but the dramatic reduction in time and effort required to operationalize them across complex cloud infrastructure.
The threat actor consistently translated newly acquired access into tailored actions. For each new access key, the actor appeared to rapidly determine the associated permissions, reachable resources, and the most valuable next steps. This agility and efficiency, powered by AI, represent a significant challenge for current cybersecurity defenses. The ongoing evolution of AI-assisted cyber threats suggests that organizations must continuously adapt their security strategies to counter increasingly sophisticated and rapid attacks.

