HP Wolf Security: How Vibe Hacking Overwhelms Legacy Defence

HP Wolf Security Threat Insights Report: March 2026 | Credit: HP Wolf Security
HP Wolf Security reveals how a surge of AI‑assisted malware, fake installers and macro‑based attacks is overwhelming traditional cybersecurity defences

Just as AI gave the world vibe coding, bad actors are ‘vibe hacking’ their way into systems.

HP Wolf Security’s latest Threat Insights Report, March 2026, says as much: AI is enabling attackers to scale and accelerate campaigns by prioritising cost, effort and efficiency.

The report examines notable malware campaigns and emerging attack techniques that demonstrate how cybercriminals are increasingly using AI and inexpensive off‑the‑shelf components, posing significant challenges for traditional security defences.

Uncovered security threats 

One of the most striking trends identified by HP Wolf Security is the reuse of the same inexpensive components across multiple campaigns. 

Attackers are assembling malware like building blocks, combining obfuscated scripts, archive‑hosted images with embedded code and commonly available .NET loaders to deliver a range of malicious payloads such as DarkCloud and AsyncRAT.

Malicious website mimicking Microsoft Teams to deliver malware | Credit: HP

In many cases the initial lures vary from fake invoices to social‑engineered attachments, but the intermediate stages of the infection chains remain identical.

Researchers at HP Wolf Security also note that attackers are creating counterfeit installers for widely used software. Fake Microsoft Teams downloads were observed that contained malware bundled with legitimate installers.

These packages exploited DLL sideloading through a signed executable to install the OysterLoader backdoor – which is frequently seen prior to ransomware deployment.

Vibe hacked scripts evade detection 

Vibe‑hacking campaigns involve attackers embedding infection scripts, crafted with the help of AI, into seemingly benign files such as images, PDFs or scanned Word documents.

One example documented in the report involves a fake invoice PDF that directed victims to a compromised website.

Once clicked, the link triggers a silent download of malicious code in the background, before immediately redirecting the user to a legitimate site such as Booking.com in an attempt to lower suspicion and evade detection.

Redirection to a legitimate website to reinforce trust in the downloaded file | Credit: HP

Despite advances in defensive technology, many threats continue to slip past traditional email gateway security. 

The report states that at least 14% of email‑based threats in Q4 2025 evaded one or more gateway scanners, highlighting the limitations of perimeter defences in the face of rapidly evolving tactics.

Script- and executable-based threats also remain prevalent, with simple Visual Basic for Applications (VBA) macros in Office documents still being used to install PowerShell loaders.

Image containing .NET malware (left) and Base64-encoded loader inside image (right) | Credit: HP

These loaders ultimately deploy malware such as Agent Tesla, which is capable of harvesting local email contacts and communicating with threat operators via Telegram channels. 
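The archive‑hosted images with embedded code mentioned earlier and the Base64-encoded loader shown in the image above are the kind of artefact a file scanner can check for. The Python below is an added example, not code from HP Wolf Security or the report; it assumes (the report does not say where the loader sits) that the payload is appended after the image's end marker, pulls the bytes after a JPEG EOI or PNG IEND chunk, decodes any long Base64 run and flags one that carries a PE header. The 64-character run threshold and the constructed sample image are assumptions.

```python
import base64
import re
import struct

# Base64 runs long enough to plausibly carry an executable; 64 is a tuning assumption.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def trailing_data(image: bytes) -> bytes:
    """Bytes appended after the image's end marker (JPEG EOI or PNG IEND chunk)."""
    if image[:2] == b"\xff\xd8":                       # JPEG SOI
        end = image.rfind(b"\xff\xd9")                 # last EOI marker
        return image[end + 2:] if end != -1 else b""
    if image[:8] == b"\x89PNG\r\n\x1a\n":
        end = image.find(b"IEND")
        return image[end + 8:] if end != -1 else b""   # skip IEND type + 4-byte CRC
    return b""

def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_pe(image: bytes) -> list[dict]:
    """Decode long Base64 runs in the trailing data and report any PE images found."""
    hits = []
    for m in B64_RUN.finditer(trailing_data(image)):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:                              # bad length or padding
            continue
        if looks_like_pe(decoded):
            hits.append({"offset": m.start(), "size": len(decoded)})
    return hits

def build_sample(container: str = "jpeg") -> bytes:
    """Constructed test input: minimal image framing followed by a Base64-encoded
    fake PE (valid headers, zeroed body). Not a sample from the report."""
    fake_pe = bytearray(0x100)
    fake_pe[:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x80)        # e_lfanew -> offset 0x80
    fake_pe[0x80:0x84] = b"PE\x00\x00"
    payload = base64.b64encode(bytes(fake_pe))
    if container == "png":
        header = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB\x60\x82"
    else:
        header = b"\xff\xd8" + b"\x00" * 32 + b"\xff\xd9"
    return header + payload
```

Running `find_embedded_pe` over a clean image returns an empty list; a hit reports where in the trailing data the Base64 run starts and how large the decoded executable is.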

This underscores how even basic macro‑based techniques continue to be effective in certain regions, particularly Asia-Pacific.

AI overwhelms security systems with threat volume

A central theme of the report is the prioritisation of speed and cost over sophistication. 


Many threat actors opt for components purchased on hacker forums or adapted from widely available tools, allowing them to construct and deploy campaigns quickly without significant development effort. 

Principal threat researchers at HP point out that this approach mirrors legitimate software development practices, where automation and pre‑built templates accelerate delivery, albeit with lower-quality code.

The increasing use of AI‑assisted scripting and automation poses a dual challenge. On one hand, it enables novice attackers to quickly generate functional malicious code.

On the other, it creates a volume of threats that can overwhelm detection tools that rely on known signatures or behavioural models tuned to older attack patterns.

“As someone who has spent decades on the front lines as a CISO and now at Doppel, I’ve never seen the social engineering problem evolve as fast as it has in the last 24 months,” says Bobby Ford, Chief Strategy & Experience Officer at Doppel.

Bobby Ford, Chief Strategy and Experience Officer at Doppel | Credit: Doppel

“We used to worry about attackers getting around the firewall; now they get through your people by perfectly recreating the voice of your CEO, the face of your recruiter or the login page of your payroll provider and they can do it at scale.

“Legacy defences were never designed to distinguish a real executive from a synthetic one or a genuine outreach from an AI-powered fraud campaign.

“Modern threats require modern defence: multi-channel, multi-layered, AI-native and built for a world where identity, intent and authenticity are constantly under attack.”
