Trend Micro: How AI is Enabling "Vibe-Coded" Cyber Crime

Cybersecurity giant Trend Micro is spotlighting a fast-emerging risk: attackers harnessing AI tools to repurpose public threat intelligence into what it dubs “vibe-coded” malware.
By using generative AI to translate technical blogs and security reports into working code fragments, cybercriminals are effectively lowering the barriers to entry for copycat operations. This enables malicious actors to prototype functional malware at speed, often by adapting pieces of known espionage toolkits published in open research.
While these AI-produced code samples are not immediately weaponised and still demand skilled intervention, they give criminals a dangerous head start – compressing the time needed to refine and operationalise attacks.
Trend Micro research: Do Security Blogs Enable Vibe-Coded Cybercrime?
Trend Micro releases its research, “Do Security Blogs Enable Vibe-Coded Cybercrime?”, as AI firm Anthropic reports that its Claude model had been manipulated by criminals conducting a large-scale extortion campaign targeting at least 17 organisations.
In this case, bad actors used AI not only to automate intrusion steps but also to make calculated choices about which data to prioritise and how best to shape ransom demands, in some instances exceeding US$500,000.
The Trend Micro report probes whether technical reports themselves can seed this type of “vibe hacking” – showing how AI has shifted from being an analyst’s aid to a tool that actively enables digital crime at scale.
Trend Micro’s key findings
In its research, Trend Micro finds:
- AI-assisted generation of malicious code from technical security reports has become easier than before. However, the advantages of sharing security research far surpass the risks posed by attackers using AI to create phishing pages or malware that imitate existing campaigns or known threat groups.
- The AI-produced malicious code is only a preliminary draft and requires specialised skills and manual effort to complete and weaponise successfully.
- Copycat malware campaigns enabled by “vibe-coding” complicate attribution efforts but do not render advanced analytical methods ineffective, highlighting the continued importance of structured threat intelligence.
- Security publications need to evolve by considering the impact of large language models and encouraging the use of more sophisticated attribution techniques.
To test this hypothesis, Trend Micro focused on the Earth Alux espionage toolkit, tasking AI-powered coding assistants with reproducing elements of its published functionality.
The generated Python and C scripts mirrored documented persistence and communication mechanisms but fell short of being fully deployable.
The study revealed that although AI-generated outputs mirrored the technical details found in publicly available reports, the resulting code was only partial and required skilled intervention to be shaped into fully functional malware.
Furthermore, Trend Micro discovered that safety guardrails within many AI systems can be easily bypassed when using open-source, unrestricted models – highlighting the dual-use reality of these large language model coding assistants.
Through this approach, Trend Micro gained valuable, hands-on insight into how AI can transform shared threat intelligence into actionable malware components, underscoring the escalating tension between the need for transparency in reporting and the growing risks of adversarial AI misuse.
Open-source tools and attribution challenges
The research shows that open-source, uncensored models provide opportunities for attackers to refine or mask their activities.
By blending tactics lifted from multiple groups, vibe-coded malware muddies attribution, creating uncertainty about who is truly behind an attack.
Trend Micro warns that defenders relying solely on IoCs and TTPs risk misattribution. Instead, intelligence efforts must advance toward behaviour-based frameworks that can withstand AI-triggered ambiguity in threat signals.
The importance of transparent reporting
Despite these concerns, Trend Micro stresses that open and timely threat reporting continues to be a cornerstone of cyber defence.
Detailed publications empower defenders worldwide – even if they can be misused by adversaries with AI augmentation.
Bob McArdle, Director of Forward Threat Research at Trend Micro, says: “Transparency in security reporting has always been a cornerstone of community defence.
“Our findings show that while criminals can attempt to misuse these reports with AI tools, the benefits of sharing research far outweigh the risks.
“What changes is how we as an industry must think about attribution and the responsibility of testing how our publications might be interpreted by AI models.
“Threat intelligence reports are vital for global cyber defence.
“But with vibe-coding, attackers can more easily blend in with others, deliberately confusing attribution.
“Our advice to defenders is to embrace advanced attribution methods and to look beyond surface-level indicators.”





