THREAT actors in Latin America are using AI agents to automate entire attack chains, from initial access to generating customised hacking tools on the fly, according to TrendAI researchers cited by Dark Reading. The report highlights two campaigns, Shadow-Aether-040 and Shadow-Aether-064, identified by TrendAI as Spanish-speaking and Brazilian Portuguese-speaking operations respectively, targeting government and financial sector entities in Mexico and Brazil.
Shadow-Aether-040, first identified in late 2025, compromised six government entities in Mexico between 27 December and 4 January, with AI agents supporting the full chain of compromise and data theft in some cases. Shadow-Aether-064 began in April and also relied heavily on AI tooling, principally targeting financial organisations in Brazil to steal financial data.
Both campaigns employed ProxyChains, SOCKS5 tunnelling and SSH for initial access, and used tooling such as Chisel, CrackMapExec, Impacket and Neo-reGeorg, while creating custom, dynamically generated hacking tools and scripts to aid scanning, password spraying and exploitation. The researchers noted that these dynamically generated commands and code differ with each execution, making them harder to detect than traditional, signature-based tools.
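The detection point in the last paragraph, as an added example that is not from TrendAI or Dark Reading: a hash signature matches only bytes seen before, while a rule keyed to password-spraying behaviour in authentication failures does not depend on which generated tool produced it. The sample bytes, log lines, addresses, thresholds and function names are constructed assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for two generated variants of one script:
# different bytes on each run, same purpose.
VARIANT_A = b"# run 1\nfor u in users: check(u)\n"
VARIANT_B = b"# run 2\nfor account in targets:\n    check(account)\n"
KNOWN_BAD = {hashlib.sha256(VARIANT_A).hexdigest()}  # signature from a past sample

# Constructed SSH authentication failures: (timestamp, source IP, username).
USERS = ["admin", "jperez", "mlopez", "soporte", "rgarcia", "backup"]
EVENTS = [(f"2024-05-01T10:0{i}:00", "203.0.113.7", u) for i, u in enumerate(USERS)]
EVENTS += [(f"2024-05-01T11:00:{i:02d}", "198.51.100.20", "alice") for i in range(8)]
EVENTS += [("2024-05-01T12:00:00", "192.0.2.15", "bob"),
           ("2024-05-01T12:03:00", "192.0.2.15", "carol")]

def signature_match(sample, known_hashes):
    """Hash-based detection: true only for byte-identical samples."""
    return hashlib.sha256(sample).hexdigest() in known_hashes

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts, few tries each, inside one window."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            counts = defaultdict(int)
            for _, user in rows[start:end + 1]:
                counts[user] += 1
            # Many accounts with few attempts each is a spray; one account
            # hammered repeatedly is brute force or a forgotten password.
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged

if __name__ == "__main__":
    print(signature_match(VARIANT_A, KNOWN_BAD), signature_match(VARIANT_B, KNOWN_BAD))
    print(detect_spray(EVENTS))
```

The thresholds are illustrative and would be tuned against an environment's normal failure rate before use.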