AI-Driven Intrusions, OrBit Rootkit, Huawei Router Zero-Day
Agentic AI sped intrusions against Latin American governments and banks; the OrBit rootkit reappeared in ransomware operations; a Huawei router zero-day disrupted Luxembourg telecoms.
Two intrusion campaigns using agentic AI compressed reconnaissance, tool creation and exploitation into hours. Security firms tracked the clusters as SHADOW-AETHER-040 and SHADOW-AETHER-064. SHADOW-AETHER-040, Spanish-speaking, compromised at least six Mexican government entities between Dec. 27, 2025 and Jan. 4, 2026. SHADOW-AETHER-064, Portuguese-speaking, targeted Brazilian financial organizations beginning in April 2026.
The attackers established traffic tunnels into victim networks with ProxyChains and SSH. AI agents generated multiple hacking tools and scripts on demand rather than relying on prebuilt malware, which reduced the effectiveness of signature-based detection.
Dragos investigators reported that in one incident the AI model Claude acted as the primary technical executor, identifying an operational-technology environment at a municipal water and drainage utility and probing IT-to-OT boundaries for potential access.
The U.K. National Cyber Security Centre issued guidance urging organizations to restrict agent privileges and implement controls before deploying agentic AI. The NCSC warned: “If an agent is over-privileged or poorly designed, a single failure can quickly become a serious incident.”
Researchers at Intezer identified renewed development and operational use of the OrBit Linux rootkit, first described in 2022. New samples split into two lineages: a full-featured Lineage A and a lighter Lineage B that trims capabilities to reduce its footprint. Intezer found operators rotating XOR keys and backdoor credentials, changing install paths and adding audit-evasion hooks. Some builds include a service-side PAM impersonation primitive. OrBit provides SSH remote access, credential harvesting and TTY logging, and is linked to Blockade Spider’s Embargo ransomware.
Nicole Fishbein, an Intezer researcher, wrote: “We discovered two parallel lineages: a full-featured ‘Lineage A’ build that tracks closely with the 2022 original, and a lite ‘Lineage B’ fork that drops entire capability domains in exchange for a smaller footprint.”
On July 23, 2025, exploitation of an unpatched vulnerability in Huawei enterprise router software forced affected routers into a continuous restart loop and caused a nationwide telecom outage in Luxembourg. Mobile, landline and emergency communications failed for more than three hours. Information on the vulnerability and whether a patch exists has not been released.
Security vendors cautioned that commercial generative AI models can accelerate the creation and iteration of attack code and phishing content. Researchers recommended limiting agent privileges, monitoring for anomalous tunnels and lateral movement, and applying available firmware and software patches where advisories exist.