Fake Tools and CDNs Power New “Vibe-Coded” Malware Campaign
“Vibe coding” has evolved from a buzzword to a key battleground, and a new malware campaign shows how attackers are abusing AI-assisted development to scale their operations with minimal effort.
Vibe coding, a term popularized in early 2025 to describe programming by prompting large language models instead of writing code manually, has rapidly spread across developer communities and social media.
In this workflow, users describe their intent in natural language and let LLMs generate complete, runnable code plus explanations.
McAfee Labs has uncovered a vibe-coded malware campaign that hijacks the popularity of AI tools, game mods, drivers, and utilities, then quietly turns victims’ systems into crypto-mining and malware delivery platforms.
McAfee Labs now reports that the same low-friction development model is being adopted by threat actors, who use LLMs to generate or refine key pieces of their kill chain, lowering the skill and time needed to launch new campaigns at scale.
Vibe-Coded Malware
In January 2026, McAfee observed more than 440 malicious ZIP archives masquerading as a wide range of software, from AI image and voice tools to VPNs, drivers, game cheats, modding utilities, and even “decryptors” and stealer malware.
These archives are hosted on popular content delivery and file-sharing platforms such as Discord, SourceForge, FOSSHub, MediaFire, and lesser-known sites like mydofiles[.]com, giving the operation broad reach and a veneer of legitimacy.

Each ZIP typically bundles a clean-looking executable alongside a malicious WinUpdateHelper.dll library, which McAfee has tracked since late 2024 in at least 48 distinct variants.
When victims launch the trojanized executable, it sideloads WinUpdateHelper.dll, which pretends that required “dependencies” are missing and opens a browser to download additional, unrelated software.
This noisy decoy installation diverts attention while the DLL silently reaches out to a command-and-control (C2) server and executes a malicious PowerShell payload in memory, avoiding obvious on-disk indicators.
To maintain persistence, the DLL creates a Windows service named “Microsoft Console Host,” configured to start at boot and to launch a PowerShell command that generates time-based C2 domains using Unix timestamps.
The resulting domain, such as 1765000000[.]xyz or 1770000000[.]xyz, changes roughly every 58 days, complicating static blocking.
Once the user downloads the ZIP archive from Discord or any other website. They get the following set of files.

From there, the script downloads and decrypts miner binaries into paths like C:\ProgramData\fontdrvhost.exe and RuntimeBroker.exe, imitating legitimate system processes.
The second-stage PowerShell scripts disable competing miners and persistence artifacts, add C:\ProgramData to Windows Defender exclusions, and then pull coin-miner payloads from short-lived, victim-specific URLs that expire after about a minute.
McAfee has observed simultaneous CPU-based mining of privacy coins such as Zephyr and GPU-based mining of Ravencoin via mining pools like solo-zeph.2miners.com and solo-rvn.2miners.com, maximizing resource usage on infected machines.
In some variants, final payloads switch from miners to stealers such as SalatStealer or remote access components, expanding the monetization options for the operators.
The PowerShell used in this campaign stands out for verbose, tutorial-style comments that describe each step in plain language, including references such as “downloads cvtres.exe from your GitHub URL” and multi-line explanations of folder creation and process hiding.
McAfee assesses that this structure is consistent with scripts generated or heavily assisted by large language models, aligning with the “vibe coding” approach where attackers prompt an AI for complete scripts and then lightly adapt them.
Dependecycore.zip is a setup file. On execution, it installs unrelated 3rd party software on the victim’s system.

The C2 infrastructure further resists analysis by only serving payloads to requests with a PowerShell user agent and returning 301 or 404 responses to tools like curl or browsers, making it harder for researchers to retrieve samples after the fact.
Financial impact and user risk
Hardcoded cryptocurrency wallet addresses in the miner configuration allowed McAfee to trace Bitcoin flows associated with the operation.
While most of the mining targets privacy-focused assets such as Monero, Zephyr, and Ravencoin whose chains are difficult to analyze McAfee identified at least seven Bitcoin wallets linked to the campaign, holding about 4,500 USD at the time of reporting and having processed roughly 11,500 USD in total inflows.
Again the name ‘fontdrvhost.exe’ imitates a legitimate Windows binary, to masquerade its true intent. After the download, the file is decoded using a simple arithmetic decryption routine.

Because multi-coin pools convert mined altcoins into Bitcoin for payout, the true profits and victim impact are likely much higher than what is visible on-chain.
Telemetry shows that the campaign is most prevalent in the United States, followed by the United Kingdom, India, Brazil, France, Canada, and Australia, reflecting the global popularity of AI utilities and game modifications that the lures impersonate.
McAfee warns that even users deliberately seeking cracks, cheats, or stealer malware are being backstabbed by more capable actors, emphasizing that “there is no honor among thieves.”
McAfee recommends that users download software only from official vendor sites, be skeptical of “too good to be true” tools and cheats promoted via social channels or generic file-hosting links, and keep security solutions updated to detect both DLL sideloading and anomalous PowerShell activity.
Organizations should monitor for unusual miner traffic, time-based .xyz domains, changes to Windows Defender exclusions, and suspicious services masquerading as native Windows components.
McAfee Labs states it will continue tracking these vibe-coded campaigns and updating protections as the operators iterate on their AI-assisted tooling.