
Adapting to High-Volume Automated Threats and Edge Infrastructure Vulnerabilities

Recent data indicates a shift toward high-volume, automated threat generation alongside the takedown of the Tycoon 2FA credential harvesting platform. We review these changing tactics, critical edge infrastructure vulnerabilities in Cisco systems, and the structural defenses required to protect modern environments.

Triage Security Media Team

The security field is experiencing a shift as state-sponsored groups and organized syndicates increasingly prioritize volume over technical complexity. Researchers recently documented a tactical adjustment by the Pakistan-linked group APT36 (also known as Transparent Tribe), which now uses AI-assisted "vibe-coding" to generate large quantities of unauthorized software. This trend toward automated malware production runs parallel to a major defensive success: the coordinated global takedown of the Tycoon 2FA credential harvesting platform. Together, these events illustrate an environment where defenders must manage continuous, multi-vector access attempts designed to overwhelm standard detection baselines.

The shift to automated generation and credential capture

The development of "vibeware" changes standard software generation methods. APT36 uses natural language prompts to direct AI models to write code in less common programming languages, including Nim, Zig, and Crystal. The resulting software frequently contains fundamental logic errors, such as credential harvesters with placeholder command-and-control addresses or remote access channels with broken time-tracking functions. However, researchers classify the primary goal as "Distributed Denial of Detection." By simultaneously deploying multiple modules written in different languages and routing communication through legitimate cloud services like Slack or Google Sheets, the group forces defensive engines to continuously reset their baselines. Since endpoint security tools are often optimized for C++ or C#, a binary written in an unfamiliar language like Crystal frequently bypasses initial scrutiny simply because it is unrecognized.

While APT36 scales its operations, the security community has disrupted Tycoon 2FA, a platform built for scaled credential capture. Neutralized this cycle by Europol, Microsoft, and global partners, Tycoon 2FA previously accounted for 62 percent of all phishing attempts blocked by Microsoft. Operating as an adversary-in-the-middle (AitM) service, the platform proxied legitimate Microsoft 365 or Google authentication sessions in real time. This methodology captured not only passwords but also the resulting authentication tokens, bypassing traditional multifactor authentication (MFA) methods like SMS codes and push notifications. Processing over 30 million emails monthly and impacting nearly 100,000 entities, the platform's removal substantially degrades global capacity for business email compromise (BEC) and session hijacking.

Evaluating the network edge

The focus on automated access extends to the network edge, where Cisco recently patched 48 vulnerabilities across its firewall ecosystem. Two findings affecting the Secure Firewall Management Center (FMC) received a maximum CVSS severity score of 10.0. The first, CVE-2026-20079, permits authentication bypass and root-level command execution through tailored HTTP requests. The second, CVE-2026-20131, involves insecure Java deserialization leading to full system compromise.

Because the FMC functions as the control plane for an entire firewall fleet, an unauthorized party with root access can push unsafe configurations across a global network or disable security inspection controls. Over the last two years, nation-state actors have increasingly targeted edge devices like firewalls, VPNs, and routers as initial access vectors, as these systems frequently operate outside the visibility of standard endpoint monitoring tools.

Regional targeting and defensive strategies

The effectiveness of high-volume tactics varies by region. Recent data indicates organizations in Latin America face an average of 3,100 security threats per week—more than double the volume recorded in the United States. The methodology also diverges: 95 percent of threats in the US are delivered via web vectors, whereas 74 percent in Latin America arrive via email. This reliance on email delivery explains why platforms like Tycoon 2FA and the automated software from groups like APT36 remain effective in the region. Healthcare is currently the most targeted sector in Latin America, seeing nearly 30 percent more activity than other industries. This reflects a strategic choice by threat actors to focus on high-pressure environments where operational disruption yields the highest financial leverage.

To adapt to these automated methodologies, security teams are moving away from flat architectures and non-cryptographic MFA. The success of AitM platforms like Tycoon 2FA shows the operational necessity of transitioning to phishing-resistant authentication frameworks, including FIDO2-based security keys or passkeys. These methods cryptographically bind the authentication request to the legitimate domain, preventing a proxy service from capturing a usable session. Additionally, the increasing volume of AI-generated software makes network segmentation and the principle of least privilege critical. When malicious actors can generate unique variants daily to bypass signature-based detection, a segmented network architecture provides the most effective defense by limiting lateral movement.
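The origin binding described above, shown as an added example (not code from the article or from any vendor): a simulated WebAuthn assertion where the browser records the origin it actually loaded inside clientDataJSON and the authenticator signs over it, so a relying party sees the proxy's domain rather than its own. The relying party name, the origin values and the HMAC used in place of the authenticator's ECDSA signature are constructed stand-ins.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical relying party; AUTH_KEY is a constructed stand-in for the
# authenticator's private key (HMAC replaces the real ECDSA signature).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
AUTH_KEY = secrets.token_bytes(32)


def sign(key: bytes, message: bytes) -> bytes:
    # Same message layout WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
    return hmac.new(key, message, hashlib.sha256).digest()


def authenticator_assert(challenge: bytes, browser_origin: str) -> dict:
    # The browser, not the page it loaded, records the origin it actually
    # connected to; a proxy domain therefore appears here, not the real one.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    rp_id = browser_origin.split("://", 1)[1]          # simplified RP ID derivation
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # + flags (UP)
    sig = sign(AUTH_KEY, auth_data + hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig}


def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    # Relying-party checks: challenge, origin binding, RP ID hash, signature.
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:      # the check an AitM proxy cannot satisfy
        return False
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    msg = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(sign(AUTH_KEY, msg), assertion["signature"])


def login(browser_origin: str) -> bool:
    # An AitM proxy relays the challenge unchanged but cannot change the origin
    # the victim's browser signs over without invalidating the signature.
    challenge = secrets.token_bytes(32)
    return rp_verify(authenticator_assert(challenge, browser_origin), challenge)
```

Even if a proxy rewrites both the origin field and the RP ID hash to match the real site, the signature no longer covers what the relying party receives, so verification still fails.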

The trend toward high-volume, automated threat generation is expected to accelerate. While the code produced by AI-assisted groups like APT36 currently contains logical flaws, these models are maturing rapidly. The primary challenge involves operators maintaining a constant, high-volume presence across multiple programming languages and platforms. We recommend organizations immediately audit their edge infrastructure, specifically Cisco FMC instances, to ensure management interfaces are not exposed to the public internet. Defending the perimeter requires active monitoring of the management plane and a transition away from legacy authentication methods.

Although the Tycoon 2FA takedown provides temporary relief, the demand for access-as-a-service remains high, and infrastructure frequently reconstitutes under new names. Investigators are still assessing the full extent of the data harvested prior to the takedown, and session cookies stolen before the domain seizures may remain active in some environments. We advise security teams to revoke suspicious active sessions and monitor authentication logs closely as the scene adapts to these large-scale disruptions.
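Two of the checks a team might run over its authentication logs when following the advice above, as an added example that is not part of the article: flag sessions whose token is used from a different network than it was issued to shortly after issuance (the pattern a relayed AitM login leaves), and list sessions issued before a chosen cutoff but still in use afterwards, as candidates for revocation. The log line layout, the usernames, the RFC 5737 test addresses and the AS numbers are constructed; the cutoff date is a placeholder, not a date taken from the takedown.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (hypothetical tenant, RFC 5737 test addresses);
# the field layout is an assumption, not any vendor's log format.
SAMPLE_LOG = """\
2026-03-01T08:00:00Z user=alice session=s1 ip=203.0.113.10 asn=AS64500 event=token_issued
2026-03-01T08:01:30Z user=alice session=s1 ip=198.51.100.7 asn=AS64511 event=token_used
2026-03-01T09:00:00Z user=bob session=s2 ip=203.0.113.22 asn=AS64500 event=token_issued
2026-03-01T09:30:00Z user=bob session=s2 ip=203.0.113.22 asn=AS64500 event=token_used
2026-02-20T10:00:00Z user=carol session=s3 ip=203.0.113.40 asn=AS64500 event=token_issued
2026-03-02T10:00:00Z user=carol session=s3 ip=203.0.113.40 asn=AS64500 event=token_used
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load(log: str) -> list:
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = parse_ts(ts)
        events.append(ev)
    return events


def replayed_sessions(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    # A proxied login obtains the token from the proxy's network; the operator
    # then uses it from elsewhere. Flag tokens used from a different ASN than
    # the one they were issued to within `window` of issuance.
    issued = {e["session"]: e for e in events if e["event"] == "token_issued"}
    hits = []
    for e in events:
        if e["event"] != "token_used" or e["session"] not in issued:
            continue
        src = issued[e["session"]]
        if e["asn"] != src["asn"] and e["ts"] - src["ts"] <= window:
            hits.append((e["user"], e["session"], src["ip"], e["ip"]))
    return hits


def stale_sessions(events: list, cutoff_iso: str) -> list:
    # Sessions issued before the cutoff (placeholder for the date after which
    # earlier-harvested cookies are considered suspect) and still used after it.
    cutoff = parse_ts(cutoff_iso)
    issued = {e["session"]: e for e in events if e["event"] == "token_issued"}
    out = {(e["user"], e["session"]) for e in events
           if e["event"] == "token_used" and e["session"] in issued
           and issued[e["session"]]["ts"] < cutoff <= e["ts"]}
    return sorted(out)
```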