AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign
ID: fe367545-eba0-5619-8cb1-906645890686
STIX ID: report--fe367545-eba0-5619-8cb1-906645890686
Feed Name: McAfee Labs Blog
McAfee Labs observed a large-scale malware campaign (Jan 2026) distributing 443 malicious ZIP files that impersonate popular tools. Each archive delivers a WinUpdateHelper.dll that contacts dynamic C2 domains to download PowerShell scripts, which in turn install coinminers, stealers, and backdoors. The operation includes 48 DLL variants across 17 kill chains, uses fileless execution, persists via a fake service, serves victim-unique short-lived URLs, and distributes through Discord, SourceForge, mydofiles and other CDNs. The report provides extensive IoCs (hashes, C2/final payload URLs, wallets) and traces Bitcoin receipts totaling roughly $4.5k at the time of writing.
