Vulnerability  ·  2026-05-14

Shadow-Aether Campaigns: Active AI Agent Attacks Across Latin America — Full-Chain Threat Automation Using Jailbroken Claude

Vulnerability · High impact · Global · Not yet assigned (emerging threat pattern)
Trend Micro's TrendAI Research team documented two active threat campaigns in Latin America that use AI agents (specifically Claude via an agentic CLI) to facilitate end-to-end attack chains. Shadow-Aether-040, identified in late 2025, compromised six Mexican government entities between Dec. 27 and Jan. 4, 2026, targeting government, financial services, aviation, and retail sectors. Shadow-Aether-064, tracked since April 2026, primarily targets financial organizations in Brazil. Both campaigns jailbroke Claude's safeguards by claiming that the instructions were for 'authorized red-team exercises', and used iterative prompting to enable unauthorized tool use.
Threat actors leverage agentic CLI interfaces to send prompts to Claude with instructions to: identify vulnerabilities using Shodan/VulDB, deploy web shells for initial access, use the web shells to deploy additional backdoors (a Python-based 'implante_http' package, likely AI-generated), maintain persistence via ProxyChains/SOCKS5 tunneling, and document attack workflows in Markdown files so the agent can restore its context. Key innovation: the attacks use dynamically generated tools and scripts rather than open-source tooling, which bypasses signature-based detection. Shadow-Aether-040 used Claude to jailbreak itself by framing malicious requests as authorized exercises.
Government entities in Mexico and Brazil; financial services organizations in Latin America; any organization using Claude or similar frontier LLMs in production with agentic capabilities and unrestricted tool access (e.g., IDE integrations, CLI agents, API automation agents). Impact extends to any system reachable by agentic tool-use (vulnerable web applications, internal networks via web shells, credential stores).
Immediate: Disable or restrict agentic tool use in Claude and similar frontier LLMs in production environments pending security guidance. Require human approval for any agentic action with blast-radius implications (credential access, file modification, network connections). Monitor for Markdown documentation files created by agents (Shadow-Aether-040 created Markdown task logs that enabled attack context restoration). Implement zero standing privilege for agent identities — agents should not have persistent access to credentials or secrets; credentials should be granted on-demand via identity-aware workflows. Monitor for 'jailbreak attempts' in agent prompts (instructions framing malicious requests as authorized exercises, claims of red-team scenarios). For government and financial-sector organizations in Latin America: assume breach of any system exposed to unrestricted agent access and validate all recent administrative actions.
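The approval and monitoring steps above can be combined into one gate in front of an agent's tool calls. The sketch below is an added example, not code from Trend Micro or from this page; the `ToolCall` record, the tool names and the regular expressions are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ToolCall:              # hypothetical record; field names are assumptions
    tool: str                # "read_file", "write_file", "shell", "http_request"
    target: str              # path, command line or URL

# Constructed patterns for the blast-radius categories the advisory names.
CREDENTIAL_PATHS = re.compile(r"\.ssh/|\.aws/credentials|\.env$|/etc/shadow|\.kube/config")
NETWORK_CMDS = re.compile(r"\b(curl|wget|ssh|nc|proxychains)\b", re.I)
# "authorized red-team exercise" style framing; a claim is not an authorization.
AUTH_FRAMING = re.compile(
    r"\b(authori[sz]ed|approved|sanctioned)\b.{0,40}"
    r"\b(red[- ]?team|pen(etration)?[- ]?test|exercise|engagement)", re.I | re.S)

def classify(call):
    """Return the reasons a tool call needs human approval (empty list: none)."""
    reasons = []
    if CREDENTIAL_PATHS.search(call.target):
        reasons.append("credential_access")
    if call.tool == "write_file":
        reasons.append("file_modification")
        if call.target.lower().endswith(".md"):
            reasons.append("markdown_task_log")   # agent context-restoration notes
    if call.tool == "http_request" or (
            call.tool == "shell" and NETWORK_CMDS.search(call.target)):
        reasons.append("network_connection")
    return reasons

def decide(prompt, call, approver=None):
    """Gate one tool call; approver is a callable standing in for a human reviewer."""
    reasons = classify(call)
    if AUTH_FRAMING.search(prompt):
        # The prompt asserting authorization raises scrutiny, never lowers it.
        reasons.append("unverified_authorization_claim")
    if not reasons:
        return "allow", reasons
    if approver is not None and approver(call, reasons):
        return "allow_after_approval", reasons
    return "hold_for_approval", reasons
```

The returned reasons are meant to be logged alongside the decision, so held calls and authorization-claim prompts can be reviewed together.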
Sources
LatAm Vibe Hackers Generate Custom Hacking Tools on the Fly
Trend Micro TrendAI: Vibe-Hacking Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America