Threat Actors Weaponize AI Hype to Deliver AsyncRAT
A sophisticated malware campaign exploits growing interest in artificial intelligence by distributing malicious files disguised as AI-related learning resources and technical guides. The attack employs an exceptionally complex multi-stage infection chain beginning with compressed archives containing LNK shortcuts and hidden PDF files. Through multiple layers of obfuscation involving PowerShell scripts, batch files, and AutoHotkey loaders, the campaign establishes persistent access and deploys two distinct .NET Remote Access Trojans including AsyncRAT. The intermediate scripts extensively use Simplified Chinese variable names and exhibit coding patterns suggesting AI-assisted development, with cultural references to Chinese mythology used as symbolic aliases for Windows API calls. The attack implements advanced techniques including process hollowing, reflective DLL injection, and scheduled task persistence while actively disabling Windows Defender exclusions to facilitate execution.
Indicators of Compromise
- hash: 61b7fa5a7186cbf73dbc1f03e6e6f6819f5eb1e630a001059d381114bda2f974
- hash: 7d6ee3c6ff8f70b1817aaec82aff1d2babe0b62cafef3975262644743afc0cb8
- hash: 96b486bd7308ef3d6771360800f4c9b48b10697bd4cb69a8589b97b039377ecb
- domain: shampobiskworld.nl
- domain: shampoolagtto.com
- domain: shamppocosmaticso.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.fortinet.com/blog/threat-research/threat-actors-weaponize-ai-hype-to-deliver-asyncrat
- Adversary: null
- Pulse Id: 6a2ae2fc2f480b5e67ea0de5
- Threat Score: null
Threat ID: 6a3052ca0b89be6888826953
Added to database: 6/15/2026, 7:30:18 PM
Last updated: 6/15/2026, 7:30:41 PM