Threat Actors Weaponize AI Hype to Deliver AsyncRAT
Threat actors are weaponizing AI-themed lure documents to deliver a complex multi-stage infection chain culminating in AsyncRAT and a custom .NET RAT called clay_Client. The attack uses hidden LNK files inside compressed archives to initiate a chain of PowerShell scripts that extract, decrypt, and execute payloads from disguised PDF containers using AES-CBC, XOR, and GZip decompression. AutoHotkey scripts perform process hollowing into legitimate .NET Framework executables, while defense evasion includes adding Microsoft Defender exclusions and restoring disabled VBS execution. The final RAT provides full remote control with screen capture, input simulation, fileless assembly loading, and process injection capabilities.
- domainshampobiskworld[.]nlclay_Client .NET RAT C2 domain decoded at runtime from encrypted strings
- domainshampoolagtto[.]comclay_Client .NET RAT C2 domain decoded at runtime from encrypted strings
- domainshamppocosmaticso[.]comclay_Client .NET RAT C2 domain decoded at runtime from encrypted strings
- ip107[.]172[.]10[.]190AsyncRAT C2 server hardcoded in .NET payload extracted from RtkLoggingManifest.man
- mutexIDG5FUAM3PSONBSInGIGSWSDMutex created by clay_Client RAT to prevent multiple simultaneous executions on the same host
- sha25661b7fa5a7186cbf73dbc1f03e6e6f6819f5eb1e630a001059d381114bda2f974SHA256 hash of the initial LNK lure file inside the 7z archive
- sha2567d6ee3c6ff8f70b1817aaec82aff1d2babe0b62cafef3975262644743afc0cb8SHA256 hash of the PowerShell script component in the infection chain
- sha25696b486bd7308ef3d6771360800f4c9b48b10697bd4cb69a8589b97b039377ecbSHA256 hash of the EXE component (AutoHotkey-based loader disguised as Realtek audio software)
Detection / Hunteropenrouter
What Happened
Attackers are tricking people into opening fake AI-related documents (like guides about Claude Code or PostgreSQL AI features) that actually contain hidden malware. Once opened, the malware goes through many hidden steps to install itself deeply on the computer, disguising its components as Realtek audio software. The attackers use legitimate Windows tools and a program called AutoHotkey to hide their activities, even turning off antivirus protections. The final malware gives attackers full remote control of the infected computer, allowing them to view the screen, simulate mouse movements, install additional malware, and steal information. The attack code contains Chinese language comments and variable names, suggesting the attackers used AI tools to help write the malware but didn't fully clean up before deploying it. Anyone who handles documents from untrusted sources is at risk. Organizations should educate employees about opening unexpected document archives, monitor for unusual scheduled tasks with audio-related names, and ensure antivirus protections cannot be easily disabled.
Key Takeaways
- Attackers distribute malicious archives disguised as AI-related technical documents (e.g., 'Agentic Coding with Claude Code') containing hidden LNK files that initiate a multi-stage infection chain.
- The attack chain uses novel obfuscation: payloads are embedded as line ranges within disguised PDF containers, encrypted with AES-CBC using PGP key block markers, and decoded through custom XOR routines keyed to 'Realtek2025'.
- AutoHotkey.exe is abused as a benign execution engine, renamed to resemble Realtek audio components, with malicious logic residing entirely in AHK scripts that perform process hollowing into legitimate .NET Framework executables.
- Two final payloads are deployed: a custom .NET RAT ('clay_Client') with screen capture, remote desktop, and fileless assembly loading capabilities, and AsyncRAT communicating with a hardcoded C2 IP.
- Scripts contain Simplified Chinese variable names and unsanitized Chinese comments, strongly suggesting AI-assisted development with inadequate review before deployment.
Affected Systems
- Microsoft Windows (any version with .NET Framework v4.0.30319 installed)
- Systems with PowerShell enabled
- Systems with Windows Task Scheduler enabled
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Victim opens a 7z archive disguised as an AI-related technical document containing a visible LNK file and hidden PDF containers
- Execution: LNK executes obfuscated cmd sequence to extract specific line ranges from 3th.pdf and pipes content to hidden PowerShell with execution policy bypass
- Defense Evasion: Multi-stage decryption extracts payloads from 3th.pdf using AES-CBC with PBKDF2 key derivation, XOR with hardcoded key 'Realtek2025', and GZip decompression of 'Subtitles' archive
- Persistence: Multiple scheduled tasks created (CheckRealtekAudioVersion, RealtekAudioEnhancements64, ResetRealtekAudioSettings64) with VBS-mediated task chain for redundant execution at logon and system startup
- Defense Evasion: Microsoft Defender exclusions added for C:\ and powershell.exe; Windows Script Host re-enabled if disabled; VBS file associations restored
- Execution/Injection: AutoHotkey scripts perform process hollowing into randomly selected legitimate .NET Framework executables using disguised PE payload from RtkLoggingManifest.man
- C2: clay_Client RAT and AsyncRAT establish encrypted C2 communications with hardcoded domains and IP, enabling remote desktop, screen capture, fileless assembly loading, and process injection
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: FortiGuard AntiVirus signatures, FortiGuard Web Filtering Service, FortiGuard IP Reputation and AntiBotnet Security Service
FortiGuard provides AV detection signatures (LNK/Agent.MQOEQT!tr, MSIL/Agent.CDW!tr, POWERSHELL/Agent.CA!tr) and blocks the C2 infrastructure via Web Filtering and IP Reputation services. No YARA, Sigma, Snort, Suricata, KQL, SPL, or EQL rules are provided in the article.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | Process hollowing API call sequences (CreateProcess, GetThreadContext, WriteProcessMemory, VirtualAllocEx, SetThreadContext, ResumeThread) are visible to EDR if API hooking is in place. However, the use of AutoHotkey as a legitimate execution engine, reflective .NET assembly loading via Assembly.Load, and payloads encoded as text within PDF containers significantly reduce disk-based detection. PowerShell Script Block Logging would capture the intermediate scripts if enabled. |
| Network Visibility | Medium | Three C2 domains and one C2 IP are hardcoded and can be alerted on. Communications use custom encrypted serialization with RijndaelManaged ECB and custom length headers, making content inspection difficult. Network connections from legitimate .NET Framework processes (process hollowing targets) may appear benign in proxy logs. |
| Detection Difficulty | Hard | The attack chain employs extensive obfuscation including multi-zone data containers, multiple encryption layers, Chinese-language variable names, byte transformation decryption, and payloads encoded as numeric text. Process hollowing into legitimate .NET Framework executables and reflective .NET assembly loading evade traditional AV scanning. The use of AutoHotkey as a script execution engine further complicates PE-based classification. Defense evasion steps (Defender exclusions, VBS restoration) add additional layers of complexity. |
Required Log Sources
- Sysmon Event ID 1 (Process Creation)
- Sysmon Event ID 3 (Network Connection)
- Sysmon Event ID 8 (CreateRemoteThread)
- Sysmon Event ID 10 (Process Access)
- Sysmon Event ID 11 (File Creation)
- PowerShell Script Block Logging (Event ID 4104)
- Windows Security Event ID 4688 (Process Creation)
- Microsoft Defender Operational Log (for exclusion modifications)
- Windows Task Scheduler Operational Log
- Sysmon Event ID 7 (Image Loaded - for AutoHotkey DLL loads)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for process hollowing activity where legitimate .NET Framework executables (such as AddInProcess32.exe, AppLaunch.exe, or aspnet_compiler.exe) spawn from non-standard parent processes and exhibit suspicious memory allocation patterns consistent with T1055.012. | Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (Process Access), EDR process telemetry with API call tracing | Execution / Defense Evasion | Low - legitimate .NET Framework utilities rarely get hollowed; however, some legitimate software update mechanisms may use similar APIs. |
| If PowerShell Script Block Logging is available, consider searching for PowerShell scripts that reconstruct cmdlet names from character arrays or use non-Latin (Simplified Chinese) variable names, as this indicates deliberate obfuscation consistent with T1027. | PowerShell Event ID 4104 (Script Block Logging), EDR PowerShell telemetry | Execution / Defense Evasion | Low - legitimate PowerShell rarely uses Chinese variable names or character-array cmdlet reconstruction in production environments. |
| Consider monitoring for Add-MpPreference cmdlet usage that adds broad exclusion paths (such as entire drive roots) or excludes core system processes like powershell.exe, as this is a strong indicator of defense evasion per T1562.001. | Microsoft Defender Operational Log, PowerShell Event ID 4104, Windows Security Event ID 4688 | Defense Evasion | Low to Medium - legitimate administrative tools may use Add-MpPreference for specific folder exclusions, but excluding entire drives or powershell.exe is highly suspicious. |
| If scheduled task monitoring is available, consider hunting for tasks with audio-service-themed names (containing terms like 'Realtek', 'Audio', 'Sound') that execute from user-writable paths under %LOCALAPPDATA% rather than from Program Files, as this indicates masquerading per T1053.005. | Windows Task Scheduler Operational Log, Sysmon Event ID 1 for schtasks.exe, EDR scheduled task telemetry | Persistence | Low - legitimate Realtek audio software installs tasks from System32 or Program Files, not from user AppData package directories. |
| Consider hunting for AutoHotkey executables (matching AutoHotkey.exe hashes) that have been renamed to resemble legitimate system components, particularly when found in non-standard directories and when they spawn .NET Framework processes or exhibit process injection API call patterns consistent with T1218. | Sysmon Event ID 7 (Image Loaded), Event ID 1 (Process Creation with hash correlation), EDR file reputation and process lineage | Execution / Defense Evasion | Medium - some organizations legitimately use AutoHotkey for automation; correlation with renamed binaries and injection APIs reduces false positives. |
Control Gaps
- Static file scanning cannot detect payloads encoded as numeric text within disguised container files (PDF, .assets, .Realtek extensions)
- Disk-based AV scanning is bypassed by reflective .NET assembly loading via Assembly.Load and process hollowing into legitimate executables
- Application allow-listing may not flag renamed AutoHotkey executables since the underlying binary is legitimate and signed
- Network content inspection is limited by custom encrypted serialization using RijndaelManaged ECB with MD5-derived keys
- PowerShell execution policies are bypassed via -ExecutionPolicy Bypass flag; if Script Block Logging is not enabled, intermediate scripts execute without logging
- VBS-based persistence chains may not be monitored in environments that do not track wscript.exe child process creation
Key Behavioral Indicators
- Process hollowing API sequence (CreateProcess + GetThreadContext + VirtualAllocEx + WriteProcessMemory + SetThreadContext + ResumeThread) targeting .NET Framework executables from non-standard parent processes
- PowerShell scripts reconstructing cmdlet names from character arrays or using non-Latin (Simplified Chinese) variable names
- Scheduled tasks with audio-service-themed names executing batch or PowerShell files from user AppData package directories
- AutoHotkey executables (matching known AutoHotkey hashes) renamed as Realtek audio components in non-standard paths
- Broad Microsoft Defender exclusion paths covering entire drive roots or core system executables like powershell.exe
- wscript.exe executing batch files from non-standard package directories under %LOCALAPPDATA%
- Legitimate .NET Framework executables (e.g., AddInProcess32.exe, AppLaunch.exe, aspnet_compiler.exe) making outbound network connections from user-context sessions
- File creation in %LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics path by PowerShell or batch processes
False Positive Assessment
Low - The attack chain uses highly distinctive indicators including audio-service-themed scheduled tasks executing from user AppData directories, Defender exclusions for entire drive roots, PowerShell scripts with Simplified Chinese variable names, and process hollowing into .NET Framework executables. While individual indicators like PowerShell execution or scheduled task creation are common, the combination and specific patterns described are unlikely to appear in legitimate administrative activity.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the identified C2 IP (107.172.10.190) and domains (shampobiskworld.nl, shampoolagtto.com, shamppocosmaticso.com) at your firewall, proxy, and DNS filtering layers if your infrastructure supports it.
- If your EDR supports it, consider searching endpoint telemetry for the three SHA256 file hashes and the mutex IDG5FUAM3PSONBSInGIGSWSD across your fleet to identify potential infections.
- Consider hunting for scheduled tasks named CheckRealtekAudioVersion, RealtekAudioEnhancements64, or ResetRealtekAudioSettings64 and verify their legitimacy if found.
- If Microsoft Defender is in use, consider auditing current exclusion paths for broad entries such as entire drive roots or powershell.exe, and review who has permissions to modify exclusion lists.
- Evaluate whether your email gateway or web filter can block or quarantine 7z archives containing LNK files, especially those with AI-themed filenames from untrusted senders.
Infrastructure Hardening
- Consider enabling PowerShell Script Block Logging (Event ID 4104) and PowerShell Transcription across endpoints if not already deployed, as this attack chain heavily relies on multi-stage PowerShell execution.
- Evaluate deploying Sysmon with process creation, network connection, create remote thread, and process access event logging to improve visibility into process hollowing and injection activities.
- If supported by your endpoint platform, consider restricting Add-MpPreference cmdlet execution to specific administrative accounts only, or implement monitoring alerts for its usage.
- Consider implementing application control or allow-listing for AutoHotkey executables, particularly blocking renamed copies executing from user-writable directories.
- If your network security tools support TLS inspection, consider evaluating whether connections to the identified C2 domains and IP can be detected through JA3/JA3S fingerprinting or SNI matching.
User Protection
- Consider educating users about the risks of opening compressed archives from untrusted sources, particularly those containing LNK files disguised as documents.
- If applicable, consider enabling Microsoft Defender SmartScreen and Attack Surface Reduction rules to block obfuscated script execution and process hollowing attempts.
- Evaluate whether your EDR can alert on or block wscript.exe executing from non-standard user directories, as this is used in the VBS-mediated persistence chain.
- Consider restricting the use of AutoHotkey in your environment if it is not a business requirement, or monitor for its execution from non-standard paths.
Security Awareness
- Consider incorporating AI-themed social engineering lures into existing phishing simulation programs, as threat actors are actively exploiting the AI trend with fake technical documents.
- If your organization provides security awareness training, consider adding guidance on verifying the legitimacy of downloaded technical resources before opening, especially those related to AI tools and platforms.
- Consider advising users to report any unexpected scheduled task creation prompts or Defender modification alerts to the security team immediately.
- If applicable to your awareness program, consider highlighting that legitimate software updates rarely require turning off antivirus protections or modifying script execution policies.
MITRE ATT&CK Mapping
Execution
Persistence
Defense Evasion
Discovery
Command and Control
Additional IOCs
- File Paths:
%LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics- Primary staging directory disguised as a Windows audio diagnostics package, used to store extracted payloads and components%LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache- Subdirectory containing AutoHotkey loaders, AHK scripts, batch files, and disguised payload containers%LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache\ConfigureSoundSettings- Subdirectory containing RealtekAudioEnhancements64 components including .assets payload container%APPDATA%\Cache_{GUID}.ps1- Decrypted PowerShell script dropped by the AES-CBC decryption stage from 3th.pdfSubtitles- GZip-compressed archive file extracted from 3th.pdf containing AHK loaders, scripts, and batch files with byte-subtraction decryption layerRtkLoggingManifest.man- Disguised PE payload file where executable bytes are encoded as numeric text lines with format 'System metric code = <number>'ResetRealtekAudioSettings64.Realtek- Disguised payload container file with embedded hex-encoded .NET PE and reflectively loaded assemblyRealtekAudioEnhancements64.assets- Disguised payload container file containing PowerShell script that adds Defender exclusions and launches follow-on payloadsResetRealtekAudioSettings64defualt.bat- Batch file launched via VBS-mediated scheduled task for layered persistence (note misspelling of 'default')
- Command Lines:
- Purpose: LNK file extracts specific line ranges from hidden PDF container and pipes content to PowerShell for execution | Tools:
cmd.exe,type,more,findstr| Stage: Initial Access / Execution |cmd.exe /c type <filename> | findstr "26004: 26005: 26006: 26007:" - Purpose: Execute PowerShell scripts in hidden window with execution policy bypass and no profile loading | Tools:
powershell.exe| Stage: Execution |powershell.exe -windowstyle hidden -nop -ep Bypass - Purpose: Add Microsoft Defender exclusion paths and processes to weaken host defenses before payload execution | Tools:
powershell.exe,Add-MpPreference| Stage: Defense Evasion |Add-MpPreference -ExclusionPath - Purpose: Create scheduled task for persistence disguised as Realtek audio service update checker | Tools:
schtasks.exe,cmd.exe| Stage: Persistence |schtasks /create /tn <taskname> /tr
- Purpose: LNK file extracts specific line ranges from hidden PDF container and pipes content to PowerShell for execution | Tools:
- Other:
CheckRealtekAudioVersion- Scheduled task name created for initial persistence executing RealtekAudioService64.bat at logonRealtekAudioEnhancements64- Scheduled task name targeting RealtekAudioEnhancements64.exe in ConfigureSoundSettings subdirectoryResetRealtekAudioSettings64- Scheduled task name using wscript.exe to run VBS file for additional layered persistenceRealtek2025- Hardcoded XOR decryption key string used to decode Base64-encoded payloads from 3th.pdfRealtekAudioService64.ps1- Dropped PowerShell script using Simplified Chinese variable names for cmdlet obfuscation and GZip decompression of Subtitles payloadRtkDiagService.ahk- AutoHotkey module implementing full process hollowing workflow with Chinese mythology-themed API aliases