Threat actors are weaponizing AI-themed lure documents to deliver a complex multi-stage infection chain culminating in AsyncRAT and a custom .NET RAT called clay_Client. The attack uses hidden LNK files inside compressed archives to initiate a chain of PowerShell scripts that extract, decrypt, and execute payloads from disguised PDF containers using AES-CBC, XOR, and GZip decompression. AutoHotkey scripts perform process hollowing into legitimate .NET Framework executables, while defense evasion includes adding Microsoft Defender exclusions and restoring disabled VBS execution. The final RAT provides full remote control with screen capture, input simulation, fileless assembly loading, and process injection capabilities.