A new FortiGuard Labs investigation reveals a malware campaign built entirely around a contradiction. The campaign uses the promise of AI education to deliver an Asynchronous Remote Access Trojan (AsyncRAT)—while also bearing the unmistakable fingerprints of AI assistance in its construction.
The victims, searching for guidance on topics like PostgreSQL 18 or agentic coding, download what looks like a helpful technical resource. However, they actually trigger a malware intrusion chain that can give attackers remote control over compromised Windows systems—without users being aware.
The chain includes shortcut files that read hidden offsets inside disguised PDFs. There are also PowerShell scripts wrapped in PGP-style encryption, AutoHotkey binaries posing as Realtek audio drivers, and reflective process injection into trusted .NET processes. The chain components all converge on a RAT capable of screen capture, remote control, and self-deletion.
Attackers Package Malware as Trusted Content
What makes this campaign worth dwelling on isn't the technical sophistication, but rather what it accidentally reveals about its creators. Buried inside the obfuscated PowerShell are simplified Chinese variable names, an unsanitized Chinese-language comment, and even a stray emoji left in production code. These sloppy artifacts suggest the attackers leaned on generative AI to help write their tooling, then shipped it without fully cleaning up after their AI collaborator.
“This campaign is a reminder that supply chain risk isn’t limited to software updates or vendor code,” commented Diana Kelley, Chief Information Security Officer at Noma Security. “Attackers are now packaging malware as trusted learning content and AI-themed resources—knowing employees are actively seeking these materials.”
Added John Gallagher, Vice President at Viakoo, “What distinguishes this campaign is not just the AI hype lure, but the highly sophisticated, multi-stage delivery architecture designed to completely bypass traditional static file scanning and endpoint defenses. It's an existing attack vector, just performed more quickly and made more stealthy because of AI.”
The story that this campaign tells is less about a single exploit and more about an emerging asymmetry. AI lowers the barrier to simultaneously building convincing lures and complex malware—even as it leaves behind evidence that human-only operations rarely did.
The Bait: Selling Knowledge to People Hungry for AI Skills
Following the tactics used by this malware campaign, the attackers do not target random spray-and-pray victims. Instead, the lure documents target a specific audience: people actively searching for AI and data skills,
Titles like <AI-Ready PostgreSQL> and a fake <Agentic Coding with Claude Code> exploit the professional anxiety about falling behind on AI. On top of that, the archive looks inert. A single visible shortcut file masks two hidden PDFs that aren't documents at all, but payload containers.
The Trapdoor: One Click Sets Off a Chain Reaction
Another key aspect of this campaign is that the .lnk shortcut file doesn't open a document. It simply reads four specific lines out of a 26,000-line PDF and executes them as a command.
That extracted command pulls yet another segment from the same file and pipes it directly into a hidden, policy-bypassing PowerShell session. A PGP block, disguised as cryptographic padding inside the PDF, is then decrypted with a trivial password and dropped as a new script.
Essentially, each stage exists only to unlock the next.
The Disguise: A Fake Audio Driver Around a Real Backdoor
The malware stages itself inside a directory and filenames, mimicking Realtek audio software—a believable, low-suspicion identity on most Windows machines. A decoy PDF is then shown to the victim.
This gives the appearance of a successfully opened document while the real infection runs silently behind it. Persistence is locked in through scheduled tasks disguised as routine driver checks—set to fire at login, startup, and on a recurring daily schedule.
The Tell: Attacker AI Assistants Leave Fingerprints
Deep in PowerShell, every built-in command is renamed with variable names using simplified Chinese characters to represent identifiers in the programming code. This obfuscation technique doubles as a clue to the author's likely origin and tooling.
In addition, an unsanitized Chinese-language comment and a stray emoji survive inside otherwise English malware code. This kind of artifact is one that a human author proofreading their work would have caught.
The overall pattern points to a workflow where generative AI accelerates the implementation. But human review of the AI output is incomplete or entirely absent.
The Reveal: Legitimate Software as a Weapon
Two of the dropped audio executables are unmodified copies of AutoHotkey, abused purely as a script-running engine rather than flagged as malicious. One script branch performs textbook process hollowing, which spawns a legitimate .NET process, unmaps the memory, and writes a reconstructed payload into the gap.
A second branch goes further. It disables Microsoft Defender protections and then restores disabled scripting engines—rebuilding the persistence chain through VBS and scheduled XML tasks. This is an example of defensive evasion layered on top of disguise.
The Payoff: A Remote Access Trojan with a Full Command Menu
The final .NET payload connects to live command-and-control infrastructure. It immediately fingerprints the victim machine, including the OS version, the CPU, and any security software.
From there, the command set spans self-deletion, remote updating, live screen capture, simulated mouse input, and fileless reflective loading of additional malware. A second payload extracted from the same chain is identified as AsyncRAT, confirming the campaign's ultimate objective: full and durable remote control.
What This Campaign Says About the Next Phase of Cybercrime
This campaign demonstrates that AI hype is now a reliable social-engineering hook. It preys on the fear of professionals, who worry they will be left behind when it comes to leveraging AI to do their jobs.
The same accessibility that lets defenders use AI to write detections lets attackers use it to write multi-stage intrusion chains faster than before. “This class of attack via compositional opacity reflects a growing threat class,” wrote Ram Varadarajan, CEO at Acalvio Technologies. “Essentially, it decomposes the attack into multiple, subtle steps, none of which individually raise a flag, but whose cumulative effect causes the damage. We can expect such attacks to become increasingly AI-tuned, hence increasingly subtle—with attacks executed against unwitting humans and AI agents alike. Defending against them will require layered defenses, culminating in AI-aware tripwires.”
Added Kelly, “Security teams should treat downloaded documents, archives, and training assets as part of the supply chain. By inspecting compressed files, using content safety scanning, restricting script execution, and monitoring for unusual endpoint behavior after files are opened, they can give employees a trusted corporate library of vetted AI and technical resources so they don’t have to rely on random downloads.”
Given these comments, consider the defining irony of this AsyncRAT malware campaign: Sophisticated tradecraft undercut by careless AI-generated artifacts. This suggests detection may increasingly hinge on spotting the seams where automation replaced human discipline.