AsyncRAT Delivered Through AI-Themed Threat Campaigns
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors are capitalizing on AI-themed lures to distribute a multi-stage malware infection chain. The attack combines staged scripts, AutoHotkey-based loaders, and process hollowing to deploy both a .NET remote access trojan and AsyncRAT. One notable aspect of the campaign is the apparent use of AI-assisted development, reflected in Simplified Chinese variable names and code comments embedded throughout the malware.
Investigation
FortiGuard Labs examined a complex intrusion sequence that began with a malicious ZIP archive containing an LNK file. Their analysis uncovered several stages of payload extraction from a PDF-based container, followed by AutoHotkey-driven reflective injection and final deployment of a modular .NET RAT alongside AsyncRAT. The researchers also documented distinct obfuscation methods, including Chinese-language semantic abstraction and custom decryption logic designed to conceal the malware’s behavior.
Mitigation
Users should be especially cautious with LNK files, compressed archives, and documents received from untrusted or unexpected sources. Organizations should review startup entries, scheduled tasks, and registry locations for unauthorized changes, and treat new Microsoft Defender exclusions (particularly a whole drive or a script interpreter such as powershell.exe) as a high-priority signal, since this chain adds them with Add-MpPreference. Monitoring for suspicious PowerShell activity and unusual outbound network connections is also essential for identifying the early stages of compromise.
Response
If this activity is detected, responders should perform a forensic review of the %LOCALAPPDATA% and %APPDATA% directories to identify dropped scripts (the Cache_{GUID}.ps1 stage, ResetRealtekAudioSettings64.vbs, and the accompanying .ahk and batch files) and related artifacts. Task Scheduler should be checked for suspicious tasks such as CheckRealtekAudioVersion or ResetRealtekAudioSettings64, and Microsoft Defender exclusions added by the scripts (the C: drive and powershell.exe) should be removed. Affected systems should be isolated immediately to prevent further communication with the identified malicious domains and IP addresses.
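The review steps in the Mitigation and Response sections above, as an added host-triage script written for this page (not code from the original report or from FortiGuard Labs). It covers the scheduled task names, the Defender exclusions and the dropped-file names the write-up gives; the 14-day lookback, the interpreter and path heuristics, the Run-key check and the output layout are this script's own assumptions.

```powershell
# Added triage example for the Mitigation and Response steps above. Not code from the
# original report or from FortiGuard Labs. Task names, Defender exclusions and dropped-file
# names come from the write-up; the lookback window, the interpreter/path heuristics and
# the output layout are this script's own assumptions. Run elevated on the suspected host.

$SuspectTasks = @('CheckRealtekAudioVersion', 'ResetRealtekAudioSettings64')
$LookbackDays = 14   # assumption: how far back to look for dropped files
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Finding = $Kind; Item = $Item; Detail = $Detail })
}

# 1. Scheduled tasks: exact names from the report, plus any task whose action runs a
#    script interpreter out of a user-writable path (heuristic, not from the report).
foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $actions  = @($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
    $byName   = $SuspectTasks -contains $t.TaskName
    $byAction = [bool]($actions | Where-Object {
        $_ -match '(?i)(powershell|pwsh|wscript|cscript|cmd|autohotkey|mshta)' -and
        $_ -match '(?i)\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Public\\' })
    if ($byName -or $byAction) {
        Add-Finding 'ScheduledTask' ($t.TaskPath + $t.TaskName) ("[$($t.State)] " + ($actions -join ' | '))
    }
}

# 2. Microsoft Defender exclusions: the chain adds the C: drive and powershell.exe with
#    Add-MpPreference. A whole-drive path or a shell interpreter is almost never legitimate.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($p -match '^[A-Za-z]:\\?$') { Add-Finding 'DefenderExclusionPath' $p 'whole-drive exclusion' }
    }
    foreach ($p in @($pref.ExclusionProcess | Where-Object { $_ })) {
        if ($p -match '(?i)(powershell|pwsh|cmd|wscript|cscript)') {
            Add-Finding 'DefenderExclusionProcess' $p 'script interpreter excluded'
        }
    }
}

# 3. Dropped scripts under %LOCALAPPDATA% and %APPDATA%: the report names Cache_{GUID}.ps1
#    and ResetRealtekAudioSettings64.vbs; the .ahk and batch stages are expected beside them.
$since = (Get-Date).AddDays(-$LookbackDays)
$roots = @($env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ -and (Test-Path $_) }
Get-ChildItem -Path $roots -Recurse -File -Force -Include *.ps1, *.vbs, *.ahk, *.bat, *.cmd -ErrorAction SilentlyContinue |
    Where-Object {
        $_.LastWriteTime -ge $since -or
        $_.Name -match '^Cache_[0-9a-fA-F-]{36}\.ps1$' -or
        $_.Name -eq 'ResetRealtekAudioSettings64.vbs' } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        Add-Finding 'DroppedScript' $_.FullName ("modified $($_.LastWriteTime.ToString('u')); sha256 $hash")
    }

# 4. Run keys, for the startup-entry review the Mitigation step asks for (heuristic match
#    on profile paths and script extensions; the report does not name a Run-key entry).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object Name)) {
        $val = [string]$props.$name
        if ($val -match '(?i)\\AppData\\(Local|Roaming)\\|\.(ps1|vbs|ahk|bat)\b') { Add-Finding 'RunKey' "$k\$name" $val }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this campaign found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Every finding carries enough detail (task action, exclusion value, file hash) to pivot into the IOC rules listed under Detections; hashes of dropped scripts are what to compare against the HashSha256 IOC set rather than file names, which the loader can change between samples.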
Attack Flow
graph TB
  %% Class Definitions Section
  classDef action fill:#99ccff
  classDef tool fill:#cccccc
  classDef malware fill:#ff9999
  classDef process fill:#ccffcc
  classDef technique fill:#ffff99

  %% Node Definitions
  %% Initial Stage
  action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>User opens a compressed archive containing<br/>a malicious .lnk shortcut disguised as an AI guide."]
  class action_user_exec action
  action_obfuscation["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/>The .lnk file uses cmd.exe to execute an<br/>obfuscated command sequence to extract data<br/>from a hidden PDF file named 3th.pdf."]
  class action_obfuscation technique

  %% Staged Execution
  action_ps_decryption["<b>Action</b> – <b>T1027.013 Obfuscated Files or Information: Encrypted/Encoded File</b><br/>A PowerShell script performs AES-CBC decryption<br/>and Base64 decoding to reveal a payload<br/>saved as Cache_{GUID}.ps1."]
  class action_ps_decryption technique

  %% Persistence and Evasion
  action_persistence["<b>Action</b> – <b>T1053.005 Scheduled Task/Job: Scheduled Task</b><br/>The script creates a scheduled task named<br/>CheckRealtekAudioVersion to ensure survival."]
  class action_persistence technique
  action_exclusion["<b>Action</b> – <b>T1679 Selective Exclusion</b><br/>The malware uses Add-MpPreference to add<br/>the C drive and powershell.exe to the<br/>Microsoft Defender exclusion list."]
  class action_exclusion technique

  %% Proxying and Scripting
  action_cmd_shell["<b>Action</b> – <b>T1059.003 Command and Scripting Interpreter: Windows Command Shell</b><br/>Utilizes Windows Command Shell for execution."]
  class action_cmd_shell technique
  action_syncappv["<b>Action</b> – <b>T1216.002 System Script Proxy Execution: SyncAppvPublishingServer</b><br/>Uses a VBS file ResetRealtekAudioSettings64.vbs<br/>to act as a mediator for launching batch files."]
  class action_syncappv technique

  %% AutoHotkey Stage
  tool_autohotkey["<b>Tool: AutoHotkey.exe</b><br/>Benign binary used to execute malicious<br/>.ahk scripts for complex logic."]
  class tool_autohotkey tool
  action_ahk_interpreter["<b>Action</b> – <b>T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT</b><br/>The .ahk scripts manage process injection<br/>and orchestration."]
  class action_ahk_interpreter technique

  %% Injection and Payload
  action_hollowing["<b>Action</b> – <b>T1055.012 Process Injection: Process Hollowing</b><br/>Reconstructs a PE payload from text data<br/>and injects it into legitimate .NET processes."]
  class action_hollowing technique
  process_dotnet["<b>Process: .NET Process</b><br/>Targeted legitimate process such as<br/>AddInProcess32.exe for injection."]
  class process_dotnet process
  malware_asyncrat["<b>Malware: AsyncRAT</b><br/>A modular .NET Remote Access Trojan<br/>deployed as the final payload."]
  class malware_asyncrat malware
  action_exfiltration["<b>Action</b> – <b>T1048 Exfiltration Over Alternative Protocol</b><br/>Exfiltrates system information and performs<br/>surveillance via C2 domains like shampobiskworld.nl."]
  class action_exfiltration technique

  %% Connections
  %% Initial chain
  action_user_exec -->|leads_to| action_obfuscation
  action_obfuscation -->|triggers| action_ps_decryption
  %% Persistence and Evasion chain
  action_ps_decryption -->|establishes| action_persistence
  action_ps_decryption -->|performs| action_exclusion
  %% Scripting and Proxying chain
  action_ps_decryption -->|leverages| action_cmd_shell
  action_cmd_shell -->|uses| action_syncappv
  %% AutoHotkey chain
  action_syncappv -->|executes| tool_autohotkey
  tool_autohotkey -->|uses| action_ahk_interpreter
  %% Injection chain
  action_ahk_interpreter -->|performs| action_hollowing
  action_hollowing -->|injects_into| process_dotnet
  %% Final Payload chain
  process_dotnet -->|hosts| malware_asyncrat
  malware_asyncrat -->|performs| action_exfiltration
Detections
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Possible AutoHotkey Script Execution Attempt (via cmdline)
- LOLBAS WScript / CScript (via process_creation)
- Suspicious Powershell Strings (via powershell)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Possible Powershell Obfuscation Indicators (via powershell)
- IOCs (HashSha256) to detect: Threat Actors Weaponize AI Hype to Deliver AsyncRAT
- IOCs (SourceIP) to detect: Threat Actors Weaponize AI Hype to Deliver AsyncRAT
- IOCs (DestinationIP) to detect: Threat Actors Weaponize AI Hype to Deliver AsyncRAT
- AsyncRAT Command-and-Control Using RijndaelManaged Encryption [Windows Sysmon]
- Detection of AsyncRAT C2 Domain Communication [Windows Network Connection]
- Suspicious PowerShell Execution with Hidden Windows and Security Bypass [Windows Powershell]
- Detect Process Hollowing via Suspicious Process Creation [Windows Process Creation]
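An added example of the kind of matching logic behind several of the process-creation detections listed above, run over a handful of sample events that mirror the stages of this chain. It is not the vendor's rule content and not code from the report: the regular expressions are this example's own approximations, the event records are constructed rather than captured telemetry, and the .ahk file name, user profile path and GUID are placeholders the write-up does not give.

```powershell
# Added example: approximate matching logic for several process-creation detections
# listed above. Not the vendor's rules and not code from the FortiGuard report. Regexes are
# this example's own approximations; events are constructed (Sysmon event 1 style fields).

$Rules = @(
    @{ Name = 'Hidden PowerShell window + security bypass'
       Test = { param($e)
           $e.Image -match '(?i)\\powershell(_ise)?\.exe$' -and
           $e.CommandLine -match '(?i)(^|\s)-(w|win|windowstyle)\s+hid' -and
           $e.CommandLine -match '(?i)(^|\s)-(ep|exec|executionpolicy)\s+bypass|(^|\s)-nop\b|(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}' } }
    @{ Name = 'AutoHotkey script execution'
       Test = { param($e)
           $e.Image -match '(?i)\\autohotkey[^\\]*\.exe$' -or
           $e.CommandLine -match '(?i)\.ahk(\s|"|$)' } }
    @{ Name = 'LOLBAS WScript/CScript from user-writable path'
       Test = { param($e)
           $e.Image -match '(?i)\\[wc]script\.exe$' -and
           $e.CommandLine -match '(?i)\\(AppData|Temp|Public|Downloads)\\.*\.(vbs|vbe|js|jse|wsf)' } }
    @{ Name = 'RijndaelManaged encryptor instantiated from PowerShell'
       Test = { param($e)
           $e.Image -match '(?i)\\(powershell(_ise)?|pwsh)\.exe$' -and
           $e.CommandLine -match '(?i)RijndaelManaged' -and
           $e.CommandLine -match '(?i)CreateEncryptor' } }
    @{ Name = 'Likely hollowing target spawned by a script interpreter'   # heuristic, assumption
       Test = { param($e)
           $e.Image -match '(?i)\\AddInProcess(32)?\.exe$' -and
           $e.ParentImage -match '(?i)\\(autohotkey[^\\]*|powershell|wscript|cscript|cmd)\.exe$' } }
)

function Test-ProcessEvent {
    param([Parameter(Mandatory)]$Record)
    # Run every rule against one record and report which ones fired.
    $hits = @(foreach ($r in $Rules) { if (& $r.Test $Record) { $r.Name } })
    [pscustomobject]@{
        Image  = Split-Path -Leaf $Record.Image
        Parent = Split-Path -Leaf $Record.ParentImage
        Hits   = $hits.Count
        Rules  = ($hits -join '; ')
    }
}

# Constructed sample events, not real telemetry. Profile path, GUID and .ahk name are placeholders.
$User = 'C:\Users\analyst'
$Events = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell.exe -NoProfile -Command Get-Service' }          # benign control
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = "powershell.exe -w hidden -ep bypass -nop -File $User\AppData\Local\Cache_0c7f7e1a-2b3c-4d5e-8f90-1a2b3c4d5e6f.ps1" }
    [pscustomobject]@{ Image = 'C:\Windows\System32\wscript.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = "wscript.exe //B //E:vbscript $User\AppData\Roaming\ResetRealtekAudioSettings64.vbs" }
    [pscustomobject]@{ Image = "$User\AppData\Local\AutoHotkey\AutoHotkey.exe"
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = "AutoHotkey.exe $User\AppData\Local\stage.ahk" }
    [pscustomobject]@{ Image = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe'
                       ParentImage = "$User\AppData\Local\AutoHotkey\AutoHotkey.exe"
                       CommandLine = 'AddInProcess32.exe' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "$encryptor = [System.Security.Cryptography.RijndaelManaged]::new().CreateEncryptor()"' }
)

$Events | ForEach-Object { Test-ProcessEvent $_ } | Format-Table -AutoSize -Wrap
```

The benign first record produces no hits, the Cache_{GUID}.ps1 launch fires only the hidden-window rule, and the simulation command from the section below fires only the RijndaelManaged rule: each detection keys on a different stage, so a single alert is a pivot point rather than the whole chain, and the process tree (cmd.exe to wscript.exe to AutoHotkey.exe to AddInProcess32.exe) is what ties them together.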
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section gives the exact commands used to exercise the adversary technique (TTP) that the detection rule is built for. The commands and narrative must reflect the TTPs identified above and generate the telemetry the detection logic expects; an abstract or unrelated simulation validates nothing and leads to misdiagnosis.
Attack Narrative & Commands: An adversary who already has initial access is preparing a persistent Command-and-Control (C2) channel using AsyncRAT. To evade network-based signature detection, the attacker uses the RijndaelManaged .NET class to encrypt the traffic, executing a PowerShell one-liner that instantiates the encryptor in order to wrap the C2 heartbeat in an encrypted payload. This command is designed to trigger the string-based rule AsyncRAT Command-and-Control Using RijndaelManaged Encryption [Windows Sysmon].
Regression Test Script:
# Simulation of AsyncRAT-style encryption instantiation in PowerShell (run from a PowerShell session).
# CreateEncryptor is an instance method, so RijndaelManaged must be instantiated first; the spawned
# command line still carries the RijndaelManaged and CreateEncryptor strings the detection keys on.
# The -Command argument is single-quoted so the parent session does not expand $encryptor
# before the child process receives it.
powershell.exe -NoProfile -ExecutionPolicy Bypass -Command '$encryptor = [System.Security.Cryptography.RijndaelManaged]::new().CreateEncryptor(); Write-Output "Encryption engine initialized."'
Cleanup Commands:
# The simulation makes no persistent changes. Clearing the session history only removes the
# command from the local PowerShell history; the process-creation and PowerShell telemetry it
# generated is what the detection consumes and is left in place.
Clear-History
$historyFile = (Get-PSReadLineOption -ErrorAction SilentlyContinue).HistorySavePath
if ($historyFile -and (Test-Path $historyFile)) { Remove-Item $historyFile -ErrorAction SilentlyContinue }