Threat Actors Weaponize AI Hype to Deliver AsyncRAT

FortiGuard Labs observed a multi-stage Windows intrusion that used AI-themed lures, hidden files inside archives, and staged scripts to deploy AutoHotkey loaders, .NET payloads, AsyncRAT, and a modular RAT. The campaign used disguised Realtek and Microsoft Windows artifacts, persistence via scheduled tasks and VBS, and command-and-control infrastructure including 107[.]172[.]10[.]190 and the domains shampobiskworld[.]nl, shampoolagtto[.]com, and shamppocosmaticso[.]com. #AsynRAT #AutoHotkey #RealtekAudioService64 #CheckRealtekAudioVersion #ResetRealtekAudioSettings64 #10717210190

Keypoints

  • The attack began with malicious archives and LNK shortcuts disguised as AI-related technical documents.
  • Hidden files inside the archive were used as multi-stage payload containers, with scripts extracting specific line ranges to reveal the next stage.
  • PowerShell was heavily obfuscated, used hidden execution, and decrypted embedded content into scripts and staged components.
  • The malware established persistence through scheduled tasks and later added VBS-mediated task chains and environmental repairs for script execution.
  • AutoHotkey was abused as an execution engine, while recovered components led to process hollowing and in-memory .NET payload loading.
  • The final payload was a modular RAT capable of remote desktop, screenshot capture, mouse input simulation, self-update, self-delete, and encrypted C2 communication.
  • Indicators and infrastructure included the IP 107[.]172[.]10[.]190, multiple "Shampoo" domains, and malware components associated with AsyncRAT and a clay_Client RAT.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The victim had to open a shortcut inside a disguised archive to start the infection chain (‘Once the victim opens the LNK file, the shortcut executes an obfuscated command sequence’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The LNK used cmd.exe and related native commands to extract and run staged content (‘native Windows components such as cmd.exe, more, type, and findstr’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Multiple stages used PowerShell to decode, decrypt, drop, and execute payloads (‘The PowerShell stage is invoked with “-windowstyle hidden”… and “-ExecutionPolicy Bypass”’).
  • [T1027] Obfuscated Files or Information – Payloads and commands were concealed through hidden attributes, Base64, hex, runtime decoding, and variable reconstruction (‘hidden files’, ‘Base64-encoded strings’, ‘reconstructed at runtime from character arrays’).
  • [T1140] Deobfuscate/Decode Files or Information – The malware decoded Base64, hex, and GZip-compressed data into runnable scripts and executables (‘decodes it from Base64’, ‘converts the result back into bytes’, ‘opens the previously dropped Subtitles file as a GZip-compressed stream’).
  • [T1027.013] Binary Padding / File Masquerading – Files were disguised as PDFs, assets, manifests, and Realtek components to hide malicious content (‘3th.pdf’, ‘RealtekAudioService64.ps1’, ‘RtkLoggingManifest.man’).
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – The archive contained hidden files intended to evade casual inspection (‘two other files named 3th.pdf and 4th.pdf with a Hidden attribute’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence was established with multiple scheduled tasks and triggers (‘registering a scheduled task named CheckRealtekAudioVersion’, ‘registers two scheduled tasks’).
  • [T1112] Modify Registry – The 32-bit script re-enabled Windows Script Host and restored file associations by editing the registry (‘checks whether Windows Script Host has been disabled in the registry, re-enables it if necessary’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Defender exclusions were added to weaken host defenses (‘adding C: to Microsoft Defender’s exclusion paths’).
  • [T1105] Ingress Tool Transfer – Additional payloads were retrieved and written to disk from embedded containers and later stages (‘extracting … data’, ‘drops a newly received payload binary into the %TEMP% directory’).
  • [T1055] Process Injection – The .NET loader performed process hollowing into legitimate .NET processes (‘creates a legitimate .NET process in a suspended state’, ‘allocates memory within the remote process’).
  • [T1047] Windows Management Instrumentation – The final RAT queried system information such as win32_processor and Win32_Processor.deviceid (‘extracts basic information from victims’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – The RAT included remote desktop capabilities (‘RemoteDesktopOpen’, ‘RemoteDesktopSendScreen’).
  • [T1106] Native API – The injection chain relied on Windows APIs such as CreateProcess, GetThreadContext, WriteProcessMemory, VirtualAllocEx, ZwUnmapViewOfSection, SetThreadContext, and ResumeThread (‘The underlying API calls follow a classic injection sequence’).
  • [T1027.005] Protocol Obfuscation – The malware encrypted serialized traffic using RijndaelManaged and custom length headers (‘encrypting them using RijndaelManaged in ECB mode’).

Indicators of Compromise

  • [IP address] C2 infrastructure used by the final RAT – 107[.]172[.]10[.]190
  • [Domains] C2 domains used after deobfuscation – shampobiskworld[.]nl, shampoolagtto[.]com, and 1 other item
  • [File names] Staged files and disguised payload containers – Agentic Coding with Claude Code, 3th.pdf, and 4 other items
  • [File names] Dropped scripts and loaders in the Realtek-themed chain – RealtekAudioService64.ps1, RealtekAudioService64.bat, and 6 other items
  • [File hashes] Fortinet-reported malware component hashes – LNK: 61b7fa5a7186cbf73dbc1f03e6e6f6819f5eb1e630a001059d381114bda2f974, PowerShell: 7d6ee3c6ff8f70b1817aaec82aff1d2babe0b62cafef3975262644743afc0cb8, and 1 other item
  • [Scheduled task names] Persistence artifacts created on victim systems – CheckRealtekAudioVersion, RealtekAudioEnhancements64, and 1 other item
  • [Mutex] Anti-duplicate execution marker used by final RAT – IDG5FUAM3PSONBSInGIGSWSD
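The behaviours in the MITRE list above (hidden PowerShell with an execution-policy bypass, cmd.exe pulling line ranges out of a ".pdf" container, a Defender exclusion on C:, named scheduled tasks, Windows Script Host re-enabled via the registry) and the file and task names in the IoC list can be hunted together in process-creation telemetry. The Python below is an added defender-side example written for this summary; it is not code from the Fortinet write-up. It scans command lines (Sysmon Event ID 1 or 4688 style) against rules that require several tokens to co-occur, and scores a host by how many distinct stages appear. The sample command lines are constructed, the Add-MpPreference cmdlet, the `-ep` short form and the Windows Script Host Settings key path are assumptions from standard Windows rather than quotes from the page.

```python
import re

# Scheduled-task and file names reported in the write-up (the "Realtek" themed chain).
TASK_NAMES = ("CheckRealtekAudioVersion", "RealtekAudioEnhancements64",
              "ResetRealtekAudioSettings64")
STAGED_FILES = ("3th.pdf", "4th.pdf", "RealtekAudioService64.ps1",
                "RealtekAudioService64.bat", "RtkLoggingManifest.man")

# Each rule is (name, patterns); a command line triggers the rule only when
# EVERY pattern matches, which keeps single generic tokens from firing alone.
RULES = [
    # T1059.001: hidden window plus execution-policy bypass on the same line
    ("hidden_powershell_bypass",
     [r"powershell(\.exe)?", r"-w(indowstyle)?\s+hidden",
      r"-(ex(ecutionpolicy)?|ep)\s+bypass"]),
    # T1059.003: cmd.exe reading line ranges out of a ".pdf" payload container
    ("cmd_line_range_extraction",
     [r"\bcmd(\.exe)?\b", r"\b(findstr|more|type)\b", r"\.pdf\b"]),
    # T1562.001: the whole C: volume excluded from Defender scanning
    # (Add-MpPreference is the stock Defender cmdlet; assumed, not quoted on the page)
    ("defender_exclusion_root",
     [r"add-mppreference", r"""-exclusionpath\s+['"]?c:\\?['"]?(\s|$|[;,])"""]),
    # T1053.005: task creation using one of the reported task names
    ("named_scheduled_task",
     [r"\b(schtasks(\.exe)?|register-scheduledtask)\b",
      r"\b(" + "|".join(TASK_NAMES) + r")\b"]),
    # T1112: Windows Script Host re-enabled via its Settings key (key path assumed)
    ("wsh_reenabled",
     [r"\breg(\.exe)?\s+add\b", r"windows script host\\settings", r"/v\s+enabled"]),
    # Any reference to a file name from the IoC list
    ("staged_file_reference",
     [r"\b(" + "|".join(map(re.escape, STAGED_FILES)) + r")\b"]),
]


def match_rules(cmdline: str) -> list[str]:
    """Return the names of every rule whose patterns all match this command line."""
    return [name for name, patterns in RULES
            if all(re.search(p, cmdline, re.IGNORECASE) for p in patterns)]


def scan_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Map each triggering line to its rule names, keyed by line index."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := match_rules(line))]


def chain_score(lines: list[str]) -> int:
    """Number of distinct rules seen across one host's command lines; several
    distinct stages on one host is a far stronger signal than any single hit."""
    return len({rule for _, hits in scan_lines(lines) for rule in hits})


# Constructed sample command lines (not captured from the campaign); the last two
# are benign controls that must not fire.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c findstr /n "" "C:\Users\u\Downloads\3th.pdf"',
    r'powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File "C:\Users\u\AppData\Local\Temp\RealtekAudioService64.ps1"',
    r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\'",
    r'schtasks.exe /create /tn CheckRealtekAudioVersion /sc minute /mo 5 /tr "C:\ProgramData\Realtek\RealtekAudioService64.bat"',
    r'reg.exe add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f',
    r"powershell.exe -NoProfile -Command Get-Process",
    r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"',
]

if __name__ == "__main__":
    for idx, hits in scan_lines(SAMPLE_CMDLINES):
        print(f"line {idx}: {', '.join(hits)}")
    print("distinct stages on host:", chain_score(SAMPLE_CMDLINES))
```

Requiring every pattern in a rule to match is what keeps `type`, `more` or a `schtasks /query` from alerting on their own; the per-host `chain_score` is the value to threshold on, since a single staged-file reference or a lone Defender exclusion has a legitimate explanation far more often than four of these stages on one machine.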


Read more: https://feeds.fortinet.com/~/957950855/0/fortinet/blog/threat-research~Threat-Actors-Weaponize-AI-Hype-to-Deliver-AsyncRAT