AsyncRAT multi-stage delivery via trusted tools
Malware Activity
Summary
A Windows malware chain is now delivering AsyncRAT, increasing the risk of stealthy remote access on targeted systems. The lure uses AI study guides and developer resources to target professionals seeking learning material, then pivots through LNK shortcuts, hidden documents, and scheduled tasks disguised as Realtek services. The final payload relies on AutoHotkey and process hollowing before beaconing to its own C2 server.
Related Happenings
Fake AI study guide AsyncRAT lure campaign targeting Windows users
Campaign
H score: 33
First: 11.06.2026 17:00
Last: 11.06.2026 17:00
Sources 1
How related:
Threat actors have been disguising malware as AI study guides and developer resources to trick professionals into running a multi-stage attack that ends in the AsyncRAT trojan.
About this happening:
A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
H score: 16
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
APT36 / SideCopy phishing-led campaign targeting Indian defense organizations
Campaign
H score: 48
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources 1
About this happening:
A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...
NANOREMOTE Windows backdoor with Google Drive API C2
Malware Activity
H score: 16
First: 11.12.2025 15:16
Last: 11.12.2025 15:16
Sources 1
About this happening:
**NANOREMOTE** is a newly disclosed **Windows backdoor** that uses the **Google Drive API** for command-and-control, giving operators a difficult-to-detect channel for **data thef...
PhantomCaptcha WebSocket RAT PowerShell delivery chain
Malware Activity
H score: 16
First: 24.10.2025 15:15
Last: 24.10.2025 15:15
Sources 1
About this happening:
**PhantomCaptcha** delivered a **WebSocket RAT** on **October 8** through a **multi-stage PowerShell** chain that let operators run commands, exfiltrate data, and load more malwar...
Timeline
- 11.06.2026 17:00 · 2 articles
Fake AI study guides deliver AsyncRAT on Windows
Initial Disclosure: Fortinet's FortiGuard Labs described a multi-stage Windows campaign that disguises malware as AI study guides and developer resources to trick professionals into opening booby-trapped files, launching LNK-based script chains, and executing payloads through scheduled tasks masked as Realtek audio services and AutoHotkey. The final stages rebuild clay_Client and AsyncRAT, and AsyncRAT beacons to its own command-and-control server, affecting Windows users at any organization.
- Cybercriminals Use Fake AI Guides and Dev Tools to Spread AsyncRAT Malware — www.infosecurity-magazine.com — 11.06.2026 17:00