Fake AI study guide AsyncRAT lure campaign targeting Windows users
Campaign
Summary
A malware lure campaign now uses fake AI study guides and developer resources to target Windows users at organizations, increasing the risk of stealthy AsyncRAT infections. The operation relies on staged execution and trusted system tools to avoid detection. Its AI-themed packaging is designed to exploit demand for learning material and trick professionals into opening malicious files.
Related Happenings
AsyncRAT multi-stage delivery via trusted tools
Malware Activity
H score: 22
First: 11.06.2026 17:00
Last: 11.06.2026 17:00
Sources: 1
How related:
The manifest yields two .NET payloads: a modular remote access trojan (RAT) Fortinet tracks as clay_Client, and AsyncRAT, which beacons to its own command-and-control (C2) server.
About this happening:
A **Windows** malware chain is now delivering **AsyncRAT**, increasing the risk of **stealthy remote access** on targeted systems. The lure uses **AI study guides** and **develope...
AI as a C2 proxy abuse of Microsoft Copilot and xAI Grok browsing channels
Technical Analysis
H score: 28
First: 17.02.2026 20:08
Last: 17.02.2026 20:08
Sources: 1
About this happening:
Researchers disclosed **AI as a C2 proxy**, a technique that can turn **Microsoft Copilot** and **xAI Grok** browsing features into stealthy **command-and-control relays**, increa...
APT36 / SideCopy phishing-led campaign targeting Indian defense organizations
Campaign
H score: 48
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources: 1
About this happening:
A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
H score: 39
First: 04.02.2026 19:24
Last: 04.02.2026 19:24
Sources: 1
About this happening:
The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
ClickFix fake CAPTCHA campaign delivering Amatera
Campaign
H score: 39
First: 26.01.2026 23:42
Last: 26.01.2026 23:42
Sources: 1
About this happening:
A **ClickFix** campaign now uses a **fake CAPTCHA** and a signed **Microsoft App-V** script to deliver **Amatera** to **Windows** victims, raising the risk of credential theft and...
Timeline
- 11.06.2026 17:00 · 2 articles · 4h ago
Fake AI study guides deliver AsyncRAT to Windows users
Initial Disclosure: Threat actors disguise booby-trapped archives as AI study guides and developer resources to target Windows users at organizations, using a staged chain of LNK files, hidden documents, scheduled tasks disguised as Realtek audio services, AutoHotkey, and PowerShell to deploy AsyncRAT and a Fortinet-tracked RAT named clay_Client.
Sources:
- Cybercriminals Use Fake AI Guides and Dev Tools to Spread AsyncRAT Malware — www.infosecurity-magazine.com — 11.06.2026 17:00
- Cybercriminals Use Fake AI Guides and Dev Tools to Spread AsyncRAT Malware — www.infosecurity-magazine.com — 11.06.2026 17:00