As enterprise integration of generative artificial intelligence (AI) accelerates globally, threat actors are aggressively tailoring social engineering strategies to capitalize on the intense demand for specialized technical documentation. A sophisticated cyber campaign targets technical professionals and digital marketers by distributing malicious archives disguised as cutting-edge AI reference material. Using enticing literature titles like “AI-Ready PostgreSQL 18: Building Intelligent Data Systems,” “A Guide for Thinking Marketers in the Age of AI,” and “Agentic Coding with Claude Code, The everyday developer’s guide to agentic coding with Claude Code.7z,” attackers are successfully compromising targets seeking advanced professional education. Behind these topical lures lies an intricate, multi-stage infection chain that masterfully evades traditional static signatures. By compounding obscure script languages, heavy layer-by-layer obfuscation, and runtime reflection, the threat actors systematically deploy an AutoHotkey-based loader framework designed to inject AsyncRAT and a secondary .NET Remote Access Trojan (RAT) directly into the memory space of trusted system processes.

Initial Ingress and LNK-Driven Multi-Zone Container Deconstruction
The initial compromise relies on a compressed archive masquerading as a guide for developer tooling, specifically matching the string Agentic Coding with Claude Code, The everyday developer's guide to agentic coding with Claude Code.7z. When a user extracts this file, the visible directory structure exposes only a standard Windows shortcut (.lnk) file, while listing hidden files reveals two critical hidden documents named 3th.pdf and 4th.pdf. Execution begins the moment the user opens the .lnk shortcut, which is configured to run a deeply obfuscated command sequence built from native binaries such as cmd.exe, more, type, and findstr. Rather than launching a conventional executable, the shortcut treats the hidden 3th.pdf document as a binary storage container: it reads the file line by line, isolates an exact range of lines (offsets 26004, 26005, 26006, and 26007), and extracts their text contents to launch the next stage as a command, bypassing endpoint monitoring tools that scan for raw script execution on disk.

Automated Cryptographic Staging via Obfuscated PowerShell Execution
The character strings extracted from the specified line block inside 3th.pdf represent a short, volatile staging script designed to advance the multi-stage compromise without exposing clear-text identifiers. This intermediate script immediately reaches back into the hidden 3th.pdf container, performing a seek operation across a completely separate array of line offsets and piping the raw data stream directly into a new instance of the PowerShell runtime. To maximize operational stealth, the attacker invokes the PowerShell engine utilizing specific runtime flags: -windowstyle hidden completely suppresses the interactive console UI, -NoProfile (-nop) circumvents the initialization of localized user configuration scripts, and -ExecutionPolicy Bypass (-ep Bypass) overrides system-level safety configurations restricting script execution. Once running, this memory-resident script scans 3th.pdf for cryptographic boundaries marked by -----BEGIN PGP PRIVATE KEY BLOCK----- and -----END PGP PRIVATE KEY BLOCK-----. It strips out the pseudo-headers, joins the segmented strings, decodes the base-64 representation, and feeds the resulting binary data into a localized decryption routine. This routine leverages the Password-Based Key Derivation Function 2 (PBKDF2) with a hardcoded password string of "1" to derive cryptographic keys, subsequently decrypting the next payload stage via the Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC), dropping it as Cache_{GUID}.ps1 into the target system’s %APPDATA% path for immediate execution.
Local Payload Extraction and Persistence Mechanisms within Windows Subsystems
Upon activation, the dropped Cache_{GUID}.ps1 script expands its operation against the 3th.pdf multi-zone container to unpack the primary operational runtime components. The script programmatically instantiates a hidden workspace located inside the user profile at %LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics, a target path carefully selected to mimic legitimate Windows audio diagnostic packages and evade casual inspection by system administrators. It then parses 3th.pdf for blocks bound between the markers === SoundEffects X ===, loops through the isolated text data to strip out all non-hexadecimal characters, translates the clean hex strings back into raw bytes, and writes the stream to disk under the innocuous filename Subtitles. Following the generation of the Subtitles blob, the script performs two independent extraction routines on fields labeled Name and KasKos inside the document structure. These structures are base-64 decoded and processed through a customized bitwise XOR decryption algorithm bound to the hardcoded symmetric key string Realtek2025, resulting in the deployment of two highly critical management files: RealtekAudioService64.ps1 and RealtekAudioService64.bat. To guarantee long-term operational resilience, the script interacts with the Task Scheduler engine to register an administrative persistent task named CheckRealtekAudioVersion, utilizing dual triggers bound to user logon and system startup to run the malicious batch file silently. Immediately after cementing persistence, the script pulls the clean 4th.pdf document out of the archive and opens it in the user’s default viewer, presenting an authentic educational guide to serve as a high-fidelity psychological distraction while the malicious infrastructure operates unhindered in the background.
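As an added triage example (not code from the write-up or from the campaign), this Python script enumerates the zones described in the two sections above inside a suspected container file: the fake PGP armour holding the base64 stage-2 blob, the === SoundEffects X === hex zones that become Subtitles, and the Name/KasKos fields decoded with the Realtek2025 XOR key. The "Name:"/"KasKos:" line layout, the rule that a SoundEffects zone runs to the next marker or end of file, and the sample document are assumptions constructed here.

```python
import base64
import re

KEY = b"Realtek2025"  # symmetric XOR key named in the write-up

# Markers come from the write-up; the "Name:"/"KasKos:" layout and the rule that a
# SoundEffects zone runs to the next marker or end of file are assumptions.
PGP_RE = re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----\n(.*?)\n-----END PGP PRIVATE KEY BLOCK-----", re.S)
SFX_RE = re.compile(r"=== SoundEffects \d+ ===\n")
FIELD_RE = re.compile(r"^(Name|KasKos):\s*(\S+)\s*$", re.M)

# Constructed stand-in for 3th.pdf; the encoded fields decode to harmless cmdlet names.
SAMPLE = """%PDF-1.4  (constructed sample, not a real PDF)
Name: AREAHgBIOF5VV0U=
KasKos: Nx0IGA==
-----BEGIN PGP PRIVATE KEY BLOCK-----
aGVs
bG8=
-----END PGP PRIVATE KEY BLOCK-----
=== SoundEffects 1 ===
1F 8B 08 00 zz 00 00
=== SoundEffects 2 ===
00 00 00 03
"""

def xor_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR, the 'customized bitwise XOR' step applied to Name/KasKos."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def triage_container(text: str) -> dict:
    """Enumerate the hidden zones a suspected multi-zone document carries."""
    report = {}
    m = PGP_RE.search(text)
    if m:  # base64 between fake PGP armour: the AES-CBC stage-2 blob, not a key
        blob = base64.b64decode("".join(m.group(1).split()))
        report["pgp_blob_len"] = len(blob)
    zones = SFX_RE.split(text)[1:]
    if zones:  # strip non-hex noise, then decode to the 'Subtitles' byte stream
        hexdata = re.sub(r"[^0-9A-Fa-f]", "", "".join(zones))
        payload = bytes.fromhex(hexdata[: len(hexdata) // 2 * 2])
        report["subtitles_len"] = len(payload)
        report["subtitles_is_gzip"] = payload.startswith(b"\x1f\x8b")  # GZip magic
    for name, value in FIELD_RE.findall(text):  # base64 -> XOR Realtek2025 -> script text
        report[name] = xor_key(base64.b64decode(value)).decode("latin-1")
    return report

if __name__ == "__main__":
    for k, v in triage_container(SAMPLE).items():
        print(f"{k}: {v}")
```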
Evasion Dynamics: Localized Chinese Variable Obfuscation and Script Architecture
An engineering review of the dropped execution infrastructure reveals strong indicators regarding the development lifecycle of the attack tools, specifically pointing to an un-sanitized generative AI development pipeline. For instance, the dropped RealtekAudioService64.bat acts as an initial stealth wrapper: it checks its input arguments and, if launched interactively, immediately spawns a new instance of itself via PowerShell with -WindowStyle Hidden before terminating the parent console process. It assembles the executable name powershell.exe at runtime by concatenating disjoint string fragments to break static string signatures, creates an ephemeral diagnostic log named with a versioned pattern such as ver0x0000000000000003_, runs the companion script RealtekAudioService64.ps1, and then deletes the log file to strip forensic evidence from disk. The subsequent RealtekAudioService64.ps1 script exhibits highly sophisticated evasion techniques designed to complicate static parsing and automated behavioral analysis. All core Windows PowerShell cmdlets—including Test-Path, Join-Path, New-Item, and Out-Null—are abstracted away and constructed dynamically at runtime from character index arrays. Crucially, these constructed cmdlet names are stored and referenced through Simplified Chinese variable identifiers: $测试路径 (test path), $连接路径 (join path), $新建项目 (new item), and $输出空值 (output null). The Chinese identifiers, together with an inline script comment # 静默任务创建脚本 - 无输出版本 (silent task creation script, no-output version) positioned right next to an emoji-laden development string # 🔥 REMOVE EVERYTHING NOT HEX, indicate that the threat actors used generative AI models to synthesize their code, inadvertently carrying foreign-language comments and prompting quirks into production.
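The obfuscation tricks above (Chinese variable names, cmdlets built from character index arrays, quoted fragments joined at runtime, powershell.exe assembled from batch variables, hidden-window and bypass flags) are cheap to undo during triage. The Python below is an added example, not the campaign's or the page's code, and runs over two constructed sample scripts written in the style the write-up describes; the sample contents are assumptions.

```python
import re

# Constructed samples in the style the write-up describes; not the real dropped scripts.
SAMPLE_PS1 = r"""# 静默任务创建脚本 - 无输出版本
$测试路径 = -join [char[]](84,101,115,116,45,80,97,116,104)
$连接路径 = -join [char[]](74,111,105,110,45,80,97,116,104)
& $测试路径 (& $连接路径 $env:LOCALAPPDATA 'Packages') | & ('Out'+'-Null')
"""
SAMPLE_BAT = r"""@echo off
set a=pow&set b=ersh&set c=ell.exe
start "" %a%%b%%c% -WindowStyle Hidden -nop -ep Bypass -File RealtekAudioService64.ps1
"""

NONASCII_VAR_RE = re.compile(r"\$[^\x00-\x7F\s]+")          # $变量 style identifiers
CHAR_ARRAY_RE = re.compile(r"\[char\[\]\]\(([\d,\s]+)\)")   # [char[]](84,101,...)
FRAGMENTS_RE = re.compile(r"\((?:\s*'[^']*'\s*\+)+\s*'[^']*'\s*\)")  # ('Out'+'-Null')
FLAG_RE = re.compile(r"-(?:WindowStyle\s+Hidden|NoProfile\b|nop\b|ExecutionPolicy\s+Bypass|ep\s+Bypass)", re.I)
SET_RE = re.compile(r"\bset\s+(\w+)=([^&\r\n]*)", re.I)     # batch 'set x=frag', '&'-chained

def analyze_script(text: str) -> dict:
    """Surface the loader's obfuscation tricks and resolve the ones that are purely textual."""
    env = dict(SET_RE.findall(text))
    expanded = [  # rebuild %a%%b%%c% style commands from the collected set assignments
        re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), line).strip()
        for line in text.splitlines() if re.search(r"%\w+%", line)
    ]
    return {
        "non_ascii_vars": sorted(set(NONASCII_VAR_RE.findall(text))),
        "char_array_cmdlets": ["".join(chr(int(n)) for n in arr.split(",")) for arr in CHAR_ARRAY_RE.findall(text)],
        "joined_fragments": ["".join(re.findall(r"'([^']*)'", f)) for f in FRAGMENTS_RE.findall(text)],
        "stealth_flags": FLAG_RE.findall(text),
        "expanded_commands": expanded,
    }

if __name__ == "__main__":
    for name, sample in (("ps1", SAMPLE_PS1), ("bat", SAMPLE_BAT)):
        print(name, analyze_script(sample))
```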
The AutoHotkey Execution Engine and Sophisticated Process Hollowing Implementation
The execution of RealtekAudioService64.ps1 acts as a data pipeline that decodes the previously stored Subtitles payload, reading it as a GZip-compressed stream and deserializing it using a structured record format. Each internal entry contains localized relative directory paths, item type descriptors, file lengths, and raw byte values. As each file is unpacked from the compressed stream, the script applies an arithmetic byte-level transformation consisting of subtracting 3 modulo 256 to reverse a lightweight obfuscation layer, dropping a complete directory structure under the spoofed audio diagnostic path. Among the extracted components are two binaries named to look like Realtek utilities (RealtekAudioEnhancements64.exe and RtkNGUI64.exe), but cryptographic hash validation confirms they are identical copies of the benign, signed AutoHotkey.exe interpreter. By leveraging a trusted, signed interpreter to run malicious custom scripts, the threat actors drastically reduce their disk-based risk footprint. The execution flow bifurcates here, with the dominant branch orchestrated by RtkNGUI64.ahk, which sets up redundant persistent entries and imports four separate code modules to initialize payload execution. This script selects a legitimate .NET Framework binary at random from C:\Windows\Microsoft.NET\Framework\v4.0.30319\, focusing on trusted components like AddInProcess32.exe, AppLaunch.exe, or aspnet_compiler.exe. It then loops through an accompanying file named RtkLoggingManifest.man line by line, scanning for the text pattern System metric code = <number> and parsing out the trailing integers. These numeric strings are converted back into raw bytes, revealing that the innocent manifest configuration file is actually an obfuscated, text-encoded Portable Executable (PE) file. These bytes are passed along with the chosen .NET target path to an Execute() function defined in RtkDiagService.ahk, which executes a textbook process hollowing sequence. 
It launches the legitimate .NET binary in a suspended state, unmaps its internal memory using ZwUnmapViewOfSection, allocates fresh memory space using VirtualAllocEx, maps the unpacked malicious PE headers and sections using WriteProcessMemory, modifies the execution state via GetThreadContext and SetThreadContext, and invokes ResumeThread to run the code contextually inside a trusted Windows process space.
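Added example, not the campaign's or the page's code: decoding an RtkLoggingManifest.man-style file back into bytes and checking whether the result carries a valid DOS/PE header, which is how an analyst would confirm that the manifest is a text-encoded executable rather than configuration. It assumes each System metric code = <number> line encodes one byte value 0-255; the manifest text is constructed inline from a minimal header.

```python
import re
import struct

METRIC_RE = re.compile(r"System metric code = (\d+)")  # text pattern named in the write-up
MACHINES = {0x14C: "x86", 0x8664: "x64"}

def build_sample_manifest() -> str:
    """Constructed stand-in for RtkLoggingManifest.man: a minimal DOS header whose
    e_lfanew points at a PE signature, each byte wrapped in the manifest's text pattern."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> right after the DOS header
    coff = b"PE\0\0" + (0x14C).to_bytes(2, "little") + bytes(18)  # x86, rest of COFF zeroed
    lines = ['<?xml version="1.0" encoding="UTF-8"?>', "<!-- constructed sample, not the real file -->"]
    lines += [f"System metric code = {b}" for b in bytes(dos) + coff]
    return "\n".join(lines)

def decode_manifest(text: str) -> bytes:
    """Recover the byte stream: one 'System metric code = N' line per byte (assumption)."""
    return bytes(int(n) for n in METRIC_RE.findall(text))

def inspect_pe(blob: bytes) -> dict:
    """Validate the MZ magic, follow e_lfanew to the PE signature, read the machine type."""
    info = {"size": len(blob), "is_pe": False}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    info.update(is_pe=True, e_lfanew=e_lfanew, machine=MACHINES.get(machine, hex(machine)))
    return info

if __name__ == "__main__":
    print(inspect_pe(decode_manifest(build_sample_manifest())))
```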
Final Payload Capabilities: Deep Analysis of the AsyncRAT Command Structure
The code execution hollowed into the target .NET process launches AsyncRAT, a notorious and powerful remote access trojan engineered for robust command-and-control (C2) operations, alongside a secondary .NET remote access utility. Once established within memory, the AsyncRAT client establishes a secure socket link back to the attacker’s infrastructure and listens for specific operational directive groups. These directives are split into distinct control tiers:
- System Control Commands: This tier monitors and maintains implant persistence on the compromised asset. The ClientShutdown command implements a hard kill switch, calling SocketShutdown.Both to cleanly tear down the network socket before invoking Environment.Exit(0) to kill the process instantly. The ClientDelete directive kicks off a comprehensive uninstallation routine that purges all traces of the malware from disk and deletes the task keys from the system registry to break forensic timelines. For payload updates, ClientUpdate drops a newly received binary directly into %TEMP%, launches it silently, and runs self-deletion on the legacy version, while the Ping directive serves as a standard heartbeat to signal to the C2 panel that the node is active.
- Surveillance and Remote Monitoring Commands: These capabilities provide the operators with complete, interactive control over the victim’s local desktop environment. The RemoteDesktopOpen command checks the host’s screen topology using Screen.AllScreens.Length and exports the layout dimensions back to the handler. Following activation, RemoteDesktopSend leverages Graphics.CopyFromScreen to continuously take screenshots, passing them through an encoder to compress the frames into JPEG format based on specified quality parameters to optimize bandwidth utilization before shipping raw bytes to the C2 server, while the mousemove directive parses arbitrary coordinates to simulate user hardware input.
- Advanced Execution and Evasion: This tier presents the highest risk to compromised infrastructures. It takes advantage of the modular design of the .NET framework to dynamically execute secondary scripts and payload assemblies entirely in-memory, completely bypassing legacy Endpoint Detection and Response (EDR) platforms that restrict their inspection capabilities to disk-based file access events.
Our Opinion: The Paradigm of AI-Augmented Threat Engineering
This campaign marks a critical milestone in the evolution of modern cyber threats, highlighting the dual-use reality of generative artificial intelligence in weaponizing social engineering and engineering evasive code. By positioning their malware within high-fidelity technical resources like Claude Code manuals and PostgreSQL guides, the attackers exploit the global rush for AI literacy. What makes this case particularly striking is the operational friction visible in the malware’s code architecture itself: the presence of Simplified Chinese annotations sitting directly beside automated development artifacts and emojis shows a developer leaning heavily on an LLM to accelerate their pipeline, yet failing to sanitize their output. From a defense standpoint, this operation exposes the limits of file-centric security architectures. The threat actors avoided custom compiled binaries on disk, opting instead to abuse a signed interpreter like AutoHotkey and utilize multi-zone files to reconstruct payloads in memory before executing a classic process hollowing technique on native .NET binaries. This shifts the defensive priority completely away from traditional file hashing and static signatures toward real-time behavioral tracing and memory inspection. Organizations must realize that as AI tools lower the barrier to entry for building multi-stage evasion paths, defense strategies must evolve to focus on deep endpoint behavioral telemetry to catch these fileless execution chains.
