Date: 06/12/2026
Severity: Medium
Summary
Threat actors are exploiting growing interest in artificial intelligence by distributing malicious files disguised as AI-related guides and learning materials. The attack uses a complex, multi-stage infection chain with heavily obfuscated scripts and AutoHotkey-based loaders to deploy a .NET RAT and AsyncRAT directly into memory, enabling remote access and command-and-control communications. Evidence suggests the malware development process may have incorporated AI-assisted coding techniques, highlighting how attackers are leveraging AI trends both as lures and potentially as development aids.
Indicators of Compromise (IOC) List
Type | Indicator
Domains/URLs | Shampobiskworld.nl
Domains/URLs | shampoolagtto.com
Domains/URLs | shamppocosmaticso.com
IP Address | 107.172.10.190
SHA-256 Hash | 61b7fa5a7186cbf73dbc1f03e6e6f6819f5eb1e630a001059d381114bda2f974
SHA-256 Hash | 7d6ee3c6ff8f70b1817aaec82aff1d2babe0b62cafef3975262644743afc0cb8
SHA-256 Hash | 96b486bd7308ef3d6771360800f4c9b48b10697bd4cb69a8589b97b039377ecb
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domains/URLs):
domainname like "shampoolagtto.com" or url like "shampoolagtto.com" or siteurl like "shampoolagtto.com" or domainname like "Shampobiskworld.nl" or siteurl like "Shampobiskworld.nl" or url like "Shampobiskworld.nl" or domainname like "shamppocosmaticso.com" or siteurl like "shamppocosmaticso.com" or url like "shamppocosmaticso.com"
Detection Query 2 (IP address):
dstipaddress IN ("107.172.10.190") or srcipaddress IN ("107.172.10.190")
Detection Query 3 (SHA-256 hashes):
sha256hash IN ("61b7fa5a7186cbf73dbc1f03e6e6f6819f5eb1e630a001059d381114bda2f974","7d6ee3c6ff8f70b1817aaec82aff1d2babe0b62cafef3975262644743afc0cb8","96b486bd7308ef3d6771360800f4c9b48b10697bd4cb69a8589b97b039377ecb")
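To show how the three queries above behave on event data, the following is an added Python example (not part of the advisory and not Gurucul's tooling) that applies the same IOC sets with the "like" substring semantics to constructed log events; the field names (domainname, url, siteurl, srcipaddress, dstipaddress, sha256hash) are taken from the queries, and the sample events are constructed.

```python
# Added example, not from the advisory or Gurucul: applies the three detection
# queries above to constructed log events. Field names follow the queries;
# the events below are constructed sample data, not real telemetry.

IOC_DOMAINS = {"shampobiskworld.nl", "shampoolagtto.com", "shamppocosmaticso.com"}
IOC_IPS = {"107.172.10.190"}
IOC_SHA256 = {
    "61b7fa5a7186cbf73dbc1f03e6e6f6819f5eb1e630a001059d381114bda2f974",
    "7d6ee3c6ff8f70b1817aaec82aff1d2babe0b62cafef3975262644743afc0cb8",
    "96b486bd7308ef3d6771360800f4c9b48b10697bd4cb69a8589b97b039377ecb",
}
DOMAIN_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("srcipaddress", "dstipaddress")

def match_event(event: dict) -> list[str]:
    """Return the detection queries (1, 2, 3) an event would trigger.

    Query 1 uses 'like' (substring) semantics, so a full URL containing the
    domain still matches; values are lower-cased first because one IOC is
    listed with a capital letter and logs may carry either case.
    """
    hits = []
    for field in DOMAIN_FIELDS:
        value = str(event.get(field, "")).lower()
        if any(d in value for d in IOC_DOMAINS):
            hits.append("Query 1: domain/URL")
            break
    if any(event.get(f) in IOC_IPS for f in IP_FIELDS):
        hits.append("Query 2: IP address")
    if str(event.get("sha256hash", "")).lower() in IOC_SHA256:
        hits.append("Query 3: SHA-256 hash")
    return hits

SAMPLE_EVENTS = [  # constructed sample events
    {"id": 1, "url": "https://ShampoBiskWorld.nl/ai-guide.pdf", "srcipaddress": "10.0.0.5"},
    {"id": 2, "dstipaddress": "107.172.10.190", "domainname": "example.org"},
    {"id": 3, "sha256hash": "7D6EE3C6FF8F70B1817AAEC82AFF1D2BABE0B62CAFEF3975262644743AFC0CB8"},
    {"id": 4, "domainname": "shampoo.example", "dstipaddress": "8.8.8.8"},
]

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> triggered queries, omitting events with no hits."""
    return {e["id"]: h for e in events if (h := match_event(e))}

if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(hits)}")
```

Case normalisation matters here: a SIEM whose "like" is case-sensitive would miss the mixed-case URL in event 1 and the upper-case hash in event 3 unless the query or the ingestion pipeline lower-cases the fields.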
Reference:
https://www.fortinet.com/blog/threat-research/threat-actors-weaponize-ai-hype-to-deliver-asyncrat