In our hyper-connected world, the hunger for professional growth has become a playground for cybercriminals. As artificial intelligence reshapes the tech landscape, developers and curious professionals are constantly hunting for the latest study guides, coding manuals, and AI-driven workflow tutorials. Threat actors have caught onto this trend, weaponizing our professional curiosity by disguising malicious software as legitimate “AI-ready” resources. According to new research from Fortinet’s FortiGuard Labs, hackers are now circulating deceptive files with names like “AI-Ready PostgreSQL 18” or fake agentic coding guides for tools like Claude Code. These aren’t just random viruses; they are sophisticated traps designed to compromise Windows environments by exploiting the very trust we place in educational content.
The brilliance of this attack lies in its “staged” execution, which keeps it hidden from traditional security software. When a victim opens one of these alluring study guides, they aren’t just opening a document; they are triggering a complex, silent chain of events. A malicious shortcut file kicks off a series of PowerShell scripts, which methodically pull hidden data from disguised files buried within the folder. While the user is shown a harmless decoy document to keep them from getting suspicious, the background process is hard at work, performing a series of decryption steps that would make a spy thriller plot look simple. To evade detection, the attackers use seemingly innocent tools—such as AutoHotkey—to run their malicious logic, effectively hiding in plain sight behind legitimate administrative software.
What makes this particular campaign so unsettling is how it mimics professional infrastructure to maintain persistence. Once the malware takes hold, it creates scheduled system tasks that masquerade as “Realtek audio services.” Because these look like standard driver components, most users—and even many automated security systems—would never think twice about them. The attack culminates in the deployment of AsyncRAT, a notorious remote access trojan that gives hackers a direct window into the victim’s machine. By using “process hollowing,” the attackers inject their malicious payload into a legitimate .NET process, ensuring that the malware’s activities appear to be coming from a trusted, system-authorized source rather than an intruder.
Researchers have noted a fascinating, albeit dark, trend in the construction of these attacks: they appear to be AI-assisted. Analysts identified code comments in Chinese and functions named after characters from Chinese mythology, suggesting that attackers are using generative AI to speed up the development of this malware. While a human mastermind still directs the underlying logic of the attack, AI is being used to churn out the code, making the malware more modular and harder to predict. Industry experts describe this as “compositional opacity”—a technique where an attack is broken into small, seemingly harmless parts that only form a dangerous whole once they are already inside the target network.
The human element remains the most vulnerable part of our digital security, but responding to these threats requires a balance of better technology and smarter habits. Security professionals, such as Diana Kelley of Noma Security, emphasize that we must shift how we view downloads. We can no longer treat a PDF or a tutorial folder as “just a file”; we have to treat them as part of a software supply chain. Relying on random downloads from the internet, no matter how helpful they claim to be, is an increasing liability. Organizations should consider curating vetted internal libraries for AI resources, ensuring that employees have access to the knowledge they need without having to venture into the “wild west” of third-party websites.
Ultimately, defending against this “fileless” style of attack requires a layered approach that isn’t just focused on catching viruses, but on monitoring behavior. Experts suggest blocking unsanctioned scripting engines like AutoHotkey in professional environments, as they have little use for standard office work but high potential for abuse. Teams should also tune their endpoint security to scan memory, not just the files sitting on a hard drive, and keep a watchful eye on scheduled tasks or strange outbound network traffic. By auditing what our computers are doing behind the scenes and training our teams to recognize these specific AI-themed phishing lures, we can move from being passive targets to proactive defenders in an increasingly complex digital age.
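As an added example that is not part of the article or of the FortiGuard research, the following PowerShell script audits the scheduled tasks on a Windows endpoint for the persistence pattern described above: vendor-themed (Realtek/audio) task names whose action actually launches AutoHotkey or another scripting host, or runs from a user-writable directory. The scripting-host list, the expected vendor paths and the argument patterns are assumptions chosen for illustration, not indicators from the report.

```powershell
# Added example, not from the article or the FortiGuard report. Audits scheduled tasks for
# a vendor-themed name paired with an action that launches a scripting engine. Run from an
# elevated PowerShell session on the endpoint being checked (needs the ScheduledTasks module).
# The host list, vendor paths and argument patterns below are assumptions for this check.

# Scripting engines the article recommends treating as unsanctioned for ordinary office work.
$suspiciousHosts = @('autohotkey', 'autohotkey64', 'autohotkeyu64', 'powershell', 'pwsh',
                     'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32', 'cmd')

# Where a genuine Realtek task binary would normally live (assumption for this check).
$expectedVendorPaths = @("$env:ProgramFiles\Realtek", "${env:ProgramFiles(x86)}\Realtek")

function Test-SuspiciousTask {
    param($Task)
    $reasons = @()
    foreach ($action in $Task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions carry no Execute path
        $exe  = [IO.Path]::GetFileNameWithoutExtension($action.Execute).ToLower()
        $full = "$($action.Execute) $($action.Arguments)"
        if ($suspiciousHosts -contains $exe) { $reasons += "launches scripting host '$exe'" }
        if ($full -match '(?i)-enc|hidden|bypass|\.ahk') { $reasons += "suspicious arguments" }
        if ($full -match '(?i)\\(AppData|ProgramData|Temp|Public)\\') { $reasons += "runs from user-writable path" }
        # Realtek/audio-themed name, but the binary is not under the vendor's directory.
        if ($Task.TaskName -match '(?i)realtek|audio' -and
            -not ($expectedVendorPaths | Where-Object { $action.Execute -like "$_*" })) {
            $reasons += "vendor-themed name but executable outside vendor path"
        }
    }
    return $reasons
}

$findings = foreach ($task in Get-ScheduledTask) {
    $reasons = Test-SuspiciousTask -Task $task
    if ($reasons.Count -gt 0) {
        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            RunAs   = $task.Principal.UserId
            Author  = $task.Author
            LastRun = $info.LastRunTime
            Command = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Reasons = ($reasons | Select-Object -Unique) -join '; '
        }
    }
}

$findings | Sort-Object Task | Format-Table -AutoSize -Wrap
```

Review each flagged task against its actual binary and signer before acting on it; legitimate vendor software occasionally uses these hosts, so the output is a hunting lead, not a verdict.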