American Artificial Intelligence Experts Targeted With SugarGh0st RAT

Researchers uncovered a SugarGh0st RAT campaign aimed at US organizations involved in artificial intelligence across academia private industry and government sectors. The attacker used a free email account to send an AI-themed lure prompting recipients to open a zip file attachment. This attachment contained an LNK shortcut file which deployed a JavaScript dropper. Inside this dropper were a decoy document an ActiveX tool exploited for sideloading and an encrypted binary all encoded in base64. While the decoy document distracted the recipient the JavaScript dropper installed a library enabling Windows APIs to be run directly from JavaScript. This allowed subsequent JavaScript to execute a multi-stage shellcode derived from DllToShellCode which XOR decrypted and decompressed the SugarGh0st payload.