AsyncRAT
AsyncRAT is a .NET remote access trojan (RAT) and commodity malware family that can monitor and remotely control infected Windows systems. It was introduced on GitHub as open-source remote administration software and is widely abused by threat actors for malicious purposes. Capabilities reported in the sources aggregated here include remote control, screen recording, checking whether the current user has administrator privileges, and hiding scheduled task execution via ProcessWindowStyle.Hidden. In broader reporting cited here, AsyncRAT is also described as a follow-on payload or backdoor used to give attackers full control over compromised systems.
Delivery and infection chains observed in the cited reporting show AsyncRAT being distributed through multiple common initial access mechanisms. One chain used phishing emails with malicious Microsoft OneNote .one attachments that tricked users into launching embedded HTA, VBS, or WSF files via wscript.exe or mshta.exe; subsequent cmd.exe and PowerShell activity downloaded a malicious batch file and decoy notebook, and the final payload was AsyncRAT or similar info-stealing malware. Another analyzed malspam-driven chain used a ZIP archive named in the pattern E-STATMENT<digits>.exe.zip containing a Nullsoft installer and a PyInstaller-packed secondary payload; dynamic analysis linked its command-and-control traffic to AsyncRAT at 144.126.151.185:2005, with persistence via a Startup .lnk and HKCU\Software\fontdrvhost. Additional cited reporting describes AI-themed lure archives delivering AsyncRAT through a complex multi-stage chain involving a malicious LNK, hidden PDFs, layered PowerShell, AutoHotkey-based loaders, scheduled tasks, process hollowing into legitimate .NET executables, and Microsoft Defender exclusions; one AsyncRAT branch in that campaign communicated with 107.172.10.190.
AsyncRAT also appears repeatedly as a secondary payload delivered by other malware ecosystems and loaders. The cited reporting explicitly links it to StealC affiliate activity, Amadey botnet clusters, and SocGholish/FakeUpdates infections. Proofpoint and IBM X-Force observed StealC-linked activity delivering AsyncRAT alongside Amadey, RedLine Stealer, Vidar, XTinyLoader, XMRig, SectopRAT, HijackLoader, SmokeLoader, zgRAT, and in some cases LockBit Black ransomware. ESET reporting cited here notes AsyncRAT among payloads distributed in the Amadey ecosystem. Orange Cyberdefense reporting cited here states that SocGholish infections delivered loaders such as GhoLoader and MintsLoader that led to GhostWeaver, LockBit, RansomHub, AsyncRAT, and NetSupport RAT. MITRE ATT&CK content included here also notes AsyncRAT among malware obtained by threat actors during Operation Spalax.
Targeting described in the cited reporting is broad and largely opportunistic, consistent with commodity RAT usage. The sources reference phishing, fake updates, gaming-themed lures, AI-themed lure documents, and malware delivery through compromised websites. Geographic reporting cited here notes that in 2025 AsyncRAT was among the top malware families in Mexico by unique victims. No single threat actor is uniquely associated with AsyncRAT in the cited reporting; instead it is used across multiple criminal delivery ecosystems.
High-confidence indicators and artifacts directly mentioned in the cited reporting include the C2 IP 144.126.151.185:2005 from one analyzed infection chain; the IP 107.172.10.190 from an AI-lure campaign branch delivering AsyncRAT; and a public sandboxed sample masquerading as a gaming-related file named "Escape From Tarkovnls..scr" with SHA1 3065DA0D35988807C34C98164D35385F846AB1DF and SHA256 84C8AD42D82A82951A1968C738FC813A83FC5CD6F1C2F446F2960CF21A373E14. The sources also reference inbound and outbound traffic to infrastructure associated with AsyncRAT and repeated use of Windows-native scripting and LOLBins during delivery.
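As an added hunt illustration (not code from this page or from any of the vendors cited on it), the following Python turns the artifacts summarised above into detection logic: the C2 endpoints, the sandbox sample hash, the HKCU\Software\fontdrvhost key, the AppData fontdrvhost.exe drop path, the Startup .lnk persistence and the double-extension .scr filename. The telemetry shape, hostnames and sample events are constructed assumptions, not a real log schema.

```python
import re

# Indicators quoted on this page (not an exhaustive AsyncRAT IOC set).
C2_IOCS = {"144.126.151.185:2005", "107.172.10.190"}  # second one has no port in the reporting
KNOWN_SHA256 = {"84c8ad42d82a82951a1968c738fc813a83fc5cd6f1c2f446f2960cf21a373e14"}
PERSIST_KEY = r"hkcu\software\fontdrvhost"
DROP_PATH = re.compile(r"\\appdata\\local\\microsoft\\fontdrvhost\.exe$", re.I)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
DOUBLE_EXT = re.compile(r"^[^\\]*\.[^\\]*\.(scr|exe)$", re.I)  # "x.pdf.scr", "x..scr"

def c2_match(dst):
    """Match 'ip:port' exactly, or by IP alone where the page gives no port."""
    return dst in C2_IOCS or dst.split(":")[0] in C2_IOCS

def tag_event(ev):
    """Return the set of hunt tags one event triggers.
    ev is a constructed dict with optional keys image, dst, key, path, sha256."""
    tags = set()
    if "dst" in ev and c2_match(ev["dst"]):
        tags.add("c2_contact")
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        tags.add("known_sample_hash")
    if ev.get("key", "").lower() == PERSIST_KEY:
        tags.add("persistence_registry")
    if STARTUP_LNK.search(ev.get("path", "")):
        tags.add("persistence_startup_lnk")
    image = ev.get("image", "")
    if DROP_PATH.search(image):          # the real fontdrvhost.exe lives in System32
        tags.add("masquerading_fontdrvhost")
    if DOUBLE_EXT.match(image.rsplit("\\", 1)[-1]):
        tags.add("double_extension_image")
    return tags

def hunt(events):
    """Group tags per host; report any C2 contact, or two or more corroborating tags."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(tag_event(ev))
    return {h: sorted(t) for h, t in per_host.items() if "c2_contact" in t or len(t) >= 2}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "WS01", "image": r"C:\Users\a\AppData\Local\Microsoft\fontdrvhost.exe", "dst": "144.126.151.185:2005"},
    {"host": "WS01", "key": r"HKCU\Software\fontdrvhost"},
    {"host": "WS01", "path": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fontdrvhost.lnk"},
    {"host": "WS02", "image": r"C:\Users\b\Downloads\Escape From Tarkovnls..scr",
     "sha256": "84C8AD42D82A82951A1968C738FC813A83FC5CD6F1C2F446F2960CF21A373E14"},
    {"host": "WS03", "image": r"C:\Windows\System32\fontdrvhost.exe", "dst": "107.172.10.190:443"},
    {"host": "WS04", "image": r"C:\Windows\System32\svchost.exe", "dst": "20.190.160.1:443"},
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(host, tags)
```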
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally... the malicious RTF attachments exploited vulnerabilities in the Microsoft Equation Editor, specifically CVE-2018-0798, before downloading subsequent payloads.
"...Colombian organizations were reported by Darktrace to have been targeted by Blind Eagle in an attack campaign involving the abuse of the Windows vulnerability, tracked as CVE-2024-43451, that has been ongoing since November."
Google also observed financially motivated actors exploiting the WinRAR path-traversal flaw to distribute commodity remote access tools and information stealers such as XWorm and AsyncRAT...
The authoring agencies have identified the following open source and dual-use tools as used and/or customized by the actors: ▪ AsyncRAT
Groups observed using it
19 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Typically, TA2541 will use Visual Basic Script (VBS) files to establish persistence with one of their favorite payloads, AsyncRAT.
In 2024, MirrorFace also deployed a heavily customized variant of AsyncRAT, embedding this malware into a newly observed, intricate execution chain that runs the RAT inside Windows Sandbox.
The group uses tools like Async RAT and Xworm before delivering LockBit payloads built using the leaked Lockbit Black builder.
The use of XenoRAT specifically strengthens this attribution, as Seqrite Labs confirmed in December 2024 that SideCopy had formally adopted customised XenoRAT variants as part of their updated toolset, following a similar pattern of open-source RAT adoption seen previously with AsyncRAT.
lazarusholic (lazarusholic.bsky.social): "APT-C-55(Kimsuky)组织依托GitHub+Dropbox分发恶意载荷的攻击活动分析" (Analysis of an attack campaign by APT-C-55 (Kimsuky) distributing malicious payloads via GitHub and Dropbox), published by Qihoo360. #APT-C-55, #AsyncRAT, #Github, #LNK, #DPRK, #CTI
The terminal payload is typically XWorm or AsyncRAT, both commodity RATs sold through underground forums as Malware-as-a-Service.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
Initial Access
2 techniques
Execution
6 techniques
The malicious HTA or VBS file calls the WMI provider host (WmiPrvSE.exe) which runs powershell via CMD to download a malicious batch file from transfer.sh, or a compromised website.
A scheduled task posing as a Realtek audio service guarantees the loader runs shortly after infection and at every logon... The malware registers several scheduled tasks disguised as Realtek services
Persistence
3 techniques
A scheduled task posing as a Realtek audio service guarantees the loader runs shortly after infection and at every logon... The malware registers several scheduled tasks disguised as Realtek services
Privilege Escalation
4 techniques
A scheduled task posing as a Realtek audio service guarantees the loader runs shortly after infection and at every logon... The malware registers several scheduled tasks disguised as Realtek services
we also believe this DLL to have functionality to write/inject data into another process... Open the process, Virtually Allocate memory in that process, Write data to the space in memory and lastly read the data injected into that process.
Stealth
10 techniques
Opening the shortcut fires an obfuscated command stitched together from native Windows tools... peeling open nested layers of PowerShell, Base64 data, and AES-encrypted blocks.
My ideas included: Double extension Image (process name). This could apply to process creation, network connections, DNS queries, and others.
we also believe this DLL to have functionality to write/inject data into another process... Open the process, Virtually Allocate memory in that process, Write data to the space in memory and lastly read the data injected into that process.
One module rebuilds a hidden PE file from plain numeric text, then injects it into a legitimate .NET process using a classic process hollowing routine — CreateProcess, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread.
The sample was located in the ‘appdata\local\microsoft\fontdrvhost.exe’ directory. We confirmed these two files were in fact the same by comparing hash values.
What sets these AsyncRAT AI lures apart is the heavy abuse of legitimate software... the attackers repurpose the trusted AutoHotkey loader as an execution engine while the malicious logic hides inside .ahk scripts
Its only visible item is a single shortcut file, but two PDFs sit beside it with a hidden attribute.
Defense Impairment
1 technique
Credential Access
1 technique
Collection
3 techniques
Command and Control
3 techniques
we identified inbound/outbound traffic to an IP address associated with AsyncRAT
IOCs tracked for this family
601 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan observed as an additional payload leveraged by StealC affiliates.
Remote access trojan identified among the top malware families affecting victims in Mexico in 2025.
AsyncRAT is listed as a malware family delivered in StealC-linked activity.
AsyncRAT is mentioned as a payload distributed by a large botnet cluster within the Amadey ecosystem.