Goldberg's technical analysis of a real, widely-abused threat. Because AsyncRAT is open-source, behaviour varies across forks — see references for canonical detail; atomic IOCs rotate.

Overview

AsyncRAT is the workhorse RAT of the commodity threat landscape. Its open-source nature means a huge population of forks and crypters wrap the same core, so it shows up everywhere from low-effort spam to multi-stage campaigns staged by more capable actors.

Capabilities

  • Encrypted remote control: shell, file management, process control.
  • Surveillance: keylogging, screen capture, and audio/video recording.
  • Credential and info theft; downloads and executes additional payloads.

Delivery & execution

A typical chain starts with a phishing lure dropping a script (JS/VBS/PowerShell) that pulls further stages and finally the AsyncRAT payload — frequently injected into a legitimate process. Operators lean on living-off-the-land binaries (Windows Script Host, PowerShell, mshta) to blend in.

Persistence

  • Scheduled tasks and Run-key entries.
  • Startup-folder scripts; WebDAV-mounted payloads.
  • Enables SeDebugPrivilege where available to ease process injection into the host it persists in.

Detection

Single static indicators are weak here — the open-source base mutates constantly. Detection works best by correlating host behaviour with network telemetry: script interpreters spawning from Office/mail clients, unexpected scheduled-task creation, and a persistent encrypted beacon from an unexpected process to a non-standard port.
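The correlation described above, as an added example that is not part of the original analysis: a small Python triage over constructed Sysmon-style events (the field names, hosts, addresses and port are this example's own assumptions, not real indicators). A host is flagged only when a host-side signal co-occurs with a repeating connection to a non-standard port, and the beacon tuple is returned so it can be hunted across the estate.

```python
from collections import Counter, defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
OFFICE_MAIL = {"winword.exe", "excel.exe", "outlook.exe"}
COMMON_PORTS = {80, 443, 53}

# Constructed sample events; field names are assumptions, not a product schema.
EVENTS = [
    {"host": "ws01", "kind": "proc", "t": 0, "image": "wscript.exe", "parent": "outlook.exe"},
    {"host": "ws01", "kind": "proc", "t": 5, "image": "schtasks.exe", "parent": "powershell.exe",
     "cmd": "schtasks /create /sc minute /mo 1 /tn Update /tr C:\\Users\\Public\\u.vbs"},
    # eight beacons, one per minute, from an unexpected process to a non-standard port
    *[{"host": "ws01", "kind": "net", "t": 60 * i, "image": "regsvcs.exe",
       "dst": "203.0.113.10", "port": 4449} for i in range(1, 9)],
    # benign host: a browser launched from the shell, talking HTTPS at the same cadence
    {"host": "ws02", "kind": "proc", "t": 0, "image": "chrome.exe", "parent": "explorer.exe"},
    *[{"host": "ws02", "kind": "net", "t": 60 * i, "image": "chrome.exe",
       "dst": "198.51.100.7", "port": 443} for i in range(1, 9)],
]


def triage(events, beacon_min=5):
    """Return per-host signals; flag only when host and network signals co-occur."""
    sig = defaultdict(lambda: {"script_from_office": False, "sched_task": False, "beacon": None})
    beacons = Counter()  # (host, dst, port) -> connection count
    for e in events:
        s = sig[e["host"]]
        if e["kind"] == "proc":
            if e["image"] in SCRIPT_HOSTS and e["parent"] in OFFICE_MAIL:
                s["script_from_office"] = True
            if e["image"] == "schtasks.exe" and "/create" in e.get("cmd", "").lower():
                s["sched_task"] = True
        elif e["kind"] == "net" and e["port"] not in COMMON_PORTS:
            beacons[(e["host"], e["dst"], e["port"])] += 1
    for (host, dst, port), n in beacons.items():
        if n >= beacon_min:  # repeated contact with the same non-standard endpoint
            sig[host]["beacon"] = f"{dst}:{port} x{n}"
    for s in sig.values():
        s["flagged"] = bool((s["script_from_office"] or s["sched_task"]) and s["beacon"])
    return dict(sig)


if __name__ == "__main__":
    for host, s in triage(EVENTS).items():
        print(host, s)
```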

Remediation

  • Isolate, capture memory (config and key are recoverable from RAM), then reimage.
  • Remove scheduled-task/Run-key persistence; hunt the estate for the same C2.
  • Constrain script hosts (WSH/PowerShell) and enable AMSI + script-block logging.

References