The landscape of cyber security is constantly evolving, with new threats emerging and existing ones adapting at an alarming rate. Among these, AsyncRAT, a notorious open-source Remote Access Trojan (RAT), has cemented its place as a pervasive and adaptable piece of malware. Since its 2019 debut on GitHub, AsyncRAT has not only been widely adopted but has also spawned a sprawling network of forks and variants. This article delves into the origins and intricate evolution of AsyncRAT, offering unique insights into its diverse ecosystem and highlighting its significant impact on the modern threat landscape for those involved in malware analysis and defense.
Understanding AsyncRAT: A Cornerstone of Cyber Threats
AsyncRAT, short for asynchronous remote access trojan, emerged as an open-source project on GitHub in 2019, quickly gaining notoriety within the cybercrime community. Developed in C#, this versatile Remote Access Trojan (RAT) offers a comprehensive suite of malicious functionalities, including keylogging, screen capturing, and credential theft. Its accessibility and simplicity democratized sophisticated attack capabilities, making it an immediate favorite among cybercriminals and leading to its widespread deployment in various cyberattacks.
While AsyncRAT was a complete rewrite, its roots can be traced back to the earlier Quasar RAT, available since 2015. Despite distinct codebases, a fundamental link exists in their custom cryptography classes—specifically, the Aes256 and Sha256 implementations used for decrypting malware configuration settings. As Figure 1 illustrates, identical code, including the same salt value and decryption settings, points to a clear influence. However, AsyncRAT distinguished itself with significant improvements, notably its modular architecture and enhanced stealth features, which made it more adaptable and resilient against detection in modern threat environments. This plugin-based architecture further propelled the proliferation of numerous forks, pushing the boundaries of its malicious capabilities.
Navigating the AsyncRAT Fork Ecosystem
Since its public release, AsyncRAT has served as a foundational framework for a multitude of new forks, each building upon or subtly altering its predecessor. This “fork labyrinth” encompasses variants ranging from mere cosmetic changes to substantial expansions in functionality.
As depicted in Figure 2, a complex hierarchy of these derivatives has evolved. Our analysis identifies DcRat and VenomRAT as the most widely deployed variants, collectively responsible for a significant proportion of observed campaigns, as shown in Figure 3. These dominant forks, alongside a host of lesser-known ones, paint a dynamic picture of the AsyncRAT landscape.
DcRat, for instance, represents a notable advancement over the original AsyncRAT. It uses MessagePack for more compact binary data serialization and adds evasion techniques such as patching AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) to blind the components that scan and log its activity. DcRat also includes an anti-process routine that terminates security-related processes such as Taskmgr.exe and MsMpEng.exe. Its plugin base is extensive, adding webcam access, microphone recording, Discord token theft, and even a simple ransomware plugin that encrypts files with AES-256. Subtler changes, such as an altered salt value, dynamic API resolution, and deliberate variable renaming, further complicate detection and attribution.
VenomRAT, likely inspired by DcRat, is another feature-rich variant that stands almost as a separate threat. While its features are well-documented by other vendors, its strong resemblance in client-side mechanics groups it within the AsyncRAT family. It’s worth noting that not all forks are entirely serious; variants like SantaRAT or BoratRAT (see Figure 4) began as jokes, yet surprisingly, we’ve observed instances of their real-world deployment.
Unmasking AsyncRAT Variants: Identification Techniques
Accurate identification of AsyncRAT forks is crucial for effective threat intelligence and mitigation. Our research primarily focused on the client-side binary, which resides on victims’ machines and contains vital configuration details, including C&C server information. The most straightforward method involves inspecting the malware’s configuration, typically found in the `InitializeSettings` function. Encrypted with AES-256 and stored as base64 strings in the `Settings` class, the configuration often includes a “Version” field that conveniently names the fork or the author’s pseudonym; this is the case in approximately 90% of samples. For instance, Figure 5 illustrates the typical configuration initialization for VenomRAT.
When the “Version” field is absent, another clue lies in the “Salt” value used for configuration encryption, often overlooked by attackers. This value, located in the `Client.Algorithm.Aes256` class (see Figure 6), can reveal connections to parent forks. Additionally, the embedded certificate used for C&C server authentication, also stored as a base64-encoded value in the configuration, can reveal further details such as common name and organization, which often trace back to a previous fork (as shown in Figure 7 for BoratRAT).
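The configuration handling described above (the Aes256 class and its salt, the base64-encoded fields of the Settings class, and the “Version” clue) can be turned into a quick fork fingerprint. The following Python is an added example written for this article; it is not ESET tooling and not code from any AsyncRAT fork. It reproduces the layout of the public AsyncRAT Aes256 class (PBKDF2-HMAC-SHA1 key derivation with 50,000 iterations, then HMAC-SHA256 over IV and ciphertext) and assumes that layout holds for the sample being analysed. The salt table is illustrative: the original AsyncRAT salt is copied from the public source and should be verified against the sample, the “ExampleFork” entry is hypothetical, and the key and encrypted field the script feeds itself are constructed test data.

```python
# Added example (not ESET's or any AsyncRAT fork's code): fingerprint which salt an
# AsyncRAT-family Settings field was protected with, using only the standard library.
#
# Layout mirrored from the public AsyncRAT Client.Algorithm.Aes256 class:
#   key || authKey = PBKDF2-HMAC-SHA1(masterKey, Salt, 50000 iterations), 32 + 64 bytes
#   field          = base64( HMAC-SHA256(authKey, IV || ct) || IV || AES-256-CBC ct )
# The client verifies the HMAC before it decrypts, so a wrong salt is detectable
# without any AES code: derive authKey per candidate salt and check the MAC.
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 50_000
KEY_LEN, AUTH_KEY_LEN, IV_LEN, MAC_LEN = 32, 64, 16, 32

# Salt as published in the open-source AsyncRAT repository (inherited from Quasar).
# Verify it against the Aes256 class of the sample under analysis before relying on it.
ASYNCRAT_SALT = bytes([
    0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
    0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
])

# Candidate salts. "ExampleFork" is hypothetical, invented for this demonstration; a real
# table would hold the salts recovered from each fork's Aes256 class.
KNOWN_SALTS: Dict[str, bytes] = {
    "AsyncRAT (original, Quasar lineage)": ASYNCRAT_SALT,
    "ExampleFork (hypothetical)": b"ExampleForkSalt",
}


def derive_keys(master_key: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Reproduce Rfc2898DeriveBytes(masterKey, salt, 50000): GetBytes(32) then GetBytes(64).
    Consecutive GetBytes calls return consecutive bytes of one PBKDF2 stream, so deriving
    96 bytes at once and splitting yields the same (aesKey, authKey) pair."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), salt, ITERATIONS,
                                 KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def master_key_from_settings(key_b64: str) -> str:
    """Settings.Key is itself base64; InitializeSettings decodes it to the UTF-8 password."""
    return base64.b64decode(key_b64).decode("utf-8")


def settings_key(master_key: str) -> str:
    """Constructed test data: store a password the way Settings.Key holds it."""
    return base64.b64encode(master_key.encode("utf-8")).decode("ascii")


def mac_is_valid(field_b64: str, auth_key: bytes) -> bool:
    """Check the leading HMAC-SHA256 over IV || ciphertext, as the client does before decrypting."""
    blob = base64.b64decode(field_b64)
    if len(blob) < MAC_LEN + IV_LEN:
        return False
    expected = hmac.new(auth_key, blob[MAC_LEN:], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob[:MAC_LEN])


def identify_salt(key_b64: str, field_b64: str) -> Optional[str]:
    """Return the name of the first candidate salt whose derived authKey validates the field."""
    master_key = master_key_from_settings(key_b64)
    for name, salt in KNOWN_SALTS.items():
        _, auth_key = derive_keys(master_key, salt)
        if mac_is_valid(field_b64, auth_key):
            return name
    return None


def build_field(master_key: str, salt: bytes, ciphertext: bytes) -> str:
    """Constructed test data: wrap an (already encrypted) payload the way the client stores it.
    The AES step is omitted because the fingerprint never needs it; pass opaque bytes."""
    _, auth_key = derive_keys(master_key, salt)
    iv = os.urandom(IV_LEN)
    mac = hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(mac + iv + ciphertext).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: one Settings.Key and one encrypted field from the hypothetical fork.
    key_b64 = settings_key("Rat-Master-Key")
    field = build_field("Rat-Master-Key", KNOWN_SALTS["ExampleFork (hypothetical)"], b"\x00" * 32)
    print(identify_salt(key_b64, field))
```

Because the client authenticates before it decrypts, the fingerprint needs only the derived authentication key and no AES implementation. Once the salt is known, the first 32 bytes of the same PBKDF2 stream are the AES-256-CBC key, and decrypting the field after the IV yields the plaintext, including the “Version” string discussed above.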
For more sophisticated cases, detailed analysis involves manually inspecting the code—comparing its structure, syntax, and functionality against known patterns. A more advanced method, explained in Axel Mahr’s blogpost, involves sending a specially crafted packet to the C&C server itself to identify the server’s AsyncRAT version.
Deep Dive into Unique AsyncRAT Variants
While major forks like DcRat dominate, several lesser-known variants showcase unique functionalities that push AsyncRAT’s capabilities further. These “exotic” forks, often the work of individual threat actors or small groups, comprise less than 1% of AsyncRAT samples but offer compelling insights into evolving attack vectors.
NonEuclid RAT: This variant stands out for its diverse plugin ecosystem beyond standard functionalities (see Table 1). For example, `WormUsb.dll` is a potent malware spreader that compromises PE files on local drives and USBs. It relocates the original file, drops an obfuscated stub, and then decrypts/executes both the payload and original file upon execution. This highlights a critical, often underestimated, vector in modern cyber security: USB-borne malware remains a potent threat, especially in air-gapped or sensitive environments where it can facilitate initial access or lateral movement, as seen in past nation-state attacks like Stuxnet.
Another notable plugin is `cliper.dll`, a dedicated clipboard hijacker that monitors for cryptocurrency wallet addresses and replaces them with the attacker’s own. This real-time interception of financial transactions is a direct pathway to financial fraud and a growing concern in cybercrime. Additionally, `Brute.dll` allows client-side brute-forcing of SSH and FTP logins, letting attackers distribute password-guessing attacks across compromised machines.
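The clipboard-hijacking behaviour of cliper.dll has a simple defensive counterpart. The script below is an added example, not ESET’s code and not the NonEuclid author’s: a triage heuristic that replays a constructed clipboard event log and flags cases where a copied wallet address was rewritten to a different address of the same kind without any user copy action. The event format, the address regexes, and the two-second window are assumptions made for the demonstration.

```python
# Added example (not ESET's or NonEuclid's code): detect clipboard wallet-address swaps
# of the kind cliper.dll performs, by replaying a constructed clipboard event log.
#
# A hijacker rewrites a copied address within milliseconds and without a user copy.
# So flag a change where (1) old and new content both look like addresses of the same
# coin, (2) they differ, and (3) the new value was observed by a poll, not a user copy.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Heuristic address patterns (assumption: adequate for triage, not full address validation).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    t_ms: int        # monotonic timestamp in milliseconds (assumed event format)
    source: str      # "user_copy" (Ctrl+C / context menu) or "poll" (monitor read-back)
    content: str


def coin_of(text: str) -> Optional[str]:
    """Return which coin family the text looks like an address for, or None."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return coin
    return None


def detect_swaps(events: List[ClipEvent], max_gap_ms: int = 2000) -> List[Dict]:
    """Flag poll-observed rewrites of a wallet address that no user copy explains."""
    alerts: List[Dict] = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        if prev is not None and ev.source != "user_copy":
            old_coin = coin_of(prev.content)
            if (old_coin is not None
                    and coin_of(ev.content) == old_coin
                    and ev.content != prev.content
                    and 0 <= ev.t_ms - prev.t_ms <= max_gap_ms):
                alerts.append({
                    "t_ms": ev.t_ms,
                    "coin": old_coin,
                    "original": prev.content,
                    "replacement": ev.content,
                })
        prev = ev
    return alerts


# Constructed addresses: syntactically valid-looking, not real wallets.
VICTIM_BTC = "1VictimWa11etAddrQ2r9Kp7ZbNhV3wmT"
ATTACKER_BTC = "1AttackerSwapAddrZ8nMq4Rt6UyBd2Jk9c"
VICTIM_ETH = "0x0123456789abcdef0123456789abcdef01234567"

# Constructed clipboard log: one hijack, followed by benign activity.
SAMPLE_EVENTS = [
    ClipEvent(1000, "user_copy", VICTIM_BTC),
    ClipEvent(1040, "poll", ATTACKER_BTC),               # rewritten 40 ms after the copy
    ClipEvent(1540, "poll", ATTACKER_BTC),               # unchanged on the next poll
    ClipEvent(6000, "user_copy", "meeting notes for tuesday"),
    ClipEvent(6500, "poll", "meeting notes for tuesday"),
    ClipEvent(9000, "user_copy", VICTIM_ETH),
    ClipEvent(9500, "poll", VICTIM_ETH),                 # same address: no alert
    ClipEvent(12000, "user_copy", ATTACKER_BTC),         # deliberate user copy: no alert
]


def run_sample() -> List[Dict]:
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['t_ms']} ms] {alert['coin']} address swapped: "
              f"{alert['original']} -> {alert['replacement']}")
```

The poll source stands in for whatever clipboard telemetry an endpoint agent already collects; the point is that the swap is visible as a content change with no corresponding user action, which is cheap to check and does not depend on the hijacker’s own process name or signature.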
JasonRAT: Identified in 2024, JasonRAT uses obscure “satanic” variable-naming conventions and an extended Morse code for string obfuscation (Figure 14). Beyond typical AsyncRAT configurations (Figure 12), it extends client capabilities with country targeting.
XieBroRAT: Characterized by Chinese localization, XieBroRAT introduces the `BrowserGhost.dll` plugin for browser credential theft and `Abstain.dll` for interaction with Cobalt Strike servers. It enhances coverage by wrapping the .NET client binary in shellcode, VBS, or JavaScript, and integrates well-known open-source tools like Mimikatz and SharpWifiGrabber for extended post-exploitation capabilities.
The Evolving Landscape of Open-Source Malware
The continued rise and evolution of AsyncRAT and its diverse forks unequivocally demonstrate the inherent risks associated with open-source malware frameworks. This ecosystem, ranging from persistent threats like DcRat to more curious, novelty forks like JasonRAT, illustrates how quickly threat actors can adapt, customize, and repurpose readily available code. The widespread availability of such frameworks significantly lowers the barrier to entry for aspiring cybercriminals, enabling even novices to deploy sophisticated malware with minimal effort.
This “democratization of malware development,” especially considering the increasing potential for misuse of Large Language Models (LLMs) in generating malicious code, accelerates the creation and customization of malicious tools. The result is a rapidly expanding and increasingly complex threat landscape. For organizations, this underscores the critical importance of proactive detection strategies, moving beyond signature-based solutions to embrace deeper behavioral analysis and robust threat intelligence feeds to effectively address these continually emerging and evolving threats.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) can be found in our GitHub repository.
Files
SHA-1 | Filename | Detection | Description |
---|---|---|---|
F8E31B338123E38757F8B7099797119A038A3538 | Screamer.dll | MSIL/AsyncRAT.C | NonEuclid jump scare plugin. |
98223D2F8DF2F9E832AE081CD6E072A440C9A3CD | Piano.dll | MSIL/AsyncRAT.C | NonEuclid audio player plugin. |
CDEC9A1C73E3E21B1D70DDAA6BF139D8D2A197A5 | Maps.dll | MSIL/AsyncRAT.C | NonEuclid geolocation plugin. |
932C49EEE087D432D0DA10CC0640B11FD2C91203 | Service.dll | MSIL/AsyncRAT.C | NonEuclid Windows service management plugin. |
2FA98D088486BAC57FF60E072E28FEE5830E7B28 | WormUsb.dll | MSIL/AsyncRAT.C | NonEuclid malware spreader plugin. |
62C9FEFA84067F695032A6939F07C3799AAD80A3 | Brute.dll | MSIL/AsyncRAT.C | NonEuclid SSH and FTP brute forcer plugin. |
FAD946F7ACF017F0C50C81BF379AABA3528AFBB3 | Signature Antivirus.dll | MSIL/AsyncRAT.C | NonEuclid signature-based file matcher plugin. |
51B8A5818B7031EDB59A2B2ECF160A78505880BA | cliper.dll | MSIL/AsyncRAT.C | NonEuclid clipboard hijacker plugin. |
4FB0CAAD6E345947EE2D30E795B711F91C6A4819 | Stub.exe | MSIL/AsyncRAT.A | AsyncRAT client. |
FD9CF01CEA7DE8631C34B988A7AAD55587A162FA | Stub.exe | MSIL/AsyncRAT.A | 3LoshRAT client. |
B8AB93E958E0DE4BE2766B2537832EDB37030429 | Client.exe | MSIL/AsyncRAT.A | DcRat client. |
68B58483D0E4E7CC2478D6B4FC00064ADE3D7DB3 | Microsoft_Edge_Driver.exe | MSIL/AsyncRAT.A | VenomRAT client. |
4F69E0CE283D273B724CE107DF89F11C556A7A4E | Client.exe | MSIL/AsyncRAT.C | BoratRAT client. |
E4F87568473536E35006D1BD4D4C26A8809F3F91 | Client.exe | MSIL/AsyncRAT.A | Anarchy Panel client. |
D10B8197732437E9BF840FEA46A30EFF62892A4E | Client.exe | MSIL/AsyncRAT.A | CollapseRAT client. |
0DC28EA51F0D96E0D1BC78DF829C81A84332C5F1 | dwm.exe | MSIL/AsyncRAT.A | Shadow X RAT client. |
E5B511E7550CBADE74E75EADE8F413A89D963FE5 | ClientAny.exe | MSIL/AsyncRAT.A | LMTeamRAT client. |
3124F58428184FDF75E21B1E5A58CADF9DD2BA03 | Stub.exe | MSIL/AsyncRAT.A | PhoenixRAT client. |
8402AA507CF5B1BBFAB53E3BF7A7D4500796A978 | Client.exe | MSIL/AsyncRAT.A | EchoRAT client. |
AB2C6F9695346FAA9495B4AB837085C1524FFDDF | Client.exe | MSIL/AsyncRAT.A | XieBroRAT client. |
3E6CD9D07B8ECE706697F332AC9F32DE5ECAF086 | tempClient.exe | MSIL/AsyncRAT.C | NonEuclid RAT client. |
FF4592A8BCB58F5CF6BD70B882E886EC6906EECD | Servant.exe | MSIL/AsyncRAT.A | JasonRAT client. |
MITRE ATT&CK techniques
This table was built using version 17 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description |
---|---|---|---|
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | DcRat terminates security tools such as Taskmgr.exe and MsMpEng.exe. |
Defense Evasion | T1562.006 | Impair Defenses: Indicator Blocking | DcRat patches AMSI and ETW so that its activity is neither scanned nor logged. |
Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | JasonRAT employs modified Morse code and obscure variable names to hinder analysis. |
Credential Access | T1539 | Steal Web Session Cookie | DcRat leverages a plugin to steal Discord tokens from compromised machines. |
Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | XieBroRAT uses a plugin to collect browser credentials. |
Credential Access | T1110.003 | Brute Force: Password Spraying | NonEuclid uses a plugin to brute force SSH and FTP credentials. |
Discovery | T1614 | System Location Discovery | NonEuclid uses a plugin that collects geolocation data from compromised systems. |
Collection | T1123 | Audio Capture | DcRat has a microphone plugin that enables audio capture from the victim’s device. |
Collection | T1125 | Video Capture | DcRat includes a webcam plugin that allows remote access to the victim’s camera. |
Collection | T1115 | Clipboard Data | NonEuclid uses a plugin that monitors the clipboard to intercept and replace cryptocurrency wallet addresses. |
Impact | T1486 | Data Encrypted for Impact | DcRat features a ransomware plugin capable of encrypting files on the victim’s system. |
FAQ
Question 1: What is AsyncRAT and why is it so prevalent in cybercrime?
Answer 1: AsyncRAT is an open-source Remote Access Trojan (RAT) developed in C#. Its prevalence stems from its simplicity, versatility, and accessible code, which significantly lowers the barrier for cybercriminals to deploy sophisticated malware. This “democratization” of malicious tools allows even less experienced actors to conduct complex cyberattacks, making it a persistent and adaptable threat in the cyber security landscape.
Question 2: How do AsyncRAT’s forks evolve, and what unique threats do they pose?
Answer 2: AsyncRAT’s forks evolve by extending its original capabilities, incorporating new features, advanced evasion techniques, and specialized plugins. These variants, such as DcRat or NonEuclid RAT, can include functionalities like ransomware, credential theft from browsers or Discord, and even USB-borne malware spreaders. This continuous evolution makes them highly adaptable and challenging to detect, posing a significant and dynamic threat to organizational and personal cyber security defenses.
Question 3: What are key strategies for organizations to defend against sophisticated RATs like AsyncRAT and its variants?
Answer 3: Effective defense against sophisticated RATs requires a multi-layered approach. Key strategies include implementing robust Endpoint Detection and Response (EDR) solutions, continuous network monitoring, regular patching and software updates, and comprehensive employee training on phishing and social engineering tactics. Additionally, organizations should leverage up-to-date threat intelligence feeds and prioritize behavioral analysis over traditional signature-based detection to identify novel or evasive malware variants. Given the threat of plugins like `WormUsb.dll`, strict USB device policies and endpoint scanning for removable media are also crucial.