AsyncRAT, once a simple open-source remote access tool, has grown into a sprawling ecosystem of malicious forks. New variants appear constantly, each with flexible deployment options and increasingly sophisticated concealment and evasion techniques that are harder and harder to counter. What began as a GitHub project has become a popular platform among cybercriminals, combining creativity with real danger.
From open source to a full-fledged attack platform
AsyncRAT was released on GitHub in 2019. It is written in C# and supports keylogging, screenshot capture and credential theft. Although conceptually similar to Quasar RAT, AsyncRAT was rewritten from scratch; notably, though, its AES-256 and SHA-256 code fragments were copied from Quasar, a reminder that malware projects routinely share and reuse each other's code.
Its modular design and easy extensibility let cybercriminals adopt AsyncRAT quickly and spawned a wave of new forks.
Notable variants: DcRat and VenomRAT
Among the many derivatives of AsyncRAT, two variants stand out: DcRat and VenomRAT.
DcRat uses the MessagePack library for faster serialization and integrates aggressive defense-evasion techniques:
- Disabling AMSI and ETW to blind Windows security monitoring
- Automatically terminating security-related processes such as Taskmgr.exe, ProcessHacker.exe and MsMpEng.exe
- A broad plugin system, from webcam capture and Discord token theft to an AES-256 ransomware plugin
VenomRAT shares DcRat's architecture but has been "boosted" with new features at a dizzying pace, becoming a distinct threat in its own right. Even seemingly joke forks such as SantaRAT or BoratRAT turn up in real campaigns, which further complicates classification.
Unconventional plugins and creative hiding techniques
Identifying RAT variants usually relies on the Version field in the configuration (normally AES-256 encrypted), the Salt parameter used during key derivation, or the X.509 certificate embedded in the code. More advanced approaches use code-structure analysis, C&C probing, or runtime behavior monitoring.
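To make the configuration-based identification concrete, here is an added example (not code from the article, and not the AsyncRAT project's own code) that re-implements in Go the routine the public AsyncRAT client uses to decrypt its configuration strings: PBKDF2-HMAC-SHA1 key derivation from the master key and the hard-coded salt, an HMAC-SHA256 tag over IV || ciphertext, then AES-256-CBC. The salt value, the 50000 iteration count and the 32-byte tag / 16-byte IV layout are taken from the public AsyncRAT source; the master key, IV and field values are constructed, and the helper names are mine. The salt is deliberately a parameter, because a fork that changes it will fail the HMAC check with the stock value, which is itself a variant indicator.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Salt hard-coded in the public AsyncRAT client (the "Salt parameter" analysts
// pivot on). Forks frequently change it, so every function below takes the
// salt as an argument instead of assuming this value.
var AsyncRATSalt = []byte{
	0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
}

const (
	pbkdf2Iterations = 50000 // Rfc2898DeriveBytes(masterKey, Salt, 50000) in the C# source
	aesKeyLen        = 32    // AES-256 key
	authKeyLen       = 64    // HMAC-SHA256 key, drawn from the same PBKDF2 stream
	hmacLen          = 32
	ivLen            = 16
)

// pbkdf2SHA1 reimplements .NET Rfc2898DeriveBytes (PBKDF2 with HMAC-SHA1).
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveKeys mirrors the Aes256 constructor: one PBKDF2 stream, the first 32
// bytes become the AES key and the following 64 bytes the HMAC key.
func DeriveKeys(masterKey, salt []byte) (aesKey, authKey []byte) {
	stream := pbkdf2SHA1(masterKey, salt, pbkdf2Iterations, aesKeyLen+authKeyLen)
	return stream[:aesKeyLen], stream[aesKeyLen:]
}

// DecryptField decodes one base64 config string laid out as
// HMAC-SHA256(IV || ciphertext) || IV || ciphertext and returns the plaintext.
func DecryptField(masterKey, salt []byte, field string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		return "", err
	}
	if len(blob) < hmacLen+ivLen+aes.BlockSize || (len(blob)-hmacLen-ivLen)%aes.BlockSize != 0 {
		return "", errors.New("field too short or ciphertext not block aligned")
	}
	aesKey, authKey := DeriveKeys(masterKey, salt)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(blob[hmacLen:]) // the tag covers IV || ciphertext
	if !hmac.Equal(mac.Sum(nil), blob[:hmacLen]) {
		return "", errors.New("HMAC mismatch: wrong master key or salt (a fork may have changed the salt)")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return "", err
	}
	ct := append([]byte(nil), blob[hmacLen+ivLen:]...)
	cipher.NewCBCDecrypter(block, blob[hmacLen:hmacLen+ivLen]).CryptBlocks(ct, ct)
	pad := int(ct[len(ct)-1]) // PKCS#7 unpadding
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(ct[len(ct)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding")
	}
	return string(ct[:len(ct)-pad]), nil
}

// EncryptField is the inverse, used here only to build the constructed sample
// (a caller-supplied IV keeps the example deterministic; the real client draws a random one).
func EncryptField(masterKey, salt, iv []byte, plaintext string) string {
	aesKey, authKey := DeriveKeys(masterKey, salt)
	block, _ := aes.NewCipher(aesKey)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(append([]byte(nil), iv...), ct...)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(mac.Sum(nil), body...))
}

// ExtractConfig tries each candidate salt until one authenticates every field and
// returns the decrypted fields plus the salt that worked (both are variant indicators).
func ExtractConfig(masterKey []byte, fields map[string]string, salts ...[]byte) (map[string]string, error) {
	for _, salt := range salts {
		out := map[string]string{"SaltHex": fmt.Sprintf("%x", salt)}
		ok := true
		for name, v := range fields {
			pt, err := DecryptField(masterKey, salt, v)
			if err != nil {
				ok = false
				break
			}
			out[name] = pt
		}
		if ok {
			return out, nil
		}
	}
	return nil, errors.New("no candidate salt authenticated the configuration")
}

func main() {
	// Constructed sample. In a real binary Settings.Key is stored base64-encoded and
	// decoded before key derivation, and each field carries its own random IV.
	master := []byte("constructed-master-key")
	iv := bytes.Repeat([]byte{0x11}, ivLen)
	sample := map[string]string{
		"Version": EncryptField(master, AsyncRATSalt, iv, "0.5.7B"),
		"Hosts":   EncryptField(master, AsyncRATSalt, iv, "127.0.0.1"),
		"Ports":   EncryptField(master, AsyncRATSalt, iv, "6606,7707,8808"),
	}
	cfg, err := ExtractConfig(master, sample, AsyncRATSalt)
	fmt.Println(cfg, err)
}
```

In practice the master key comes from the sample's Settings class and the base64 fields from its static initializer; feeding several known salts (the stock one plus those seen in DcRat/VenomRAT-style forks) to ExtractConfig turns a failed HMAC into a classification signal rather than a dead end.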
Many new plugins with unusual functionality have appeared:
- Screamer.dll: frightens the victim with audio and video
- WormUsb.dll: spreads via USB drives by infecting executables
- Brute.dll: brute-forces SSH/FTP credentials
- cliper.dll: steals cryptocurrency by swapping wallet addresses in the clipboard
- Signature Antivirus.dll: deletes files whose MD5 hash matches an attacker-supplied list
Some of the odder variants include JasonRAT, which encodes strings in a custom Morse code and uses a variable with the bizarre name "satanism"; NonEuclid RAT, which integrates a geolocation plugin; and XieBroRAT, which steals browser data and supports Cobalt Strike.
The rapid evolution of the AsyncRAT ecosystem is blurring the line between sophisticated malware tooling and what ordinary cybercriminals can readily obtain. Thanks to the modular architecture and easy customization, new variants keep appearing with ever more ingenious concealment and highly destructive plugins, making detection and defense harder than ever.
Against such a fast-changing threat landscape, defenders cannot rely solely on static indicators or traditional defenses. Close monitoring of new behaviors, active malware analysis and adaptable detection strategies are essential to respond to the next wave of RATs. And at the current rate of evolution, this may be only the beginning.