AsyncRAT has evolved from a straightforward remote access trojan into a complex ecosystem of forks and variants.
ESET researchers have mapped out the intricate web formed by AsyncRAT’s open-source codebase, revealing a constantly shifting threat landscape defined by new features, evasion techniques, and a parade of technical oddities.
The Roots of AsyncRAT
AsyncRAT originated as an open-source project on GitHub in 2019, authored in C# and designed for remote access through functionalities like keylogging, screen capture, and credential theft.
While conceptually similar to the older Quasar RAT, AsyncRAT is a from-scratch rewrite that nonetheless borrows cryptographic code from Quasar, notably its Aes256 and Sha256 classes:
```csharp
// Snippet from AsyncRAT cryptography module
namespace Client.Algorithm
{
    public class Aes256
    {
        private static readonly byte[] Salt = { ... };
        // ...rest of cryptographic routines...
    }
}
```
The snippet highlights the key technical detail: the salt value and the encryption logic are virtually identical to Quasar's, showing how code is ported even between diverging codebases.
Borrowed cryptography aside, AsyncRAT's core is modular and highly extensible, which fueled its rapid adoption.
DcRat, VenomRAT, and Joking Offshoots
AsyncRAT’s public release triggered a burst of derivative projects, each adding new tricks or disguises.
Two forks stand out:
- DcRat improves data serialization using MessagePack and implements advanced defense evasion:
  - AMSI/ETW patching disables Windows security features.
  - An anti-process routine kills processes such as Taskmgr.exe, ProcessHacker.exe and MsMpEng.exe.
  - Plugin expansion: from webcam access and Discord token theft to a ransomware plugin leveraging AES-256 encryption.

```csharp
// DcRat's AMSI patching routine
[DllImport("amsi.dll")]
public static extern int AmsiScanBuffer(IntPtr session, byte[] buffer, ...);
```

- VenomRAT mirrors DcRat's modular structure but pushes feature bloat further, making it a threat in its own right. Many derivatives, such as SantaRAT or BoratRAT, start as jokes, yet even these have seen sporadic circulation in real-world campaigns.
Identifying a given fork relies on examining the Version field in the AES-256-encrypted configuration (often readily visible), or on investigating the Salt parameter or the embedded X.509 certificates.
More advanced methods involve active probing of C&C servers and code structure analysis.
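As an added example (not code from the article or from ESET's research), the following Python helper models the Quasar-style Aes256 scheme the article mentions and shows why the Salt works as a fork fingerprint: it feeds key derivation, so the configuration's authentication tag only verifies under the fork's own Salt, and the Version field can then be read from the decrypted settings. The blob layout (HMAC-SHA256 tag, IV, AES-256-CBC ciphertext), the PBKDF2 parameters, the key=value settings format, the salts and the master key are all assumptions or constructed placeholders of this example, not values taken from any real sample.

```python
import hashlib, hmac, os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

PBKDF2_ITERATIONS = 50000  # assumed value; confirm against the sample's Aes256 class

def derive_keys(master_key: str, salt: bytes):
    # One PBKDF2 run yields the AES key and the HMAC key; both change when the Salt changes.
    km = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), salt, PBKDF2_ITERATIONS, 64)
    return km[:32], km[32:]

def encrypt_config(plaintext: bytes, master_key: str, salt: bytes) -> bytes:
    # Builds the test fixture. Assumed layout: HMAC-SHA256(32) || IV(16) || AES-256-CBC ciphertext.
    enc_key, auth_key = derive_keys(master_key, salt)
    iv = os.urandom(16)
    pad = 16 - len(plaintext) % 16
    enc = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).encryptor()
    ciphertext = enc.update(plaintext + bytes([pad]) * pad) + enc.finalize()
    return hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest() + iv + ciphertext

def verify_tag(blob: bytes, master_key: str, salt: bytes) -> bool:
    # The HMAC key is derived from the Salt, so the tag only verifies under the fork's own Salt.
    auth_key = derive_keys(master_key, salt)[1]
    return hmac.compare_digest(blob[:32], hmac.new(auth_key, blob[32:], hashlib.sha256).digest())

def decrypt_config(blob: bytes, master_key: str, salt: bytes) -> bytes:
    # Check the tag before touching the ciphertext; a mismatch usually means a different fork's Salt.
    if len(blob) < 64 or len(blob) % 16 or not verify_tag(blob, master_key, salt):
        raise ValueError("malformed blob or HMAC mismatch (wrong master key or Salt)")
    enc_key = derive_keys(master_key, salt)[0]
    dec = Cipher(algorithms.AES(enc_key), modes.CBC(blob[32:48])).decryptor()
    padded = dec.update(blob[48:]) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    return padded[:-pad]

def config_version(blob: bytes, master_key: str, salt: bytes):
    # The decrypted settings are modelled as key=value lines here; the real format may differ.
    lines = decrypt_config(blob, master_key, salt).decode("utf-8").splitlines()
    fields = dict(line.split("=", 1) for line in lines if "=" in line)
    return fields.get("Version")

def fork_from_salt(blob: bytes, master_key: str, candidates: dict):
    # Try each candidate Salt; the one whose tag verifies names the fork the sample was built from.
    return next((name for name, salt in candidates.items() if verify_tag(blob, master_key, salt)), None)

# Constructed sample data: placeholder salts, key and settings, not values from any real sample.
MASTER_KEY = "constructed-master-key"
SALTS = {"ForkA": b"PLACEHOLDER-SALT-A", "ForkB": b"PLACEHOLDER-SALT-B"}
SAMPLE_BLOB = encrypt_config(b"Version=1.2.3-example\nHosts=example.invalid\nPorts=0", MASTER_KEY, SALTS["ForkB"])
```

Requires the `cryptography` package; in practice the candidate salts come from the forks' own Aes256 classes and the master key from the sample being analysed.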
Exotic Plugins and Obfuscation Tactics
Beyond mainstream forks, niche variants show inventive plugin development:
| Plugin Name | Functionality |
|---|---|
| Screamer.dll | Jump scare with built-in images and WAV playback |
| WormUsb.dll | Infects other executables via USB/PEN drives |
| Brute.dll | SSH and FTP credential brute-forcing |
| cliper.dll | Clipboard hijack—replaces wallet addresses |
| Signature Antivirus.dll | Deletes files matching attacker-supplied MD5s |
The technical innovation sometimes borders on parody—JasonRAT obscures its strings with a custom Morse code variant (.--. .- ... ... .-- --- .-. -.. ...) and adopts variable names from esoteric “satanic” vocabularies.
NonEuclid RAT introduces plugins for geolocation harvesting (Maps.dll) and file brute-forcing, while XieBroRAT adds browser credential theft through BrowserGhost.dll and Cobalt Strike integration.
As the AsyncRAT ecosystem matures, the proliferation of ever-more modular and evasive forks significantly lowers the technical barrier for cybercriminals.
Security defenders should expect the evolution of even more obfuscated, plugin-rich forks, demanding constant vigilance and dynamic detection strategies to keep pace with these threats.