TrojanDownloader:Win64/AsyncRAT.D!MTB

Built primarily on C# and compiled Microsoft Intermediate Language (MSIL), AsyncRAT leverages the .NET Framework for deep device integration. This foundation provides native access to powerful Windows APIs, allowing a modular plugin architecture for surveillance functions. To complicate analysis, threat actors have begun distributing variants cross-compiled into Rust, a language that currently lacks the extensive, standardized reverse-engineering tool support available for .NET assemblies. The core communication protocol uses a persistent TCP socket to a command-and-control (C2) server. Configuration details, including target C2 domains like kashuub[.]com and ports such as 6606 or 7707, are stored within AsyncRAT as settings encrypted with AES-256. Network transmissions are serialized using MessagePack and are frequently wrapped in SSL/TLS connections secured by self-signed certificates bearing names like "AsyncRAT Server." 

AsyncRAT’s surveillance toolkit is extensive. For keystroke logging, it employs the SetWindowsHookEx API with a LowLevelKeyboardProc delegate to capture input. It uses .NET libraries to capture desktop screenshots, converting them to byte arrays for exfiltration. Beyond harvesting standard browser credentials, recent campaigns actively target cryptocurrency wallet extensions, including MetaMask and Phantom, indicating a direct financial motive. Threat actors maintain control through a remote shell module, running arbitrary commands via cmd.exe or PowerShell to download more tools, kill processes, or move laterally. 

The infection lifecycle is deliberately made complex to evade detection. Phishing remains the primary entry point, often using invoice lures or impersonating trusted brands like booking[.]com. A common social engineering tactic, dubbed "ClickFix," tricks users into pasting and running a malicious command via a fake error message. Subsequent stages heavily use fileless techniques. An initial loader script, such as Webcentral.vbs or as.wsh, executed by WScript.exe, retrieves the next payload. This is often done via PowerShell commands that download obfuscated components from URLs hosted on services like Dropbox or through TryCloudflare tunnels, such as plus-condos-thy-redeem[.]trycloudflare[.]com. The payload, frequently a non-binary file like logs.ldk, is read into memory as a byte array and loaded reflectively using .NET's Assembly.Load method. Before the main RAT is deployed, an intermediate module (for example, Obfuscator.dll) is often loaded in memory to patch security functions using PatchAMSI() and PatchETW(), deactivating critical defense telemetry.  

Final launch employs advanced injection techniques like process hollowing or Asynchronous Procedure Call (APC) injection. In one late 2025 campaign, an embedded Python distribution ran a script named ne.py from the %TEMP% directory to perform APC injection into explorer.exe. Persistence is dynamically achieved; with admin rights, it creates deceptive scheduled tasks (for example, "Skype Updater" or "SystemInstallTask"), and without them, it modifies user registry keys like HKCU\Software\Microsoft\Windows\CurrentVersion\Run. 

Key Indicators of Compromise (IoCs) for this chain include files like VLCdllFrame.xml, hash.ps1, libPK.dll, and xral.ps1 found in C:\Users\Public\ or %TEMP%. Network indicators involve calls to IP addresses such as 185[.]49.126[.]50 or 195[.]26.255[.]81 on ports 6606 or 8808, and to dynamic DNS domains like 3osch20[].duckdns[.]org or abuwire123[.]ddns[.]net. System behavioral signs include the default mutex AsyncMutex_6SI8OkPnk, conhost.exe running with --headless flags, or svchost.exe making unexpected WebDAV connections via davclnt.dll.