
This Open-Source Malware Has Turned Into A Global Cyber Threat (And You Should Be Worried)

What began as a simple GitHub project in 2019 has quietly grown into open-source malware that strains modern cybersecurity defences. AsyncRAT, a C#-based remote access trojan (RAT), has evolved into a sprawling malware ecosystem, and it now powers a global surge in phishing campaigns, data theft, and malware-as-a-service (MaaS) sales on the dark web.

Spawns of the Open-Source Malware

According to new research by ESET, AsyncRAT’s real danger isn’t in its original capabilities but in its open-source, plug-in-friendly architecture. That is precisely what has allowed cybercriminals to spawn a host of powerful variants.

The variants include DCRat, which records from webcams and microphones, steals Discord tokens, encrypts files, and evades antivirus detection by disabling AMSI (the Antimalware Scan Interface) and ETW (Event Tracing for Windows) logging. Another strain, Venom RAT, adds deeper stealth and evasion tactics, making it a more advanced descendant.

How AsyncRAT Works

AsyncRAT carries the standard RAT feature set, such as keylogging, screenshotting, and remote command execution, but its main danger lies in how it is distributed: frequently through cracked software, malvertising, or fake update prompts.

It is typically delivered by a loader such as GuLoader or SmokeLoader. Once these small loaders slip onto business networks and consumer devices unnoticed, attackers gain complete control.

Notable weaponized variants discovered by ESET include NonEuclid RAT, which brute-forces SSH/FTP passwords and hijacks cryptocurrency wallet addresses in the clipboard, and JasonRAT, which targets victims according to geography.

Meanwhile, XieBroRAT incorporates Cobalt Strike and adds a browser credential stealer aimed specifically at Chinese-speaking targets.

Interestingly, the foundation for AsyncRAT was laid by Quasar RAT, an older C# tool from 2015. But researchers note that AsyncRAT is a full-blown rewrite, built with custom cryptography and stealth as core priorities.

Open-Source Malware: Easy Availability Is A Big Threat

With preconfigured open-source malware kits now sold openly on Telegram and underground forums, the barrier to entry for cybercrime has plummeted. Novice hackers with no programming experience can now deploy advanced threats using plug-and-play builders.

To make matters worse, experts also see an increasing reliance on unmoderated, code-generating LLMs, which, coupled with the accessibility of AsyncRAT, leads to a gold rush: anyone without coding knowledge can now obtain and adapt open-source malware this way.

If security experts are right, we need behavioral analysis, command-and-control detection, and real-time threat intelligence to combat AsyncRAT. The same goes for its rapidly multiplying clones.
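To make those three recommendations concrete, here is an added example (written for this article, not ESET's or the AsyncRAT project's code) that scores outbound TLS connections from constructed, Zeek-style log records. It combines static C2 indicators, a beaconing check for behavioural analysis, and a threat-intel lookup. The ports 6606/7707/8808 and the certificate subject "CN=AsyncRAT Server" are the defaults shipped with the public AsyncRAT project; operators routinely change them, so each is treated as one signal rather than proof. The intel list and every log record are constructed for the example.

```python
"""
Added example: scoring outbound TLS connections for AsyncRAT-style C2 traffic.
Illustrative code written for this article, not ESET's or the AsyncRAT
project's code. Assumptions, labelled: the ports and certificate subject
below are the public AsyncRAT project's defaults (operators change them);
the intel list and the log records are constructed.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass

DEFAULT_ASYNCRAT_PORTS = {6606, 7707, 8808}           # project defaults (assumption)
DEFAULT_ASYNCRAT_CERT_SUBJECT = "CN=AsyncRAT Server"  # default self-signed cert (assumption)
C2_INTEL = {"203.0.113.45"}                           # constructed intel feed (TEST-NET-3)

# Constructed Zeek-like records: ts, src, dst, dport, server certificate subject.
SAMPLE_LOG = (
    "# ts\tsrc\tdst\tdport\tcert_subject\n"
    # default port, default cert, intel hit, regular 60 s beacon -> all four signals
    "1700000000\t10.0.0.7\t203.0.113.45\t6606\tCN=AsyncRAT Server\n"
    "1700000060\t10.0.0.7\t203.0.113.45\t6606\tCN=AsyncRAT Server\n"
    "1700000120\t10.0.0.7\t203.0.113.45\t6606\tCN=AsyncRAT Server\n"
    "1700000180\t10.0.0.7\t203.0.113.45\t6606\tCN=AsyncRAT Server\n"
    # reconfigured variant on 443 with a generic cert: only the 30 s beacon gives it away
    "1700000010\t10.0.0.12\t192.0.2.77\t443\tCN=localhost\n"
    "1700000040\t10.0.0.12\t192.0.2.77\t443\tCN=localhost\n"
    "1700000070\t10.0.0.12\t192.0.2.77\t443\tCN=localhost\n"
    "1700000100\t10.0.0.12\t192.0.2.77\t443\tCN=localhost\n"
    "1700000130\t10.0.0.12\t192.0.2.77\t443\tCN=localhost\n"
    # ordinary browsing: irregular timing, public cert, standard port -> no finding
    "1700000005\t10.0.0.9\t198.51.100.20\t443\tCN=www.example.com\n"
    "1700000900\t10.0.0.9\t198.51.100.20\t443\tCN=www.example.com\n"
    "1700000920\t10.0.0.9\t198.51.100.20\t443\tCN=www.example.com\n"
    "1700003000\t10.0.0.9\t198.51.100.20\t443\tCN=www.example.com\n"
)


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    subject: str  # server certificate subject, "" if none was observed


def parse(line):
    """Parse one tab-separated record into a Conn."""
    ts, src, dst, dport, subject = line.rstrip("\n").split("\t")
    return Conn(float(ts), src, dst, int(dport), subject)


def beacon_score(timestamps):
    """Return (mean_interval, jitter_ratio) for a series of connection times,
    or None with fewer than four samples. Jitter is pstdev/mean of the gaps;
    a value near 0 means the client calls home on a fixed schedule."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def score_flows(lines, jitter_threshold=0.2):
    """Group records per (src, dst, dport) and collect every matching signal."""
    conns = [parse(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst, c.dport)].append(c)

    findings = []
    for (src, dst, dport), cs in by_pair.items():
        reasons = []
        if dport in DEFAULT_ASYNCRAT_PORTS:
            reasons.append(f"default AsyncRAT port {dport}")
        if any(c.subject == DEFAULT_ASYNCRAT_CERT_SUBJECT for c in cs):
            reasons.append("default AsyncRAT server certificate subject")
        if dst in C2_INTEL:
            reasons.append("destination in threat-intel list")
        b = beacon_score([c.ts for c in cs])
        if b and b[1] < jitter_threshold:
            reasons.append(f"beaconing every ~{b[0]:.0f}s (jitter {b[1]:.2f})")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "hits": len(cs), "reasons": reasons})
    # strongest evidence first
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in score_flows(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} ({f['hits']} conns)")
        for r in f["reasons"]:
            print("   -", r)
```

The second host in the sample is the interesting one: it uses port 443 and a generic certificate, so the static indicators say nothing, and only the fixed 30-second call-home interval flags it. That is the case the article's "behavioral analysis" recommendation is aimed at, since a rebuilt clone can change every default but still has to phone home on a schedule.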