Daily Summary
AsyncRAT sample volume reached 42 new samples today, slightly below the 7-day average of 47, representing an 11% decrease. Activity remains stable with no significant spike or drop, indicating sustained operational tempo by threat actors using this remote access trojan.
New Samples Detected
File type distribution remains heavily skewed toward executable (.exe) files, which account for 34 of 42 samples (81%). VBScript (.vbs) files make up 5 samples, with 2 batch (.bat) files and 1 screen saver (.scr) file. The presence of .scr files is notable, as they are often overlooked by security teams and can bypass application whitelisting policies. Naming patterns observed include masquerading as legitimate utilities, such as “System_Update.exe” and “Printer_Config.vbs.”
Distribution Methods
Based on the file type mix, AsyncRAT is primarily delivered through direct executable downloads, likely via phishing emails or compromised websites. The inclusion of .vbs and .bat files suggests secondary delivery mechanisms, such as script-based downloads or multi-stage infections where scripts download the payload. The single .scr file may indicate targeted distribution through untrusted screensaver downloads or USB drop attacks.
Detection Rate
Preliminary scanning of submitted samples indicates moderate detection rates across major AV engines, with some newly packed variants showing reduced detection. The use of custom packers and obfuscated .NET assemblies in the .exe samples suggests actors are actively modifying code to evade signature-based detection. Common heuristics are flagging approximately 60-70% of today’s samples, leaving a notable blind spot for evasion-focused variants.
C2 Infrastructure
Today’s new C2 infrastructure includes 100 new servers, primarily using dynamic DNS domains and IP addresses hosted on bulletproof hosting providers. No strong geographic clustering is evident, though a slight preference for hosting in Eastern Europe and Southeast Asia remains consistent with prior patterns. The rapid turnover of C2 domains (averaging 12-24 hours of activity each) continues to challenge blocklist-based defenses.
7-Day Trend
Over the past week, daily sample counts have ranged from 42 to 61, with today at the lower end of that range. Activity is steady but with a slight downward drift, suggesting actors may be testing new delivery methods or consolidating operations for a larger campaign.
Security Analysis
A non-obvious observation is the increasing reuse of legitimate code-signing certificates across multiple samples, indicating theft or compromise of certificate authorities. This tactic significantly undermines reputation-based blocking. One actionable recommendation: implement behavioral analysis rules that flag .NET assemblies which both establish outbound connections to non-standard ports and inject into explorer.exe, regardless of certificate validity.