AsyncRAT Malware Explained: Remote Access Trojan Used in Cyberattacks
AsyncRAT is a family of malware commonly used in cyberattacks as a Remote Access Trojan (RAT), giving an attacker remote control of a victim’s system. Once AsyncRAT infiltrates a system, attackers can covertly execute commands, exfiltrate sensitive data, or monitor user activity in the background.
A sophisticated strain that can be customized for each campaign, AsyncRAT poses a significant threat. Because it acts stealthily and does not immediately reveal its presence, AsyncRAT is often harder to detect than more conventional malware.
Organizations require robust security measures to protect themselves against AsyncRAT malware and similar remote access trojan threats.
Introduction to AsyncRAT
Short for “Asynchronous Remote Access Trojan,” AsyncRAT is a popular malware family used by a wide range of threat actors to target Windows systems. Remote access trojans are malware that lets an attacker remotely control an infected computer.
Once a system is compromised, the attacker can execute commands remotely and receive data back, which facilitates a range of malicious activities.
AsyncRAT campaigns have been observed:
- Stealing credentials and other sensitive data.
- Loading other forms of malware, including ransomware.
- Providing botnet capabilities to launch attacks.
The Origin of AsyncRAT
AsyncRAT was first published on GitHub in 2019 as an open-source remote administration tool. Whether it was ever intended as a legitimate project is hard to determine: it advertises itself as a genuine remote administration tool and carries notes proclaiming an educational intent.
Since its release, however, AsyncRAT has been used almost exclusively for malicious purposes, and the GitHub project is suspected of having served mainly to promote the creator’s malware.
AsyncRAT analysis reveals that the original code has been heavily revised for individual campaigns. Because the project is open source, threat actors can modify it to build their own variants with new features, functionality, and distribution methods.
This means that AsyncRAT provides the infrastructure for a wide range of attacks and actors, including:
- Amateur hackers
- Emerging cybercriminal groups
- Sophisticated ransomware collectives
- Nation-state entities
AsyncRAT campaigns have steadily increased since 2019, with the malware appearing in many campaigns, including attacks on US infrastructure. It has become particularly popular within the Chinese cybercriminal community.
It is also closely related to a number of other malware families: AsyncRAT is itself a fork of the open-source Quasar RAT, its code has in turn been reused by later RATs such as BoratRAT, and it is frequently discussed alongside related families such as RevengeRAT.
AsyncRAT Analysis: How the Malware Works
The AsyncRAT family is written in C#, although analysts have also observed recent samples written in Rust. Several motives are possible, one of them being analysis evasion.
Rust binaries are harder to reverse engineer because decompilers and other analysis tooling support the language far less well than they do .NET assemblies, which decompile almost back to readable C#.
Once a system is compromised, AsyncRAT sends basic system information to its command and control (C2) server and then establishes persistence. The technique depends on the privileges the implant runs with:
- Scheduling a task (typically when it runs with administrator rights)
- Creating a registry Run key (when it runs as a standard user)
It also enables SeDebugPrivilege in its own token. This does not elevate the process (the privilege is present, though disabled by default, only in tokens that are already elevated), but enabling it lets the implant open and tamper with other processes.
With the ability to execute commands remotely, AsyncRAT typically downloads plugins, terminates processes, and updates itself. AsyncRAT analysis shows it can perform a number of functions common among remote access trojans, such as:
- Keylogging
- Data exfiltration
- Chat communication with the victim
- Disabling Windows Defender
- Recording the desktop screen
- Downloading and running additional payloads
- Persistence mechanisms
- Accessing the camera and microphone
- Denial of service attacks
- Running cryptocurrency miners
Beyond these functions, AsyncRAT also has anti-detection capabilities, in particular checking for virtual machines and sandboxes and exiting when it finds one, so that it is not observed in an analysis environment.
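The persistence and Defender-tampering behaviour described above is what endpoint telemetry should surface. The following is an added example, not code from the page or from AsyncRAT itself: a small hunting script that runs four checks over Sysmon-style and Windows Security events. All records are constructed here (field names follow Sysmon EID 1 and EID 13 and Security EID 4703, but nothing was captured from a real host), and the file and task names in them are placeholders.

```python
"""Hunting for AsyncRAT-style persistence in endpoint telemetry.

Added example, not code from the page or from AsyncRAT itself. The event
records are constructed: their field names follow Sysmon (EID 1 process
creation, EID 13 registry value set) and the Windows Security log
(EID 4703 token right adjusted), but none was captured from a real host.
"""
import re
from dataclasses import dataclass

# Directories a persistence entry should not normally launch from.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Temp|Downloads|ProgramData|Public)\\",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Defender tampering via PowerShell, a common RAT installer step.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-ExclusionPath", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    technique: str
    process: str
    detail: str


def check_run_key(ev):
    """Sysmon EID 13: Run/RunOnce value written that points into a user-writable path."""
    if ev.get("EventID") != 13:
        return None
    target, value = ev.get("TargetObject", ""), ev.get("Details", "")
    if RUN_KEY.search(target) and USER_WRITABLE.search(value):
        return Finding("registry_run_key", ev.get("Image", ""), f"{target} = {value}")
    return None


def check_scheduled_task(ev):
    """Sysmon EID 1: schtasks /create at highest run level with a user-writable target."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if (re.search(r"/create\b", cmd, re.I) and re.search(r"/rl\s+highest\b", cmd, re.I)
            and USER_WRITABLE.search(cmd)):
        return Finding("scheduled_task_highest", ev.get("ParentImage", ""), cmd)
    return None


def check_defender_tamper(ev):
    """Sysmon EID 1: command line that disables Defender or adds an exclusion."""
    if ev.get("EventID") == 1 and DEFENDER_TAMPER.search(ev.get("CommandLine", "")):
        return Finding("defender_tamper", ev.get("ParentImage", ""), ev["CommandLine"])
    return None


def check_debug_privilege(ev):
    """Security EID 4703: SeDebugPrivilege enabled by a process in a user-writable path."""
    if ev.get("EventID") != 4703:
        return None
    proc, privs = ev.get("ProcessName", ""), ev.get("EnabledPrivilegeList", "")
    if "SeDebugPrivilege" in privs and USER_WRITABLE.search(proc):
        return Finding("sedebug_from_user_path", proc, privs)
    return None


CHECKS = (check_run_key, check_scheduled_task, check_defender_tamper, check_debug_privilege)


def hunt(events):
    """Run every check over every event; findings come back in event order."""
    return [f for ev in events for f in (c(ev) for c in CHECKS) if f is not None]


# Constructed telemetry: one benign Run key (an updater under Program Files)
# followed by three events resembling the installer stage described above.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Teams\Update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Teams",
     "Details": r"C:\Program Files\Teams\Update.exe --processStart Teams.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r'"C:\Users\alice\AppData\Roaming\svchost.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": r'schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr "C:\Users\alice\AppData\Roaming\svchost.exe"'},
    {"EventID": 4703, "SubjectUserName": "alice",
     "ProcessName": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.process}: {f.detail}")
```

The benign Teams entry is deliberately included: a Run key by itself is normal, and the signal comes from where the value points. The same path heuristic is reused for the scheduled task and for the SeDebugPrivilege event, which a legitimate, signed program in Program Files would rarely trigger.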
Common Methods for AsyncRAT Malware Distribution
AsyncRAT is most commonly distributed through phishing, with spam email campaigns spreading the code as a malicious email attachment. AsyncRAT analysis has, however, seen the malware distributed by a variety of other methods, including:
- Malvertising on compromised sites
- Delivered payload through another malware infection
- Exploit kits
There have also been notable AsyncRAT campaigns using spear phishing, a more targeted form of phishing. One variation delivers the payload inside an ISO image attachment, a container format attackers have used to get around email filtering and Mark-of-the-Web checks.
Another chain abuses Microsoft OneNote: spear phishing emails carry a OneNote attachment with an embedded HTML Application (HTA) file, which in turn runs a disguised batch script that executes the AsyncRAT payload.
AsyncRAT distribution is also commonly seen alongside other RATs and infostealers. Examples include:
- XWorm
- Vjw0rm
- VenomRAT
AsyncRAT Targets
Because it is open source, AsyncRAT is available to any threat actor who wants to use it.
With its many revisions and variants, AsyncRAT has broad targeting capabilities and is used by a large number of threat actors to launch a wide range of attacks against diverse targets.
Typical sectors for AsyncRAT campaigns include:
- Healthcare
- Aerospace
- Technology
- Hospitality
- Business services
- Finance industry
- Government organizations
The 2025 Cyber Threat Intelligence Report from consultancy firm Bridewell found that AsyncRAT C2 servers were primarily located in Poland, Turkey, and the United States, and that not a single AsyncRAT C2 server was observed in China.
Read alongside the malware’s popularity among Chinese cybercriminals, this suggests those operators prefer to host their C2 infrastructure outside China.
Evolution & Recent AsyncRAT Campaigns
AsyncRAT has steadily gained popularity since its release in 2019. The Check Point State of Cyber Security 2025 report ranked AsyncRAT the sixth most prevalent malware family globally in 2024, and industry analysts observed a spike in activity in late 2024 and early 2025.
Check Point’s monthly analysis found it to be the fourth most prevalent malware in February 2025, a position it held again in Check Point Research’s May 2025 ranking.
Recent AsyncRAT campaigns have included:
- Abusing Dropbox URLs and temporary TryCloudflare tunnel infrastructure to distribute the malware. This typically takes the form of a phishing email with a Dropbox URL that leads the recipient to download a ZIP file. The archive contains an internet shortcut (.url) file that, when opened, distracts the user with a legitimate-looking PDF while fetching multiple malware payloads from the tunnel infrastructure.
- Hijacking expired or deleted Discord invite links, which lets the threat actor redirect users from a trusted source to a malicious server. These attacks use multiple infection stages to deliver AsyncRAT stealthily while bypassing several Windows security features.
Both campaigns show threat actors abusing legitimate infrastructure to deliver their malicious payload.
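The delivery chains above (ZIP plus .url shortcut staged through a TryCloudflare tunnel, ISO images, OneNote attachments with embedded HTA files) share a trait an email gateway can act on: a container carrying a script or shortcut that points somewhere remote. The following added example, not code from the page or from any vendor product, triages a ZIP attachment that way. It is also the kind of file-type check the mitigation advice later on this page refers to. The archive, the .url shortcut inside it and the trycloudflare.com host name are all constructed here so the script runs offline.

```python
"""Attachment triage for the AsyncRAT delivery containers described above.

Added example, not code from the page or from any vendor product. The ZIP
archive, the .url shortcut inside it and the trycloudflare.com host name are
constructed here so the script runs offline.
"""
import configparser
import io
import zipfile
from urllib.parse import urlparse

# Script and container formats from the chains above (.url/.lnk/.hta/.iso/.one)
# plus the usual script hosts; a production filter would take this from policy.
RISKY_EXT = {
    ".url", ".lnk", ".hta", ".iso", ".img", ".vhd", ".vhdx", ".one",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".scr", ".exe",
}
# Legitimate services abused for staging in the campaigns above.
STAGING_HOSTS = ("trycloudflare.com", "dropbox.com", "dropboxusercontent.com",
                 "discord.com", "discordapp.com")


def ext_of(name):
    """Last extension of a member name, lower-cased ('' if there is none)."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_url_shortcut(data):
    """Target of a Windows .url (InternetShortcut) file, or None if it does not parse."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_target(url):
    """Coarse label for where a shortcut points."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme == "file" or url.startswith("\\\\"):
        return "remote_file_share"   # UNC / WebDAV fetch of the next stage
    if any(host == h or host.endswith("." + h) for h in STAGING_HOSTS):
        return "known_staging_host"
    if p.scheme in ("http", "https"):
        return "remote_url"
    return "other"


def scan_zip(blob):
    """Return one dict per risky member of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            ext = ext_of(info.filename)
            if info.is_dir() or ext not in RISKY_EXT:
                continue
            finding = {"member": info.filename, "ext": ext}
            if ext == ".url":
                target = parse_url_shortcut(zf.read(info))
                finding["target"] = target
                finding["target_class"] = classify_target(target) if target else "unparsed"
            findings.append(finding)
    return findings


def verdict(findings):
    """Quarantine anything carrying a risky member; the findings explain why."""
    return "block" if findings else "allow"


def build_zip(members):
    """Construct a ZIP in memory from {name: bytes} (used for the sample below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed attachment: a decoy PDF beside a shortcut pointing at a
# placeholder TryCloudflare tunnel, mirroring the ZIP + .url chain above.
SAMPLE_ZIP = build_zip({
    "Invoice_2024-11.pdf": b"%PDF-1.4\n%decoy\n",
    "Invoice_2024-11.pdf.url": (
        b"[InternetShortcut]\r\n"
        b"URL=https://example-placeholder-tunnel.trycloudflare.com/invoice.pdf.lnk\r\n"
        b"IconIndex=13\r\n"
    ),
})

if __name__ == "__main__":
    hits = scan_zip(SAMPLE_ZIP)
    print(verdict(hits), hits)
```

The decision is deliberately blunt (any risky member blocks the message) because none of these formats has a legitimate reason to arrive by email in most organisations; the parsed shortcut target is kept for the analyst, since a tunnel or file-share host tells you which campaign family you are looking at before the payload is ever fetched.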
AsyncRAT Detection and Mitigation Strategies
While AsyncRAT attacks take many forms and often operate stealthily, there are detection and mitigation techniques that help limit their impact.
Common AsyncRAT detection and remediation strategies to consider for your organization include:
- Training employees on phishing techniques, the signs of a malicious attachment or link, and not opening suspicious email links or attachments.
- Email filtering and sandboxing capable of detecting AsyncRAT phishing, including the container and script file types commonly used to carry its payload.
- Endpoint Detection and Response (EDR) tools that detect AsyncRAT signatures and the suspicious behavior, such as new persistence entries and C2 traffic, that indicates a compromised system.
- Robust, zero-trust access controls to limit the impact of compromised credentials and prevent lateral movement across business networks.
- Allowing remote access only over secure connections, through either a Virtual Private Network (VPN) or a Secure Web Gateway (SWG).
RAT Protection with Check Point
To prevent AsyncRAT malware from taking control of your systems, you need robust RAT protection. With comprehensive endpoint security capabilities delivered in a single tool, Harmony Endpoint can detect AsyncRAT and other remote access trojan attacks before they have a significant impact.
With up-to-date threat intelligence and advanced machine learning algorithms for behavioral analysis, Harmony Endpoint detects malware before it can take root in your systems. It also includes anti-ransomware technology, advanced behavioral analysis, and full attack containment and remediation.
Schedule a demo or try a free trial of Harmony Endpoint and discover how it can secure your systems and users against AsyncRAT and similar threats.
