| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1622 | Debugger Evasion | AsyncRAT can use the |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | AsyncRAT can hide the execution of scheduled tasks using |
| Enterprise | T1105 | Ingress Tool Transfer | AsyncRAT has the ability to download files, including over SFTP.[5][4] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1680 | Local Storage Discovery | AsyncRAT can check the disk size through the values obtained with |
| Enterprise | T1106 | Native API | AsyncRAT has the ability to use OS APIs including |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | AsyncRAT has been delivered via malicious email attachments.[6] |
| Enterprise | T1057 | Process Discovery | AsyncRAT can examine running processes to determine if a debugger is present.[3] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | AsyncRAT can create a scheduled task to maintain persistence on system start-up.[3] |
| Enterprise | T1113 | Screen Capture | AsyncRAT has the ability to view the screen on compromised hosts.[5] |
| Enterprise | T1016 | System Network Configuration Discovery | AsyncRAT can enumerate the NetBIOS name on targeted machines.[4] |
| Enterprise | T1033 | System Owner/User Discovery | AsyncRAT can check if the current user of a compromised system is an administrator.[3] |
| Enterprise | T1124 | System Time Discovery | AsyncRAT can check whether the current system hour and day of the week are within the operating hours defined in its configuration.[4] |
| Enterprise | T1204.002 | User Execution: Malicious File | AsyncRAT has been executed through victims opening malicious file attachments.[6] |
| Enterprise | T1125 | Video Capture | |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | AsyncRAT can identify strings such as Virtual, vmware, or VirtualBox to detect virtualized environments.[3] |
| ID | Name | References |
|---|---|---|
| G1018 | TA2541 | |
| G0099 | APT-C-36 | APT-C-36 has used a customized version of AsyncRAT.[8][9][10][6] |
| G1054 | MirrorFace | |
| ID | Name | Description |
|---|---|---|
| C0060 | Operation AkaiRyū | During Operation AkaiRyū, MirrorFace used custom versions of AsyncRAT.[4] |