Exploring AsyncRAT: The Evolution and Impact of Remote Access Trojans

Edward Zhou
Edward Zhou

CEO & Co-Founder

 
July 17, 2025 3 min read

AsyncRAT Overview and Variants

AsyncRAT is an open-source remote access trojan that emerged on GitHub in 2019. Its design incorporates a variety of typical RAT capabilities, including keylogging, screen capture, and credential theft. The simplicity and open-source nature of AsyncRAT have made it particularly attractive to cybercriminals, resulting in its widespread use in various cyberattacks. Over time, AsyncRAT has evolved into a fundamental component of modern malware, generating numerous variants and forks that enhance its functionality.

AsyncRAT

Image courtesy of Help Net Security

Evolution of AsyncRAT

ESET Research has analyzed the evolution of AsyncRAT, detailing how its modular architecture and improved stealth features contribute to its adaptability in modern threat environments. According to ESET researcher Nikola Knežević, “AsyncRAT introduced significant improvements, particularly in its modular architecture and enhanced stealth features, making it more adaptable and harder to detect in modern threat environments.”

The most popular forks include DcRat, VenomRAT, and SilverRAT. DcRat expands the feature set of AsyncRAT considerably, while VenomRAT enhances capabilities even further. Some less serious forks, such as SantaRAT and BoratRAT, were created as jokes but have been observed in actual attacks.

For a deeper analysis of AsyncRAT variations, see ESET’s detailed report.

AsyncRAT Forks and Their Features

The diverse landscape of AsyncRAT forks presents unique characteristics and functions. ESET's telemetry shows that DcRat accounts for 24% of unique sample infections, while VenomRAT follows with 8%. This indicates the prevalence of these variants in active cyberattacks.

Notable Variants

  • DcRat: Enhances AsyncRAT’s features, utilizing MessagePack for efficient data serialization. It implements evasive techniques such as AMSI and ETW patching, blocking detection mechanisms and terminating processes on a denylist.
  • VenomRAT: Offers an extensive feature set, functioning almost independently from its predecessor. It integrates multiple plugins directly into the client, which reduces reliance on external modules.
  • SantaRAT and BoratRAT: These forks are more novelty than serious threats, highlighting the range of AsyncRAT's evolution.

Unmasking AsyncRAT: Navigating the labyrinth of forks

Image courtesy of ESET

Identifying AsyncRAT Variants

Identifying the various forks of AsyncRAT relies on analyzing configuration settings and values within the malware's code. Most samples contain a Version field that identifies the specific fork, which is usually encrypted using AES-256. If this field is absent, other clues may be found in the Salt values or embedded certificates.

ESET’s research provides methodologies for identifying AsyncRAT servers, including sending crafted packets to C&C servers. Further insights can be derived from the malware’s code structure and functionality.

Figure 5. Initialization of VenomRAT configuration values

Image courtesy of ESET

Lesser-Known Variants and Their Capabilities

Less common AsyncRAT forks continue to emerge, each with unique plugins that extend functionality beyond the original RAT capabilities. Some noteworthy examples include:

  • NonEuclid RAT: Features plugins such as WormUsb.dll, which targets PE files for infection, and Brute.dll, which brute forces SSH and FTP.
  • JasonRAT: Displays odd naming conventions and employs Morse code for string obfuscation.
  • XieBroRAT: Targets browser credentials and provides interaction with Cobalt Strike servers.

Figure 10. Compromise function of a WormUsb.dll plugin

Image courtesy of ESET

Conclusion

The pervasive nature of AsyncRAT and its forks highlights the challenges in cybersecurity. The open-source framework lowers the barrier for aspiring cybercriminals, enabling the rapid development and deployment of sophisticated malware. As threats evolve, proactive detection strategies and behavioral analysis will be critical in combating emerging risks.

For more information on malware threats and how to protect against them, visit our website at Gopher Security.

Explore our services or contact us for assistance in safeguarding your digital assets.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview
OpenSSL vulnerability

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview

Urgent: OpenSSL 3.x vulnerable to CVE-2025-15467, enabling pre-auth RCE. Learn affected versions, impact, and immediate mitigation steps. Protect your systems now!

By Divyansh Ingle March 10, 2026 4 min read
common.read_full_article
SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now
SolarWinds Web Help Desk

SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now

Critical RCE & Auth Bypass flaws in SolarWinds Web Help Desk are fixed! Don't risk it. Update to v2026.1 now to protect your systems. Learn more.

By Edward Zhou March 9, 2026 4 min read
common.read_full_article
AI vs Human Hackers: Who Prevails in 2026 Pen Testing?
AI hacking

AI vs Human Hackers: Who Prevails in 2026 Pen Testing?

Discover the results of a groundbreaking study comparing AI agents and human hackers in web vulnerability exploitation. See who prevails and what it means for your security. Read now!

By Jim Gagnard March 6, 2026 6 min read
common.read_full_article
Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends
vulnerability exploits

Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends

Exploits are now the top intrusion method, outpacing phishing. Discover why rapid vulnerability patching is critical and how to bolster your defenses. Read more!

By Edward Zhou March 4, 2026 4 min read
common.read_full_article