{
	"id": "ddcf3105-eb31-4beb-b0d9-a5b162e25611",
	"created_at": "2026-04-06T01:31:38.707726Z",
	"updated_at": "2026-04-10T03:24:39.650673Z",
	"deleted_at": null,
	"sha1_hash": "28111b9da1659d8adf6fef3fe3462dd40317edec",
	"title": "Targeted attack on Thailand Pass customers delivers AsyncRAT | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4006044,
	"plain_text": "Targeted attack on Thailand Pass customers delivers AsyncRAT |\r\nZscaler\r\nBy Gayathri Anbalagan, Partheeban J\r\nPublished: 2022-04-27 · Archived: 2026-04-06 01:18:12 UTC\r\nThe Zscaler ThreatLabz research team has recently discovered a malware campaign targeting users applying for\r\nThailand travel passes. The end payload of many of these attacks is AsyncRAT, a Remote Access Trojan that can\r\nbe used to monitor, control, and steal sensitive data from victims' machines.\r\nThailand Pass is an online travel agency that brokers airline tickets to travelers who want to visit Thailand or other\r\nforeign countries. Attackers trick victims using a spoof web page that poses as Thailand Pass, ultimately baiting\r\nusers into downloading AsyncRAT.\r\nThe Thailand Pass organization has issued an advisory for these malicious campaigns on their official website\r\n\"tp.consular[.]go[.]th\" as shown below.\r\nFigure 1: Advisory by the Thailand Pass organization.\r\nIn this blog, our team will provide a deep analysis of the malware campaign that we have observed related to these\r\nattacks.\r\nThe image below shows the complete flow of execution for this malware campaign.\r\nhttps://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat\r\nPage 1 of 17\n\nFigure 2: Complete attack chain workflow.\r\nThe following malicious URLs were used for this campaign, as found through our Threat Intelligence collection\r\nframework.\r\nhxxps://bit[.]ly/Thailand-passport - a shortened URL of\r\nhxxps://onedrive.live[.]com/Download?\r\ncid=6BCBE135551869F2\u0026resid=6BCBE135551869F2!168\u0026authkey=AGoYtbf1Lb5VjFg\r\nOn accessing the above URL, the page delivers an HTML file named “Thailand Pass Registration System (for air travel.html”.
Once the user opens the HTML file, it automatically drops an ISO file named\r\n“thailand_Passport.iso” without any user interaction, as shown below.\r\nFigure 3: Thailand Pass phishing page drops ISO file.\r\nThis ISO file contains a VBScript file called “qr_thailand_pass.vbs” which begins the malware activity. The\r\ncontent of the VBS file is obfuscated, as shown below.\r\nFigure 4: Obfuscated content of the qr_thailand_pass.vbs file.\r\nAfter de-obfuscating the VBScript, we can see that the script tries to download a Testavast+denf.txt file from the\r\nweb hosting site (ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com) and executes the code using the “IEX”\r\noperation with the help of “powershell”.\r\nFigure 5: Deobfuscated content of the qr_thailand_pass.vbs file.\r\nThe following image shows the content of the Testavast+denf.txt file, which contains code to check if the antivirus\r\nservices ESET, Avast, AVG, or Malwarebytes are running. If any of those services is found, the script modifies the\r\nexecution flow of the malware to get around the antivirus, and downloads the appropriate files in order to do so. It\r\nsaves the files related to the antivirus service as untitled.ps1 and executes that PowerShell script.\r\nFigure 6: Checks for a running AV service and downloads its related text file accordingly.\r\nWhile execution flows are modified if AV services are found to be present, the final payload (AsyncRAT malware)\r\nremains the same.\r\nIF AV exists on the host machine\r\nExample - Victim machine runs Malwarebytes AV as a service\r\nHere, we have taken a case study of a host with Malwarebytes antivirus installed, and will analyze the delivery of\r\nan AsyncRAT payload in detail.
The following image shows the content of the killd.txt file, which downloads the\r\nsupporting files from the web hosting site (ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com).\r\nFigure 7: Content of the PowerShell script present in the Killd.txt file.\r\nThe image depicts the content of the supporting files admin.vbs, admin.ps1, 1_powerrun.vbs, 1.bat and 1.ps1,\r\nwhose main task is to stop the particular AV service to evade detection and to execute the malware attack.\r\nadmin.vbs - Starts the admin.ps1 PowerShell script\r\nadmin.ps1 - Starts the 1_powerrun.vbs script in admin mode\r\n1_powerrun.vbs - Runs the 1.bat batch file\r\n1.bat - Runs the 1.ps1 PowerShell script\r\nFigure 8: Content of admin.vbs, admin.ps1, 1_powerrun.vbs and 1.bat.\r\nThe final goal of the “1.ps1” PowerShell script is to stop the Malwarebytes service and add exclusions for the\r\nsupporting files in real-time scanning, as depicted below.\r\nFigure 9: Stops the Malwarebytes antivirus service using the Force method.\r\nAfter disabling the running antivirus service, it downloads the AsyncRAT malware from the killd.txt file and starts\r\nits malicious activity on the victim's machine.\r\nFigure 10: Content of the AsyncRAT payload present in the killd.txt file.\r\nIf no antivirus services are detected on the victim machine, the code moves to the “else” branch, as shown below.\r\nIF AV does not exist on the host machine\r\nHere the script downloads the “task.txt”, “SecurityHealth.exe” and “SecurityHealth.exe.manifest” files from the\r\nfollowing domain: “hxxp://microsoft[.]soundcast[.]me”.
Then, it executes the “task.txt” file as “untitled.ps1”. It\r\nalso copies the “SecurityHealth[.]exe” and “SecurityHealth[.]exe[.]manifest” files into the startup folder\r\nfor persistence.\r\nFigure 11: If no AV exists, download files from “hxxp://microsoft[.]soundcast[.]me/”.\r\nThe following image shows the content of the Task.txt file, which creates a scheduled task named GoogleUpdate to\r\nexecute the dropped SecurityHealth[.]exe file. This naming fools the user and enables the malware to implement\r\nits persistence method.\r\nFigure 12: Task.txt file uses a persistence technique.\r\nThe SecurityHealth[.]exe file needs the SecurityHealth[.]exe[.]manifest supporting file to execute its malicious\r\nactivities.\r\nThe following image shows the decoded content present in the SecurityHealth[.]exe[.]manifest, containing the\r\nURL (34[.]71[.]81[.]158/Run/aaa.ps1) to download the malicious PowerShell script (aaa.ps1).\r\nFigure 13: Decoded content present in the SecurityHealth.exe.manifest, downloads aaa.ps1.\r\nThe downloaded PowerShell script aaa.ps1 contains the same AsyncRAT payload which is present in the killd.txt\r\nfile (the Malwarebytes AV related file).\r\nFigure 14: Content present in the aaa.ps1 file.\r\nFinal payload AsyncRAT malware - Execution Flow\r\nThe variable $Filc contains the actual AsyncRAT malware payload, which is injected into a legitimate\r\naspnet_compiler.exe file so that it appears as a genuine process running in the background. The following image shows how the\r\nprocess injection is done in detail.\r\nFigure 15: AsyncRAT payload process injection in a legitimate file (aspnet_compiler.exe).\r\nDecoding the variable $Filc yields the AsyncRAT malware file that was hidden inside it.
After\r\ndeobfuscation, we converted it into decimal format and then into ASCII to see the actual executable file (malware\r\npayload), as depicted below.\r\nFigure 16: Deobfuscated AsyncRAT malware executable.\r\nThe injected malware payload runs as a legitimate aspnet_compiler.exe process, as shown below.\r\nFigure 17: aspnet_compiler.exe running as a legitimate process with the AsyncRAT payload injected into it.\r\nProcess Injection - Work Flow\r\nWe have dissected the deobfuscated AsyncRAT to see how the process injection is accomplished. The following\r\nimage shows the APIs used for process injection in the Execute method.\r\nFigure 18: Content present in GetMethod - Execute function - Process injection APIs.\r\nThe following APIs are also used to inject the AsyncRAT malware into the legitimate aspnet_compiler.exe\r\nfile.\r\nFigure 19: Content present in GetType - Order.Yes - Process injection APIs.\r\nThe payload also applies anti-VM and anti-debugging techniques to evade detection, as follows:\r\nit checks whether the downloaded malware payload is running on a physical host or in a virtual machine, and also uses\r\nanti-debugging techniques to hide its actual behavior.\r\nFigure 20: Decompiled AsyncRAT file: Anti-VM and anti-debugging techniques.\r\nFinally, it steals the networking credentials of the victim and sends the stolen information to the following C\u0026C\r\nserver (invoice-update[.]myiphost[.]com), as shown below.\r\nFigure 21: Decompiled AsyncRAT file - C\u0026C server location.\r\nSimilar campaign - Delivery using Discord CDN:\r\ncdn[.]discordapp[.]com/attachments/921529408060289114/947221997325258772/qr_thailand_pass.zip\r\nWe have seen several other Thailand Pass organization spam templates that directly deliver the VBScript file that\r\nleads to the delivery of the same AsyncRAT malware, as shown below.\r\nFigure 22: Thailand Pass downloads VBScript file directly.\r\nConclusion:\r\nAsyncRAT – like other Remote Access Trojans – is a powerful malware that plays a significant role in\r\ncybercriminal activities. ThreatLabz actively tracks these types of malware attacks to protect our customers from\r\ndata theft and from other sensitive information being abused by the cybercriminals.\r\nIOCs:\r\nURLs:\r\nbit[.]ly/Thailand-passport\r\nonedrive[.]live[.]com/Download?\r\ncid=6BCBE135551869F2\u0026resid=6BCBE135551869F2!168\u0026authkey=AGoYtbf1Lb5VjFg\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/New/Testavast+denf[.]txt\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/New/Nod[.]txt\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/New/Avast[.]txt\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/New/Killd[.]txt\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/1[.]bat\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/1[.]ps1\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/1_powerrun[.]vbs\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/PowerRun[.]exe\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/admin[.]ps1\r\nec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/admin[.]vbs\r\nmicrosoft[.]soundcast[.]me/Run/task[.]txt\r\nmicrosoft[.]soundcast[.]me/Run/SecurityHealth[.]exe\r\nmicrosoft[.]soundcast[.]me/Run/SecurityHealth[.]exe[.]manifest\r\n34[.]71[.]81[.]158\r\ncdn[.]discordapp[.]com/attachments/921529408060289114/947221997325258772/qr_thailand_pass.zip\r\nHashes:\r\n9f0a23cf792d72d89010df5e219b4b12 - Thailand pass[.]html\r\ne2da247426a520209f7d993332818b40 - Thailand pass[.]ISO\r\n8f30215a81f2a2950fd5551d4f2212ce - QR_thailand_pass[.]vbs\r\ne8e4ea0f80c9ff49df07e9c1b119ba2a - Security health[.]exe\r\n25ed250f143d623d0d41bd9123bcc509 - SecurityHealth[.]exe[.]manifest\r\n4e6d695ed0559da97c9f081acf0892e4 - AsyncRAT Payload\r\n2922a998d5b202ff9df4c40bce0a6119 - Process injector\r\nb64ac660f13b24f99999e7376424df2d - Killd.txt\r\n984f6bd06024f8e7df2f9ec9e05ae3d2 - Avast.txt\r\na5dfd5b75db6529b6bd359e02229ad1d - Nod.txt\r\n9c0bdb129084a6c8fce1a1e9d153374b - Admin.ps1\r\n7ec50ec3091ff38eb7c43e2a8a253bc9 - 1.ps1\r\nae29fc1878f3471bb196ba353b3daf9d - 1_powerrun.vbs\r\n44314f46a2beb1cc20a0798533f0913E - 1.bat\r\n878b1aae24a87bc0dbce537336878b5E - Admin.vbs\r\nC\u0026C:\r\ninvoice-update[.]myiphost[.]com\r\nDetection \u0026 Coverage:\r\nAdvanced Sandbox Report:\r\nFigure 23: Zscaler Sandbox detection.\r\nAdvanced Threat Protection:\r\nWin32.Downloader.AsyncRAT\r\nHTML.Phish.ThailandPass\r\nVBS.Dropper.AsyncRAT\r\nWin32.Backdoor.AsyncRAT\r\nPS.Downloader.AsyncRAT\r\nWin32.Trojan.NETAssemblyInject\r\nAbout us\r\nZscaler ThreatLabz is a global threat research team with a mission to protect customers from advanced\r\ncyberthreats. Made up of more than 100 security experts with decades of experience in tracking threat actors,\r\nmalware reverse engineering, behavior analytics, and data science, the team operates 24/7 to identify and prevent\r\nemerging threats using insights from 300 trillion daily signals from the Zscaler Zero Trust Exchange.\r\nSince its inception, ThreatLabz has been tracking the evolution of emerging threat vectors, campaigns, and groups,\r\ncontributing critical findings and insights on zero-day vulnerabilities, including active IOCs and TTPs for threat\r\nactors, malware, and ransomware families, phishing campaigns, and more.\r\nThreatLabz supports industry information sharing and plays an integral role in the development of world-class\r\nsecurity solutions at Zscaler. See the latest ThreatLabz threat research on the Zscaler blog.\r\nSource: https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat"
	],
	"report_names": [
		"targeted-attack-thailand-pass-customers-delivers-asyncrat"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439098,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28111b9da1659d8adf6fef3fe3462dd40317edec.pdf",
		"text": "https://archive.orkl.eu/28111b9da1659d8adf6fef3fe3462dd40317edec.txt",
		"img": "https://archive.orkl.eu/28111b9da1659d8adf6fef3fe3462dd40317edec.jpg"
	}
}