{
	"id": "56435a06-2d3b-4d3f-adc0-bb959a607b05",
	"created_at": "2026-04-06T00:10:58.336315Z",
	"updated_at": "2026-04-10T13:11:44.961205Z",
	"deleted_at": null,
	"sha1_hash": "2ce0d264912343f61f9fe9b55de3a98e74be4c88",
	"title": "Asbit: An Emerging Remote Desktop Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 643037,
	"plain_text": "Asbit: An Emerging Remote Desktop Trojan\r\nBy Paul Kimayong\r\nPublished: 2022-08-31 · Archived: 2026-04-05 17:29:36 UTC\r\nIntroduction\r\nJuniper Threat Labs is currently monitoring an emerging Chinese Remote Desktop Trojan called Asbit. It’s a remote access Trojan being advertised on its developer’s website as a “Fast Remote Desktop”. This RAT first made its appearance in 2021 and has kept updating its infrastructure and features as it went along. It uses a number of strategies to avoid endpoint and network detection. By using DNS over HTTPS (DoH) to resolve the IP addresses of its control servers, it aims to get past network DNS filters.\r\nThe domain asbit[.]cn was registered on January 31, 2021. This domain was used to host the malware and its modules. It also hosts the threat actor’s website. The website is still live at the time of this publication. Recently, the threat actor registered another domain and website, rdlite[.]com. The new website looks like a copy of the previous website.\r\nhttps://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan\r\nPage 1 of 14\r\nThe website www.asbit.cn translated to English. It advertises itself as “Fast Desktop”, a secure remote desktop application for IT professionals.\r\nTimeline\r\nTo provide an understanding of the Asbit operation, below is a timeline of their infrastructure. The domain asbit[.]cn was registered on January 31, 2021. At that time, it resolved to IP 47.111.81.199. Later in 2021, the threat actors registered mitm[.]work and fmt[.]ink. At that time, the servers were hosted on Linux. In 2022, they registered the domains def[.]cab, rfb[.]ink and rdlite[.]com. Around June of 2022, we also see a shift in the OS they used to host these servers. Based on third-party server fingerprinting services like Shodan and Censys, we found that they shifted to Windows and used IIS. It’s unclear to us why they shifted to Windows.\r\nDomain | Creation Date | DNS Resolution | ASN | Country | First Seen | Last Seen | OS\r\nasbit.cn | January 31, 2021 | 47.111.81.199 | Hangzhou Alibaba Advertising Co.,Ltd. | China | 2021-01-31 14:12:49 | 2021-10-22 5:50:25 | Linux\r\nasbit.cn | January 31, 2021 | 43.128.31.158 | Asia Pacific Network Information Center, Pty. Ltd. | Hong Kong | 2021-10-23 0:35:40 | 2021-12-21 0:35:50 | Linux\r\nasbit.cn | January 31, 2021 | 43.156.37.105 | Tencent Cloud Computing (Beijing) Co., Ltd | China | 2021-12-22 15:42:42 | 2021-12-22 15:42:42 | Linux\r\nmitm.work | May 24, 2021 | 43.128.31.158 | Asia Pacific Network Information Center, Pty. Ltd. | China | 2021-06-04 18:11:34 | 2021-12-15 8:34:51 | Linux\r\nmitm.work | May 24, 2021 | 43.154.232.199 | Tencent Cloud Computing (Beijing) Co., Ltd | China | 2022-06-15 5:41:34 | 2022-07-12 4:04:09 | Windows, IIS server\r\nmitm.work | May 24, 2021 | 119.28.78.209 | Tencent cloud computing (Beijing) Co., Ltd. | Hong Kong | 2022-07-12 4:30:38 | 2022-08-01 0:33:24 | Windows, IIS server\r\nfmt.ink | September 4, 2021 | 43.128.31.158 | Asia Pacific Network Information Center, Pty. Ltd. | Hong Kong | 2021-09-06 2:23:53 | 2022-05-20 8:39:50 | Linux\r\nfmt.ink | September 4, 2021 | 43.154.211.60 | Tencent Cloud Computing (Beijing) Co., Ltd | China | 2022-05-20 9:07:51 | 2022-06-19 17:40:10 | Unknown\r\nfmt.ink | September 4, 2021 | 43.154.232.199 | Tencent Cloud Computing (Beijing) Co., Ltd | China | 2022-06-15 5:20:32 | 2022-07-12 4:27:52 | Windows, IIS server\r\nfmt.ink | September 4, 2021 | 119.28.78.209 | Tencent cloud computing (Beijing) Co., Ltd. | Hong Kong | 2022-07-12 5:10:32 | 2022-08-01 1:56:23 | Windows, IIS server\r\ndef.cab | May 6, 2022 | 43.128.31.158 | Asia Pacific Network Information Center, Pty. Ltd. | China | 2022-05-08 23:00:04 | 2022-05-08 23:00:04 | Linux\r\ndef.cab | May 6, 2022 | 43.154.232.199 | Tencent Cloud Computing (Beijing) Co., Ltd | China | 2022-07-12 9:55:52 | 2022-07-26 21:07:26 | Windows, IIS server\r\nrfb.ink | February 24, 2022 | 43.128.31.158 | Asia Pacific Network Information Center, Pty. Ltd. | Hong Kong | 2022-05-14 13:07:32 | 2022-05-18 7:20:44 | Linux\r\nrfb.ink | February 24, 2022 | 43.154.211.60 | Tencent Cloud Computing (Beijing) Co., Ltd | China | 2022-05-21 15:34:34 | 2022-06-03 2:41:55 | Unknown\r\nrfb.ink | February 24, 2022 | 43.154.232.199 | Tencent Cloud Computing (Beijing) Co., Ltd | China | 2022-06-03 15:32:50 | 2022-07-12 8:58:52 | Windows, IIS server\r\nrfb.ink | February 24, 2022 | 119.28.78.209 | Tencent cloud computing (Beijing) Co., Ltd. | Hong Kong | 2022-07-12 9:50:46 | 2022-07-25 11:51:59 | Windows, IIS server\r\nrdlite.com | June 8, 2022 | 104.21.10.90 | Cloudflare | United States | 2022-06-08 17:26:55 | 2022-08-10 2:16:40 | Unknown\r\nrdlite.com | June 8, 2022 | 172.67.162.192 | Cloudflare | United States | 2022-06-08 17:26:55 | 2022-08-10 2:16:40 | Unknown\r\nEarly Version of asbit RAT\r\nThe earliest version of the malware we could find dates back to May 2021. It included a series of loader modules which eventually download the core module. The malware is typically bundled with installers. It starts by dropping the loader module, which installs another DLL as a service. The installed service further downloads and executes the core module. The core module has remote desktop functionality and other capabilities, including command execution and keystroke injection.\r\nThe malicious installer (806523a9e4021cd72691fbdeb229339a24984b7ca79c3860ba468c832bf95c4d) drops the loader modules C:\\2.0.50727 and C:\\4.0.30319. The files appear to be folders of the .NET framework, but they are in fact files. This is likely done by the author to obscure itself and try to evade endpoint detection. It also drops a malicious libexpat.dll (018656e61c7c5fc8d5983a32507fbcf379dd9e2b5dd7d67b8e44590d46a8c51f) and a benign XLSP.dll (cca2ea493c8402ed24c9c93328066ae0ce451059e2f954929f24ab7481119b6c).\r\nThe installer drops the components in the C:\\ directory.\r\nLoader Module\r\nThe loader module starts with the dropped C:\\2.0.50727 or C:\\4.0.30319. It executes either of these files using RegAsm.exe, an assembly registration tool that is used to load .NET assembly files.\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe /u \"C:\\4.0.30319\"\r\nThe \"/u\" parameter, which means \"Unregister\", is part of the command to install this module. This could be interpreted as being used to remove the module. However, the module itself has an “Unregister” function that does the opposite. It creates a service for libexpat.dll that further downloads additional modules, including the core module.\r\nUnregister function in the loader module that installs 2 DLLs as a service.\r\nOnce the libexpat.dll service is installed and running, it downloads 2 additional modules. One is a module that creates a web proxy (f223ceb9830ed18d823f42d9d8d5c09429782e0bcdbc62da5f00c881964e7041) and the other is the core module (4b1efadc55c0cc3471e0945804125317b2a75772393541f680b1617f8a42773d).\r\nSecond Loader Module\r\nThis module installs a browser proxy by downloading a Proxy Auto-Configuration (PAC) file from 47.111.81.199. This allows the threat actor to act as a Browser-in-the-Middle by having all requests from the browser proxied to the threat actor’s server. Installation of the PAC file also includes installation of the threat actor’s certificate.\r\nFunction that downloads and installs a PAC file.\r\nThe certificate installed by asbit malware.\r\nLastly, the module contacts “rat.t.com” to report the newly infected system. The system information, which includes MAC address, OS, CPU and date, is hashed and sent as the ID.\r\nCore Module\r\nThe core module is a fully functional RAT. It has a hard-coded server it connects to, which is 47.111.81.199:6000. It also includes several functionalities, including command execution and keystroke injection.\r\nBelow is the list of functions it can perform:\r\n1. Capture Screenshots\r\n2. Run TightVNC for Remote Desktop Control\r\n3. Control Mouse Movements\r\n4. Inject Keystrokes\r\n5. Kill Process by PID\r\n6. Download Files\r\n7. Execute Commands\r\n8. Collect Installed Certificates\r\nAn interesting function of this RAT is that it uses TightVNC for its remote desktop functions. We also found other variants of this malware that use UltraVNC instead of TightVNC.\r\nFunction in the core module that uses TightVNCServer.\r\nWinVNC.exe process seen during execution of the malware.\r\nLatest Version\r\nAs we noted in the “Timeline” section, the threat actor changed its infrastructure. It shifted to the following domains for its download and control servers.\r\n[Image: list of the new download and control domains; only the TLDs .ink, .ink, .cab and .work survive in the extracted text]\r\nThey have also added functionality to bypass network security using DNS over HTTPS (DoH) and added a separate module solely for Remote Desktop using the RDPSession class built into Windows.\r\nInstaller\r\nWe found the installer distributed as .pif files. Some of these files were seen as Discord attachments, which indicates that the threat actors used Discord as an infection vector. Below are some of the installer files we found:\r\nFilename: Photo_2022-07-10_19-23-19.pif\r\nSha256: 754cc559a2c861c0ef8acfbbb632e79e04839ab9f8948fa3392c1cd69d14f026\r\nITW URL: https://cdn.discordapp.com/attachments/911561368359039026/995990526950117406/photo_2022-07-1\r\nFilename: Need to download attachments.pif\r\nSha256: C5a720c2460da4c49b912409b204fbec31c79af3f7aaa011a3e679645f060760\r\nITW URL: Unknown\r\nFilename: WhatsAppSMS reception.txt\r\nSha256: a2cdf57b6a1cbf36d0440feedb2d9593e81cf646fd6f736a66d32950c1fa6857\r\nITW URL: Unknown\r\nThe following analysis is based on the installer 754cc559a2c861c0ef8acfbbb632e79e04839ab9f8948fa3392c1cd69d14f026.\r\nThe installer drops the loader module and libexpat.dll.\r\nIt has a slightly different install command than the first version. It still uses RegAsm.exe to load the loader module, but now it drops it in C:\\ with a random filename rather than a .NET folder-like name. Libexpat.dll is also dropped in C:\\ProgramData.\r\n\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\" /u \"C:\\kfdjvzx5.5ie\"\r\ndd99e3acca16b02fa947b0742acfdc0a entry\r\nThe loader module, C:\\kfdjvzx5.5ie, installs libexpat.dll as a service.\r\nLibexpat.dll further downloads the following additional modules.\r\nCore\r\n- Downloaded from https://106[.]12.129.126/build?project=loader.core\u0026version=4.0.30319\r\n- Downloads the core module\r\n- Has functions to uninstall itself and the malware\r\nCore Module\r\n- Downloaded from https://106[.]12.129.126/build?project=client.core\u0026version=4.0.30319 as a gzip file\r\n- Uses DoH to determine the IP of ddns.b.rdlite.com, where it can download the rdp module\r\nRdp Client Module\r\n- Downloaded from https://222[.]210.157.249:1024/build?project=rdp.client.core\u0026version=4.0.30319\u0026t=28069859\r\n- Uses DoH to determine the IP of its control server (v2.team.rfb.ink:5100)\r\nCore Module\r\nThe new core module includes functions such as capturing screenshots, injecting keystrokes and executing commands, but we noticed a much cleaner programming style, hinting at active development of the malware. We also noticed that it added several functions, particularly handlers, for example vnc, rfb and p2p functions.\r\nAnother interesting function is the use of DNS over HTTP (DoH) to query the IP address of its control servers. For instance, the domain name of the file server where it hosts the rdp module could be any of the following domains:\r\na.rdlite.com:1024\r\nb.rdlite.com:1024\r\nw.rdlite.com:1024\r\nHowever, it does not use the traditional way of getting the IP address, which is connecting to the DNS server at port 53 using UDP. Rather, it gets the IP address using DNS over HTTP (DoH).\r\nBelow is a query for the IP address of ddns.b.rdlite.com using the Alibaba DoH server, followed by the response.\r\nGET /resolve?name=ddns.b.rdlite.com\u0026short=true\u0026_=28042000 HTTP/1.1\r\nHost: 223.5.5.5\r\nConnection: Keep-Alive\r\n[\"222.210.157.249\"]\r\nCurrently, it can use either AliDns or DnsPod DoH servers.\r\nUsing DoH makes the malware more resilient against network filters that rely on traditional DNS queries for blocking domains. For example, a network filter that blocks the domain ddns.b.rdlite.com won’t be able to block the request because it can only see the HTTP request to the DoH servers (e.g., Alibaba or DnsPod). The way to block this request is to directly block the IP address associated with the domain.\r\nIt’s interesting to note, however, that the malware author did not use HTTPS, which would make it more resilient, as such requests are encrypted.\r\nRDP Client Module\r\nThis module is mainly for remote desktop control, as the name implies. The old versions relied on commercial or free remote desktop applications such as TightVNC or UltraVNC, while the latest version implements its own RDP. It does this by using the built-in Windows RDP application. It works by creating an RDP Session instance using the CLSID (9B78F0E6-3E05-4A5B-B2E8-E743A8956B65), which is the RDPSession class in Windows.\r\nThe RDP module’s control server is v2.team.rfb.ink:5100, and it also uses DoH to determine the IP of its control server.\r\nConclusion\r\nIn this blog, we have detailed the evolution of an emerging Chinese remote desktop trojan. We have identified some of its capabilities and its infrastructure and how it tries to evade endpoint and network detection. We believe that this RAT is in its early development but is being actively developed. It’s likely that we will see future versions of this malware with enhanced capabilities and new ways of evading endpoint and network detection.\r\nJuniper ATP Cloud detects this malware using a machine learning based behavioral analysis engine.\r\nIndicators of Compromise\r\nasbit[.]cn\r\nmitm[.]work\r\nrdlite[.]com\r\nfmt[.]ink\r\ndef[.]cab\r\nrfb[.]ink\r\n47[.]111[.]81[.]199\r\n43[.]128[.]31[.]158\r\n43[.]156[.]37[.]105\r\n43[.]154[.]232[.]199\r\n119[.]28[.]78[.]209\r\n43[.]154[.]211[.]60\r\n104[.]21[.]10[.]90\r\n172[.]67[.]162[.]192\r\n806523a9e4021cd72691fbdeb229339a24984b7ca79c3860ba468c832bf95c4d\r\n018656e61c7c5fc8d5983a32507fbcf379dd9e2b5dd7d67b8e44590d46a8c51f\r\nf223ceb9830ed18d823f42d9d8d5c09429782e0bcdbc62da5f00c881964e7041\r\n4b1efadc55c0cc3471e0945804125317b2a75772393541f680b1617f8a42773d\r\n754cc559a2c861c0ef8acfbbb632e79e04839ab9f8948fa3392c1cd69d14f026\r\nC5a720c2460da4c49b912409b204fbec31c79af3f7aaa011a3e679645f060760\r\na2cdf57b6a1cbf36d0440feedb2d9593e81cf646fd6f736a66d32950c1fa6857\r\nSource: https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan"
	],
	"report_names": [
		"asbit-an-emerging-remote-desktop-trojan"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ce0d264912343f61f9fe9b55de3a98e74be4c88.pdf",
		"text": "https://archive.orkl.eu/2ce0d264912343f61f9fe9b55de3a98e74be4c88.txt",
		"img": "https://archive.orkl.eu/2ce0d264912343f61f9fe9b55de3a98e74be4c88.jpg"
	}
}