{
	"id": "d6b802b8-e7c6-411b-9859-9ae7881853b5",
	"created_at": "2026-04-06T00:14:09.784744Z",
	"updated_at": "2026-04-10T03:20:27.366427Z",
	"deleted_at": null,
	"sha1_hash": "79c3db2be3ed78e20c1348c05824cb6fcf9fc965",
	"title": "Unmasking AsyncRAT: Navigating the labyrinth of forks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1886907,
	"plain_text": "Unmasking AsyncRAT: Navigating the labyrinth of forks\r\nBy Nikola Knežević\r\nArchived: 2026-04-05 19:11:29 UTC\r\nAsyncRAT has cemented its place as a cornerstone of modern malware and as a pervasive threat that has evolved\r\ninto a sprawling network of forks and variants. While its capabilities are not that impressive on their own, it is the\r\nopen-source nature of AsyncRAT that has truly amplified its impact. This blogpost provides an overview and\r\nanalysis of the most relevant forks of AsyncRAT, drawing connections between them and showing how they have\r\nevolved.\r\nKey points of this blogpost:\r\nWe provide unique insights into the landscape of AsyncRAT and its numerous variants in order\r\nto navigate the labyrinth of forks easily.\r\nIn the effort to map the vast hierarchy of AsyncRAT’s forks, we uncover their unique\r\ninterconnections and document how these variants can be distinguished.\r\nWe explore less common variants that feature unique plugins, ranging from a basic screamer\r\nplugin to a USB malware spreader.\r\nOrigins of AsyncRAT\r\nYou may have heard of AsyncRAT, short for asynchronous remote access trojan. This open-source RAT was\r\nreleased on GitHub in 2019 by a user going by the name of NYAN CAT. Developed in C#, it offers a wide range\r\nof typical RAT functionalities, including keylogging, screen capturing, credential theft, and more. Its simplicity\r\nand open-source nature has made it a popular choice among cybercriminals, leading to its widespread use in\r\nvarious cyberattacks.\r\nBut where does it come from? We believe that the groundwork for AsyncRAT was laid earlier by the Quasar RAT,\r\nwhich has been available on GitHub since 2015 and features a similar approach. Both are written in C#; however,\r\ntheir codebases differ fundamentally, suggesting that AsyncRAT was not just a mere fork of Quasar, but a\r\ncomplete rewrite. 
A fork, in this context, is a personal copy of someone else’s repository that one can freely\r\nmodify without affecting the original project. The main link that ties them together lies in the custom\r\ncryptography classes used to decrypt the malware configuration settings. Specifically, these are classes Aes256\r\nand Sha256, which fall under the Client.Algorithm namespace for AsyncRAT and the\r\nQuasar.Common.Cryptography namespace for Quasar. Figure 1 shows identical code being used in both\r\nimplementations of Aes256.\r\nhttps://www.welivesecurity.com/en/eset-research/unmasking-asyncrat-navigating-labyrinth-forks/\r\nPage 1 of 15\n\nFigure 1. Comparison of cryptography classes between AsyncRAT (left) and Quasar (right)\r\nThe same code is mostly copied and pasted, including the same salt value and decryption settings. This class,\r\ntogether with Sha256, leads us to believe that AsyncRAT was to some degree influenced by the Quasar RAT.\r\nApart from these similarities, AsyncRAT introduced significant improvements, particularly in its modular\r\narchitecture and enhanced stealth features, which make it more adaptable and harder to detect in modern threat\r\nenvironments. Its plugin-based architecture and ease of modification have sparked the proliferation of many forks,\r\npushing the boundaries even further.\r\nFork labyrinth\r\nEver since it was released to the public, AsyncRAT has spawned a multitude of new forks that have built upon its\r\nfoundation. Some of these new versions have expanded on the original framework, incorporating additional\r\nfeatures and enhancements, while others are essentially the same version in different clothes.\r\nFork hierarchy\r\nFigure 2 illustrates how some of the more prevalent AsyncRAT forks have evolved from one another over time.\r\nFigure 2. A small subset of forks highlighting their derivative relationships\r\nIn the middle of the tree are DcRat and VenomRAT. 
Our analysis has shown that they are the most widely\r\ndeployed variants, together accounting for a significant number of campaigns. Other lesser-known forks occupy\r\nsmaller but nonetheless notable portions of the pie. Figure 3 depicts the distribution of the most prevalent forks\r\naccording to our telemetry.\r\nFigure 3. Q2 2024 distribution of the most common forks, as measured by the number of unique\r\nsamples\r\nDcRat offers a notable improvement over AsyncRAT in terms of features and capabilities. One of the more\r\nobvious changes is the data structure used for transferring data back and forth. It utilizes MessagePack, a well-known open-source library for more efficient binary data serialization. DcRat also implements evasion techniques\r\nlike AMSI and ETW patching, which work by disabling security features that detect and log malicious behavior –\r\nAMSI patching prevents in-memory scanning of scripts and .NET assemblies by the Antimalware Scan Interface, while ETW patching blocks the process’s own Event Tracing for Windows telemetry. Additionally, it features an\r\nantiprocess system whereby processes whose names match those in a denylist are terminated. Denylisted\r\nprograms include Taskmgr.exe, ProcessHacker.exe, MsMpEng.exe, Taskkill.exe, etc. Note that on current Windows versions MsMpEng.exe runs as a protected process, so a plain termination attempt from a user-level RAT fails; the list reflects intent more than guaranteed effect.\r\nIt’s also worth noting that DcRat’s plugin base builds upon AsyncRAT and further extends its functionality.\r\nAmong the added plugins are capabilities such as webcam access, microphone recording, Discord token theft, and\r\n“fun stuff”, a collection of plugins used for joke purposes like opening and closing the CD tray, blocking keyboard\r\nand mouse input, moving the mouse, turning off the monitor, etc. Notably, DcRat also introduces a simple\r\nransomware plugin that uses the AES-256 cipher to encrypt files, with the decryption key distributed only once\r\nthe plugin has been requested. 
Apart from that, there appear to be many small changes like a different choice of\r\nsalt (a string instead of a binary value), deliberately changed variable names to further evade detection, dynamic\r\nAPI resolution, and many more.\r\nVenomRAT, on the other hand, was likely inspired by DcRat, as evidenced in the Identifying versions section. The\r\nmalware is packed with so many features that it could be considered a separate threat on its own. We have chosen\r\nto group it under AsyncRAT as their client parts are very similar to each other. VenomRAT’s features and plugins\r\nhave been documented in more detail by other vendors, so we won’t dive deep into them in this blogpost.\r\nNot all RATs are serious in nature though, and this applies equally to AsyncRAT forks. Clones like SantaRAT or\r\nBoratRAT (see Figure 4) are meant to be jokes. In the case of the former, its authors have themselves\r\nacknowledged that the project was basically “shamelessly ripped off of DcRat”. Yet, despite this, we have found\r\ninstances of real-world usage of them in the wild.\r\nFigure 4. Official BoratRAT promotional logo\r\nIdentifying versions\r\nWhile doing the analysis, we used various methods to identify and categorize each sample. It should be noted that\r\nthe research was primarily on the client part of the malware, as this binary is what ends up on victims’ machines.\r\nIt contains useful information such as the malware configuration, including the C\u0026C address or the location from which it is retrieved.\r\nThe quickest and most straightforward way to identify a fork is to peek directly into the malware’s configuration,\r\nwhich can usually be found in the InitializeSettings function. The configuration values are encrypted with AES-256 and stored as base64 strings in the Settings class, alongside the base64-encoded Key from which the decryption key is derived. 
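The following Python is an added example, not code from the blogpost or from the AsyncRAT project. It reproduces what the Client.Algorithm.Aes256 class does with those base64 strings and turns the Salt into a triage check. Each encrypted value is an HMAC-SHA256 tag (32 bytes) || IV (16 bytes) || AES-256-CBC ciphertext, and both the AES key and the 64-byte HMAC key are consecutive slices of PBKDF2-HMAC-SHA1 computed over the decoded Key setting with the class's Salt and 50,000 iterations. Because the tag depends on the salt, trying each known salt until the tag verifies tells you which fork's Aes256 class produced the configuration, with no decryption needed. The 32-byte binary salt is the one shared by Quasar and AsyncRAT and the DcRat string salt is as reported in public analyses; treat both as assumptions to confirm against your own samples, and extend the table from your corpus. The full decrypt uses the third-party cryptography package (assumed installed) and is only required once the salt is known.

```python
import base64
import hashlib
import hmac

# Added example. Candidate salts: the 32-byte binary salt is the one shared by the
# Quasar and AsyncRAT Aes256 classes; the DcRat ASCII salt is as reported in public
# analyses. Both are assumptions to verify against your own samples; extend freely.
CANDIDATE_SALTS = {
    'AsyncRAT/Quasar (binary salt)': bytes.fromhex(
        'bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941'),
    'DcRat (string salt)': 'DcRatByqwqdanchun'.encode('ascii'),
}
HMAC_LEN, IV_LEN, BLOCK_LEN, PBKDF2_ROUNDS = 32, 16, 16, 50000


def derive_keys(master_key, salt):
    # Rfc2898DeriveBytes(masterKey, salt, 50000): GetBytes(32) for AES, then
    # GetBytes(64) for HMAC, i.e. consecutive slices of one PBKDF2-HMAC-SHA1 stream.
    dk = hashlib.pbkdf2_hmac('sha1', master_key.encode('utf-8'), salt, PBKDF2_ROUNDS, 96)
    return dk[:32], dk[32:]


def split_blob(blob):
    # Layout written by Aes256.Encrypt: HMAC-SHA256 || IV || AES-CBC ciphertext.
    body = len(blob) - HMAC_LEN - IV_LEN
    if body < BLOCK_LEN or body % BLOCK_LEN:
        raise ValueError('blob is not HMAC || IV || whole AES blocks')
    return blob[:HMAC_LEN], blob[HMAC_LEN:HMAC_LEN + IV_LEN], blob[HMAC_LEN + IV_LEN:]


def mac_matches(master_key, salt, blob):
    # The leading tag covers IV || ciphertext under the derived 64-byte auth key.
    _, auth_key = derive_keys(master_key, salt)
    tag, iv, ct = split_blob(blob)
    return hmac.compare_digest(tag, hmac.new(auth_key, iv + ct, hashlib.sha256).digest())


def fingerprint_salt(master_key, b64_value, candidates=CANDIDATE_SALTS):
    # Label of the first candidate salt under which the tag verifies, else None.
    blob = base64.b64decode(b64_value)
    for label, salt in candidates.items():
        if mac_matches(master_key, salt, blob):
            return label
    return None


def decrypt_setting(master_key, salt, b64_value):
    # Full decrypt; imports the third-party cryptography package (assumed installed)
    # here only, so the stdlib-only fingerprinting above keeps working without it.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    blob = base64.b64decode(b64_value)
    if not mac_matches(master_key, salt, blob):
        raise ValueError('MAC mismatch: wrong master key or wrong salt')
    key, _ = derive_keys(master_key, salt)
    _, iv, ct = split_blob(blob)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= BLOCK_LEN or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError('bad PKCS7 padding')
    return padded[:-pad].decode('utf-8')


def build_test_blob(master_key, salt, iv, payload):
    # Constructed fixture: a correctly tagged blob around arbitrary (non-AES) bytes,
    # enough to exercise the tag-based fingerprinting without encrypting anything.
    _, auth_key = derive_keys(master_key, salt)
    tag = hmac.new(auth_key, iv + payload, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + payload).decode('ascii')
```

On a real sample, pass the decoded Key setting as master_key and any other encrypted setting, such as Version, as b64_value. A None result means no candidate salt matched; read the Salt out of the Aes256 constructor (Figure 6), add it to CANDIDATE_SALTS, and the same sample will then also decrypt.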
In most cases, the correct fork name is readily available and\r\nconveniently labeled as Version. In about 90% of our analyzed samples, the Version field contains some\r\nmeaningful description of either the fork’s name or the malware author’s pseudonym. The remaining samples had\r\nthis field intentionally left blank. Figure 5 illustrates the typical configuration initialization procedure found in\r\nDcRat and its derivatives (VenomRAT in this case).\r\nFigure 5. Initialization of VenomRAT configuration values\r\nIf the Version field is empty, sometimes it’s possible to get another clue by looking at the Salt value used for\r\nencrypting the configuration. Fork authors often leave this parameter untouched when copying another fork, so it carries over. The Salt\r\nvalue can be found in the Client.Algorithm.Aes256 class, as seen in Figure 6.\r\nFigure 6. Extraction of the Salt value in the constructor of VenomRAT’s cryptography class\r\nYet another way to get more insight is to look for the embedded certificate used to authenticate the C\u0026C server.\r\nIt’s also located in the configuration as a base64-encoded value. Unpacking this value often reveals further\r\ninformation about the server, such as common name, organization, and organizational unit. If a particular fork has\r\nits own name in the Version field, it is often possible to trace back the previous fork upon which it was likely\r\nbased by looking at the CN field. Since the server embeds the same certificate in every client it builds, the certificate also serves to cluster samples belonging to one server installation. Figure 7 shows a DER-encoded certificate that reveals the BoratRAT fork, after\r\nextraction and decoding.\r\nFigure 7. Client certificate after extraction\r\nThe techniques mentioned above primarily apply to trivial cases where malware authors either did not bother to\r\nremove traces or used a default certificate. 
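The certificate route can be automated in the same way. The Python below is an added example (not from the blogpost or from the malware): a minimal DER walker that takes the base64 certificate value from the Settings class, finds the issuer and subject Name structures inside the TBSCertificate, and returns their CN, O and OU attributes. It uses no third-party X.509 library on purpose, so it runs wherever an analyst has Python, and it performs no signature or chain validation, which triage does not need. The sample certificate used to exercise it is built by the block's own small DER encoder; it is not a real or valid certificate and its subject values are made up.

```python
import base64

# Added example: minimal DER walker to read CN / O / OU from an X.509 subject.
OID_NAMES = {'2.5.4.3': 'CN', '2.5.4.10': 'O', '2.5.4.11': 'OU'}
# DirectoryString variants the walker decodes; anything else comes back as hex.
STRING_TAGS = {0x0C: 'utf-8', 0x13: 'ascii', 0x16: 'ascii', 0x14: 'latin-1', 0x1E: 'utf-16-be'}


def read_tlv(buf, pos):
    # Returns (tag, body, end) for the DER element starting at pos.
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError('indefinite or oversized DER length')
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError('DER element runs past end of buffer')
    return tag, buf[pos:end], end


def children(body):
    # All (tag, body) pairs directly inside a constructed element.
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return '.'.join(str(a) for a in arcs)


def parse_name(body):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value DirectoryString }
    attrs = {}
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (vtag, val) = children(atv)[:2]
            enc = STRING_TAGS.get(vtag)
            attrs[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = val.decode(enc) if enc else val.hex()
    return attrs


def certificate_names(der_bytes):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    #                               issuer, validity, subject, subjectPublicKeyInfo, ... }
    _, cert, _ = read_tlv(der_bytes, 0)
    _, tbs = children(cert)[0]
    fields = [body for tag, body in children(tbs) if tag != 0xA0]  # drop [0] version
    return {'issuer': parse_name(fields[2]), 'subject': parse_name(fields[4])}


def names_from_setting(b64_cert):
    # Entry point for the base64 certificate value found in the Settings class.
    return certificate_names(base64.b64decode(b64_cert))


# --- Constructed test fixture (own DER encoder); NOT a valid, signed certificate ---
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split('.')]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_name(attrs):
    return der(0x30, b''.join(der(0x31, der(0x30, der(0x06, encode_oid(o)) + der(0x0C, v.encode('utf-8'))))
                              for o, v in attrs))


def build_sample_setting(subject_cn):
    # Made-up subject values; only the structure matters for the walker.
    alg = der(0x30, der(0x06, encode_oid('1.2.840.113549.1.1.11')) + der(0x05, b''))
    validity = der(0x30, der(0x17, b'250101000000Z') + der(0x17, b'260101000000Z'))
    tbs = der(0x30, der(0xA0, der(0x02, bytes([2]))) + der(0x02, bytes([1])) + alg
              + build_name([('2.5.4.3', 'Constructed Issuer')]) + validity
              + build_name([('2.5.4.3', subject_cn), ('2.5.4.10', 'Example Org'), ('2.5.4.11', 'Lab')])
              + der(0x30, b''))
    return base64.b64encode(der(0x30, tbs + alg + der(0x03, bytes([0])))).decode('ascii')
```

The three attributes the text mentions (CN, O, OU) come back under those keys; any other subject attribute is returned under its dotted OID, so nothing the operator put in the certificate is silently dropped.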
A more sophisticated method for identifying AsyncRAT servers exists,\r\nwhich involves sending a specially crafted packet to the C\u0026C server. This approach is explained in detail in a\r\nblogpost by Axel Mahr.\r\nShould everything else fail, determining the sample origin can ultimately be done the old-fashioned way, by\r\nmanually inspecting the code. This involves a detailed analysis of the code’s structure, syntax, and functionality,\r\ncomparing them against the patterns of previously categorized samples.\r\nExtensive fork list\r\nWe have highlighted here some of the more prominent AsyncRAT forks. Due to the sheer number of available\r\nforks, it is not feasible to cover every single one. For completeness, Figure 8 provides an extended list of\r\nAsyncRAT forks known to be used for malicious purposes, as seen in ESET telemetry to date.\r\nFigure 8. Extended fork hierarchy list\r\nExploring lesser-known variants\r\nSo far, we’ve mentioned some of the major forks that dominate the landscape. In this section, we have cherry-picked some lesser-known forks that enhance AsyncRAT’s functionality beyond the features included in the\r\ndefault versions. These exotic forks are often the work of one person or group and they make up less than 1% of\r\nthe volume of AsyncRAT samples.\r\nNonEuclid RAT\r\nThis fork stands out primarily for its inclusion of new plugins, on top of the default ones. While some plugins\r\nmight seem trivial or geared towards “fun stuff”, others, like WormUsb.dll, have distinctly malicious purposes.\r\nTable 1 lists a selection of NonEuclid RAT plugins that deviate from the standard plugin base seen in regular\r\nforks.\r\nTable 1. 
Selection of NonEuclid RAT plugins we deemed interesting\r\nPlugin name | Description\r\nScreamer.dll | Jump scare plugin.\r\nPiano.dll | Generic audio player.\r\nService.dll | Windows services management.\r\nMaps.dll | Collects geolocation info from the user.\r\nWormUsb.dll | Malware spreader plugin.\r\nBrute.dll | SSH and FTP brute forcer.\r\nSignature Antivirus.dll | Simple signature-based file matcher.\r\ncliper.dll | Replaces clipboard data with attacker’s cryptocurrency wallet addresses.\r\nScreamer.dll\r\nThere are five jump scare images built into the plugin. An attacker sends a command that indicates which image\r\nthey want to use, along with the WAV file to be played, and the delay after which the jump scare is triggered.\r\nFigure 9 shows the first three prebundled images an attacker may choose from.\r\nPiano.dll\r\nThis plugin plays arbitrary WAV files. All sound files are stored in %appdata%\\Piano. Piano.dll supports three\r\ncommands:\r\nSetSound – adds a new sound file to %appdata%\\Piano,\r\nPlayMisc – plays a requested sound file from %appdata%\\Piano, and\r\nClientAdd – retrieves multiple sound files from the C\u0026C server.\r\nService.dll\r\nThis plugin facilitates managing Windows services, such as starting, stopping, and pausing services.\r\nMaps.dll\r\nThis is a simple plugin to collect geolocation information from the victim. 
It uses the .NET\r\nGeoCoordinateWatcher class to register a callback function to collect data each time the location is available.\r\nAmong the collected information are latitude, longitude, username, and computer name.\r\nWormUsb.dll\r\nThis plugin compromises PE files with an arbitrary payload specified by the attacker.\r\nDespite the term Usb in WormUsb.dll, this plugin targets several locations based on the command provided:\r\nInfectExe – compromises an individual PE file,\r\nInfectExeInWindows – targets PE files in personal folders (Desktop, Documents, Downloads, My Music), and\r\nInfectUsbExe – targets PE files in all drives excluding the C drive.\r\nUnder the hood, it works by moving the original file to a temporary location. Then it drops a small stub in place of\r\nthe original file. This stub’s resource section is then populated to contain both the original file and the specified\r\npayload, both of which are compressed and encrypted with a per-file key, generated at the time of construction.\r\nFollowing this, the malware then obfuscates the stub by introducing proxy methods, adding custom control flow\r\nobfuscation, and variable renaming. As a final touch, it embeds the original icon and metadata in the modified\r\nstub. Because every infected file carries its own key and freshly obfuscated stub, no two infected files share a hash, so file-hash indicators are of little use against this plugin; detection has to rely on the stub’s structure or its runtime behavior. Figure 10 shows the function, with the original method names, responsible for compromising a single file.\r\nFigure 10. Compromise function of a WormUsb.dll plugin\r\nWhen such a compromised file is executed, it first decrypts, unpacks and runs the payload program, then proceeds\r\nto do the same with the original program.\r\nBrute.dll\r\nThis plugin supports brute forcing of both SSH and FTP protocols from the client side. The attacker feeds it three\r\nparameters: host, login, and password, and the plugin will try to connect using those credentials. 
If the connection\r\nsucceeds, the credentials are sent back to the attacker with a flag indicating success. It’s not difficult to imagine a\r\nscenario whereby an attacker might use this sort of attack to distribute brute forcing across a large pool of\r\ncompromised machines, thus circumventing restrictions based solely on the IP address.\r\nSignature Antivirus.dll\r\nThe name of the plugin implies it might have something to do with antivirus functionality. While this is\r\ntechnically true, it is also a case of the most primitive, manual antivirus solution ever created. The plugin receives\r\na list of MD5 hashes from the attacker and compares them to the hashes of all EXE files it finds on every disk. If a\r\nmatching file is found, it triggers the oddly named DetectVirus function, which merely deletes the file without any\r\nfurther analysis. This makes the name of the plugin very dubious at best. In the hands of the malware author, it\r\nmay have been used to delete competitor malware, or really just any arbitrary file.\r\ncliper.dll\r\nThis is a standalone clipper that continuously monitors the victim’s clipboard, and if a cryptocurrency wallet\r\naddress is detected, it is replaced with one provided by the attacker. Attacker-provided wallets are only sent when\r\nthe plugin is first requested; they are not hardcoded in the plugin. Additionally, in Figure 11, we can also see some\r\ncredit card entries. This plugin contains an extensive list of regexes that can detect both cryptocurrency wallets\r\nand credit cards, and in the case of the latter they just get sent back to the attacker.\r\nFigure 11. Wallets and cards monitored by cliper.dll\r\nJasonRAT\r\nIdentified in 2024, this variant shows continued signs of activity. It is interesting in that it employs obscure\r\nvariable-naming conventions reminiscent of “satanic” terms from what the malware author refers to as the Book\r\nof Jason. 
In Figure 12, you can see typical AsyncRAT configuration values (in base64), but with renamed\r\nvariables, while Figure 13 shows the logic of the main entry point of the malware. Besides the usual configuration\r\nvalues, this variant further extends the client by introducing country targeting.\r\nFigure 12. Partially obfuscated JasonRAT configuration values\r\nFigure 13. Main JasonRAT entry point showing renamed function names\r\nAnother strange feature is the choice of string obfuscation. A subset of the strings employs an extra layer of\r\nobfuscation by utilizing an extended variant of Morse code. Both uppercase and lowercase letters are included, as\r\nwell as some special characters. Figure 14 shows the encoded registry key string using an extended mapping. Because the mapping is custom, a standard Morse table does not decode these strings; the table has to be lifted from the sample itself.\r\nFigure 14. Extended Morse code used as string obfuscation in JasonRAT\r\nXieBroRAT\r\nThis is a RAT with Chinese localization. It introduces a new plugin, BrowserGhost.dll, which is a browser-credential stealer. Another plugin, Abstain.dll, provides interaction with Cobalt Strike servers by making a reverse\r\nconnection.\r\nTo widen its reach, the malware ships its delivery chain in several different forms: the standard\r\n.NET client binary can be wrapped and distributed via shellcode, VBS, or JavaScript.\r\nFinally, the author further extended the malware by borrowing heavily from open-source projects, integrating tools\r\nlike mimikatz, SharpWifiGrabber, SharpUnhooker, etc.\r\nConclusion\r\nAsyncRAT’s rise and its subsequent forks highlight the inherent risks of open-source malware frameworks. 
Our\r\nanalysis revealed a diverse and evolving ecosystem of derivatives, ranging from persistent threats like DcRat and\r\nVenomRAT to lesser-known novelty forks like JasonRAT and BoratRAT, which seem to serve more as curiosities\r\nthan credible threats. All of these forks not only extend AsyncRAT’s technical capabilities but also demonstrate\r\nhow quickly and creatively threat actors can adapt and repurpose open-source code.\r\nThe widespread availability of such frameworks significantly lowers the barrier to entry for aspiring\r\ncybercriminals, enabling even novices to deploy sophisticated malware with minimal effort. This democratization\r\nof malware development – especially considering the rising popularity of LLMs and potential to misuse their\r\ncapabilities – further accelerates the creation and customization of malicious tools, contributing to a rapidly\r\nexpanding and increasingly complex threat landscape.\r\nIn light of these trends, it is reasonable to anticipate that future forks may incorporate more advanced obfuscation,\r\nmodularity, and evasion capabilities. This potential evolution underscores the importance of proactive detection\r\nstrategies and deeper behavioral analysis to effectively address emerging threats.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\nF8E31B338123E38757F8B7099797119A038A3538 | Screamer.dll | MSIL/AsyncRAT.C | NonEuclid jump scare plugin.\r\n98223D2F8DF2F9E832AE081CD6E072A440C9A3CD | Piano.dll | MSIL/AsyncRAT.C | NonEuclid audio player plugin.\r\nCDEC9A1C73E3E21B1D70DDAA6BF139D8D2A197A5 | Maps.dll | MSIL/AsyncRAT.C | NonEuclid geolocation plugin.\r\n932C49EEE087D432D0DA10CC0640B11FD2C91203 | Service.dll | MSIL/AsyncRAT.C | NonEuclid Windows service management plugin.\r\n2FA98D088486BAC57FF60E072E28FEE5830E7B28 | WormUsb.dll | MSIL/AsyncRAT.C | NonEuclid malware spreader plugin.\r\n62C9FEFA84067F695032A6939F07C3799AAD80A3 | Brute.dll | MSIL/AsyncRAT.C | NonEuclid SSH and FTP brute forcer plugin.\r\nFAD946F7ACF017F0C50C81BF379AABA3528AFBB3 | Signature Antivirus.dll | MSIL/AsyncRAT.C | NonEuclid signature-based file matcher plugin.\r\n51B8A5818B7031EDB59A2B2ECF160A78505880BA | cliper.dll | MSIL/AsyncRAT.C | NonEuclid clipboard hijacker plugin.\r\n4FB0CAAD6E345947EE2D30E795B711F91C6A4819 | Stub.exe | MSIL/AsyncRAT.A | AsyncRAT client.\r\nFD9CF01CEA7DE8631C34B988A7AAD55587A162FA | Stub.exe | MSIL/AsyncRAT.A | 3LoshRAT client.\r\nB8AB93E958E0DE4BE2766B2537832EDB37030429 | Client.exe | MSIL/AsyncRAT.A | DcRat client.\r\n68B58483D0E4E7CC2478D6B4FC00064ADE3D7DB3 | Microsoft_Edge_Driver.exe | MSIL/AsyncRAT.A | VenomRAT client.\r\n4F69E0CE283D273B724CE107DF89F11C556A7A4E | Client.exe | MSIL/AsyncRAT.C | BoratRAT client.\r\nE4F87568473536E35006D1BD4D4C26A8809F3F91 | Client.exe | MSIL/AsyncRAT.A | Anarchy Panel client.\r\n
D10B8197732437E9BF840FEA46A30EFF62892A4E | Client.exe | MSIL/AsyncRAT.A | CollapseRAT client.\r\n0DC28EA51F0D96E0D1BC78DF829C81A84332C5F1 | dwm.exe | MSIL/AsyncRAT.A | Shadow X RAT client.\r\nE5B511E7550CBADE74E75EADE8F413A89D963FE5 | ClientAny.exe | MSIL/AsyncRAT.A | LMTeamRAT client.\r\n3124F58428184FDF75E21B1E5A58CADF9DD2BA03 | Stub.exe | MSIL/AsyncRAT.A | PhoenixRAT client.\r\n8402AA507CF5B1BBFAB53E3BF7A7D4500796A978 | Client.exe | MSIL/AsyncRAT.A | EchoRAT client.\r\nAB2C6F9695346FAA9495B4AB837085C1524FFDDF | Client.exe | MSIL/AsyncRAT.A | XieBroRAT client.\r\n3E6CD9D07B8ECE706697F332AC9F32DE5ECAF086 | tempClient.exe | MSIL/AsyncRAT.C | NonEuclid RAT client.\r\nFF4592A8BCB58F5CF6BD70B882E886EC6906EECD | Servant.exe | MSIL/AsyncRAT.A | JasonRAT client.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | DcRat terminates security tools such as Taskmgr.exe and MsMpEng.exe.\r\nDefense Evasion | T1562.006 | Impair Defenses: Indicator Blocking | DcRat patches AMSI and ETW in its own process to suppress scanning and event tracing.\r\nDefense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | JasonRAT employs modified Morse code and obscure variable names to hinder analysis.\r\nCredential Access | T1539 | Steal Web Session Cookie | DcRat leverages a plugin to steal Discord tokens from compromised machines.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | XieBroRAT uses a plugin to collect browser credentials.\r\nCredential Access | T1110.003 | Brute Force: Password Spraying | NonEuclid uses a plugin to brute force SSH and FTP credentials.\r\nDiscovery | T1614 | System Location Discovery | NonEuclid uses a plugin that collects geolocation data from compromised systems.\r\n
Collection | T1123 | Audio Capture | DcRat has a microphone plugin that enables audio capture from the victim’s device.\r\nCollection | T1125 | Video Capture | DcRat includes a webcam plugin that allows remote access to the victim’s camera.\r\nCollection | T1115 | Clipboard Data | NonEuclid uses a plugin that monitors the clipboard to intercept and replace cryptocurrency wallet addresses.\r\nImpact | T1486 | Data Encrypted for Impact | DcRat features a ransomware plugin capable of encrypting files on the victim’s system.\r\nSource: https://www.welivesecurity.com/en/eset-research/unmasking-asyncrat-navigating-labyrinth-forks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/unmasking-asyncrat-navigating-labyrinth-forks/"
	],
	"report_names": [
		"unmasking-asyncrat-navigating-labyrinth-forks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79c3db2be3ed78e20c1348c05824cb6fcf9fc965.pdf",
		"text": "https://archive.orkl.eu/79c3db2be3ed78e20c1348c05824cb6fcf9fc965.txt",
		"img": "https://archive.orkl.eu/79c3db2be3ed78e20c1348c05824cb6fcf9fc965.jpg"
	}
}