{
	"id": "d7b9c00d-8fd9-4b77-b695-fb871e4c0b3a",
	"created_at": "2026-04-06T00:21:47.45721Z",
	"updated_at": "2026-04-10T03:20:25.354455Z",
	"deleted_at": null,
	"sha1_hash": "8034b8fe3bd7752c6c2c65ad06e7d257d4438432",
	"title": "New Threat Campaign Identified: AsyncRAT Introduces a New Delivery Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1922722,
	"plain_text": "New Threat Campaign Identified: AsyncRAT Introduces a New\r\nDelivery Technique\r\nBy Michael Dereviashkin\r\nArchived: 2026-04-05 19:08:24 UTC\r\nMorphisec, through its Automated Moving Target Defense (AMTD) breach prevention technology, has identified a\r\nnew, sophisticated delivery campaign that has been evading the radar of many security vendors.\r\nThrough a simple email phishing tactic with an HTML attachment, the attackers deliver AsyncRAT, a\r\nremote access trojan designed to monitor and control infected computers remotely over an encrypted\r\nconnection. The campaign has been active for four to five months, with the lowest detection rates\r\nreported on VirusTotal.\r\nMorphisec traced the campaign back to September 12, 2021. It continued to evolve while\r\ndelivering formerly known crypter-as-a-service payloads, such as HCrypt and Alosh. This blog post explains the campaign's\r\ndelivery vector in detail.\r\nTechnical Details\r\nIn many cases, victims received an email message with an HTML attachment in the form of a receipt: Receipt-\r\n\u003cdigits\u003e.html.\r\nBelow is an example of such an email message:\r\nFigure 1: Fake receipt\r\nWhen the victim opens the receipt, they see a webpage that asks them to save a\r\ndownloaded ISO file. They believe it is a regular file download that has passed through all the gateway and\r\nnetwork security scanners. Surprisingly, that is not the case.\r\nhttps://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign\r\nPage 1 of 11\n\nIn fact, the ISO download is generated within the victim's browser by JavaScript code embedded inside\r\nthe HTML receipt file; it is never downloaded from a remote server.
In the next section, we describe how\r\nthis code generates the file.\r\nFigure 2: Decoy receipt download\r\nFigure 3: Low detection rate by AV solutions\r\nStage 1: HTML and JavaScript Loader\r\nAs mentioned earlier, the ISO file is not delivered as a file blob over the network; it is\r\ndelivered as a Base64 string. The base64toblob function takes a Base64-encoded string as input and\r\ndecodes it with window.atob. The result is converted to a byte array, from which a\r\nnew Blob is created. The Blob type is set according to the given MIME type (in this case, application/octet-stream).\r\nBecause the bytes never cross the network as a file, gateway and mail scanners that inspect downloads only ever see an HTML page; this is the smuggling step that keeps detection rates low.\r\nWe found that the earlier variants were not obfuscated:\r\nFigure 4: Generation of the ISO file\r\nThe snapshot below shows how the Blob is wrapped in an object URL (typically via URL.createObjectURL) so that saving it\r\nlooks like the download of an ISO file that had been delivered remotely.\r\nFigure 5: Assignment of blob to URL\r\nOnce the user opens the generated ISO, Windows 10 automatically mounts it as a DVD drive.
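The Stage 1 chain above, turned around for triage. The Python script below is an added example written for this page; it is not code from the Morphisec post or from the campaign. It finds the atob/Blob/createObjectURL primitives in an HTML attachment, decodes every long Base64 literal the page carries, checks whether the result is an ISO 9660 image by looking for the CD001 identifier of the primary volume descriptor in sector 16, and lists the root-directory names so the .bat/.vbs dropped inside the mount can be seen without ever mounting it. The decoy page and the mini ISO are constructed samples built inside the script; the anchor download/click trigger, the ISO name and the file names are assumptions, not details taken from the post.

```python
import base64
import re
import struct

SECTOR = 2048
# The JavaScript primitives of the smuggling chain: atob -> byte array -> Blob -> object URL.
SMUGGLING_MARKERS = ('atob(', 'new Blob(', 'createObjectURL(')
# Long runs of the Base64 alphabet are the candidates for a smuggled payload literal.
BASE64_RUN = re.compile('[A-Za-z0-9+/=]{64,}')


def iso_entries(data):
    # Returns the root-directory file names of an ISO 9660 image, or None if data is not one.
    pvd = 16 * SECTOR                      # primary volume descriptor sits in sector 16
    if len(data) < pvd + 190 or data[pvd + 1:pvd + 6] != b'CD001':
        return None
    root = pvd + 156                       # root directory record embedded in the PVD
    lba = struct.unpack_from('<I', data, root + 2)[0]     # extent location (little-endian copy)
    size = struct.unpack_from('<I', data, root + 10)[0]   # extent length in bytes
    pos, names = lba * SECTOR, []
    end = min(pos + size, len(data))
    while pos < end:
        rec_len = data[pos]
        if rec_len == 0:                   # zero padding: records never straddle a sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        name_len = data[pos + 32]
        name = data[pos + 33:pos + 33 + name_len]
        if name not in (bytes([0]), bytes([1])):         # skip the . and .. entries
            names.append(name.decode('ascii', 'replace').split(';')[0])
        pos += rec_len
    return names


def triage_html(html):
    # Flags the smuggling primitives and decodes every long Base64 literal in the page.
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    payloads = []
    for run in BASE64_RUN.findall(html):
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            continue
        entries = iso_entries(blob)
        scripts = [e for e in (entries or []) if e.upper().endswith(('.BAT', '.VBS'))]
        payloads.append({'size': len(blob), 'is_iso': entries is not None, 'scripts': scripts})
    return {'markers': markers, 'payloads': payloads}


def build_mini_iso(filenames):
    # Constructed sample: the smallest ISO 9660 layout iso_entries() needs (PVD in sector 16,
    # root directory in sector 18, no file data).
    img = bytearray(SECTOR * 20)
    pvd = 16 * SECTOR
    img[pvd] = 1                           # descriptor type 1 = primary
    img[pvd + 1:pvd + 6] = b'CD001'
    img[pvd + 6] = 1                       # descriptor version
    root = pvd + 156
    img[root] = 34                         # record length
    struct.pack_into('<I', img, root + 2, 18)       # root directory extent = sector 18
    struct.pack_into('<I', img, root + 10, SECTOR)  # one sector of directory records
    img[root + 25] = 2                     # flags: directory
    img[root + 32] = 1                     # name length of the root name byte
    pos = 18 * SECTOR
    entries = [bytes([0]), bytes([1])] + [n.encode('ascii') + b';1' for n in filenames]
    for name in entries:
        rec_len = 33 + len(name) + (len(name) + 1) % 2   # records are padded to even length
        img[pos] = rec_len
        img[pos + 32] = len(name)
        img[pos + 33:pos + 33 + len(name)] = name
        pos += rec_len
    return bytes(img)


def build_sample_html(payload_b64):
    # Constructed decoy page using the atob -> Uint8Array -> Blob -> object URL chain from the post.
    # The anchor download attribute, click() and the ISO name are assumed, not taken from the post.
    return ('<html><body>Your receipt is being downloaded...<script>'
            'function base64toblob(b, mime){var bin=window.atob(b);'
            'var arr=new Uint8Array(bin.length);'
            'for(var i=0;i<bin.length;i++){arr[i]=bin.charCodeAt(i);}'
            'return new Blob([arr],{type:mime});}'
            'var blob=base64toblob(' + repr(payload_b64) + ', ' + repr('application/octet-stream') + ');'
            'var a=document.createElement(' + repr('a') + ');a.href=URL.createObjectURL(blob);'
            'a.download=' + repr('receipt.iso') + ';a.click();</script></body></html>')


SAMPLE_ISO = build_mini_iso(['NET.BAT', 'README.TXT'])
SAMPLE_HTML = build_sample_html(base64.b64encode(SAMPLE_ISO).decode('ascii'))

if __name__ == '__main__':
    print(triage_html(SAMPLE_HTML))
```

The single-regex scan only recovers the literal from the unobfuscated early variants the post describes; a page that splits, reverses or otherwise transforms the string before calling atob needs a JavaScript deobfuscation pass or an instrumented browser in front of this decoder, and the ISO walk above reads only the root directory, which is enough for the single .bat/.vbs layout seen here.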
The mounted drive contains either a .bat or a .vbs file.\r\nFigure 6: Auto-mount for ISO files\r\nThe .bat/.vbs file in the auto-mounted drive is responsible for downloading and executing the next\r\nstage through a PowerShell process:\r\nDeobfuscated:\r\nStage 2: Reflective .NET Injection\r\nThe PowerShell code that is executed is responsible for:\r\nCreating persistence through a scheduled task\r\nExecuting a dropped .vbs file, usually under %ProgramData%\r\nUnpacking a Base64-encoded and deflate-compressed .NET module\r\nInjecting the .NET module payload in memory (the dropper)\r\nFigure 7: Persistence\r\nStage 3: The Dropper\r\nThe injected .NET module's main purpose is to act as a dropper, working primarily under\r\n%ProgramData%.\r\nFigure 8: .NET module dropper\r\nAbove, we can see that the Visual Basic file is written to the ProgramDatainternet folder. Immediately after\r\nexecution, the dropper attempts to delete its traces.
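A detection view of stages 1 to 3, as an added example that is not part of the original post. The rules below run over process-creation events with Sysmon-style pid/ppid/image/cmdline fields and flag the chain the post describes: a script host running a .bat/.vbs from a drive other than the system drive (what the auto-mounted ISO looks like), PowerShell spawned by that script host, scheduled-task persistence, a .vbs executed from %ProgramData%, and the Windows Defender exclusion and aspnet_compiler.exe hollowing target the post mentions further on. The events are constructed; the command lines, flags, task name and paths are illustrative assumptions, not the campaign's real ones.

```python
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'cmd.exe'}
SCRIPT_EXT = ('.vbs', '.bat')
SEP = chr(92)   # a backslash, kept out of the source so the sample has no escape sequences


def normalize(event):
    # Lower-case string fields and turn Windows separators into '/' so every rule is written once.
    return {k: v.replace(SEP, '/').lower() if isinstance(v, str) else v for k, v in event.items()}


def base(image):
    return image.rsplit('/', 1)[-1]


def script_paths(cmdline):
    # Crude tokenizer: paths with spaces need the quoting rules of CommandLineToArgvW, ignored here.
    return [t for t in cmdline.split() if t.endswith(SCRIPT_EXT)]


def rule_script_from_mounted_iso(ev, parent):
    # Stage 1 -> 2: a script host runs a .bat/.vbs from a drive other than the system drive,
    # which is what the auto-mounted ISO (a DVD drive letter on Windows 10) looks like.
    if base(ev['image']) not in SCRIPT_HOSTS:
        return None
    for p in script_paths(ev['cmdline']):
        if len(p) > 2 and p[1] == ':' and p[0] != 'c':
            return 'script host launched from non-system drive ' + p[:2].upper()
    return None


def rule_powershell_from_script_host(ev, parent):
    # The .bat/.vbs hands off to PowerShell for stage 2.
    if base(ev['image']) == 'powershell.exe' and parent and base(parent['image']) in SCRIPT_HOSTS:
        return 'powershell spawned by ' + base(parent['image'])
    return None


def rule_persistence_or_evasion(ev, parent):
    # Stage 2/3 behaviours: scheduled-task persistence, a Defender exclusion, a .vbs run from ProgramData.
    c = ev['cmdline']
    if ('schtasks' in c and '/create' in c) or 'register-scheduledtask' in c:
        return 'scheduled task created'
    if ('add-mppreference' in c or 'set-mppreference' in c) and 'exclusion' in c:
        return 'windows defender exclusion added'
    if base(ev['image']) in SCRIPT_HOSTS and any('/programdata/' in p for p in script_paths(c)):
        return 'script executed from ProgramData'
    return None


def rule_hollowing_target(ev, parent):
    # Final stage: the post saw AsyncRAT hiding inside aspnet_compiler.exe started by the PowerShell stage.
    if base(ev['image']) == 'aspnet_compiler.exe' and parent and base(parent['image']) == 'powershell.exe':
        return 'aspnet_compiler.exe spawned by powershell (process hollowing target)'
    return None


RULES = (rule_script_from_mounted_iso, rule_powershell_from_script_host,
         rule_persistence_or_evasion, rule_hollowing_target)


def analyze(events):
    # Returns (pid, image name, reason) per hit; parents are resolved by pid so chain rules see context.
    evs = [normalize(e) for e in events]
    by_pid = {e['pid']: e for e in evs}
    hits = []
    for e in evs:
        parent = by_pid.get(e['ppid'])
        for rule in RULES:
            reason = rule(e, parent)
            if reason:
                hits.append((e['pid'], base(e['image']), reason))
    return hits


# Constructed Sysmon-style events (real data uses backslashes, which normalize() converts).
# Paths, flags and the task name are illustrative; the post does not reproduce the real command lines.
SAMPLE_EVENTS = [
    {'pid': 100, 'ppid': 1, 'image': 'C:/Windows/explorer.exe', 'cmdline': 'explorer.exe'},
    {'pid': 200, 'ppid': 100, 'image': 'C:/Windows/System32/wscript.exe',
     'cmdline': 'wscript.exe E:/receipt.vbs'},
    {'pid': 300, 'ppid': 200, 'image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'cmdline': 'powershell.exe -w hidden -ep bypass -f C:/Users/Public/stage2.ps1'},
    {'pid': 310, 'ppid': 300, 'image': 'C:/Windows/System32/schtasks.exe',
     'cmdline': 'schtasks.exe /create /sc minute /mo 1 /tn Net /tr C:/ProgramData/Net.vbs'},
    {'pid': 320, 'ppid': 300, 'image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'cmdline': 'powershell.exe Add-MpPreference -ExclusionPath C:/ProgramData'},
    {'pid': 330, 'ppid': 300, 'image': 'C:/Windows/System32/wscript.exe',
     'cmdline': 'wscript.exe C:/ProgramData/Net.vbs'},
    {'pid': 340, 'ppid': 300, 'image': 'C:/Windows/Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe',
     'cmdline': 'aspnet_compiler.exe'},
    {'pid': 400, 'ppid': 100, 'image': 'C:/Windows/System32/notepad.exe',
     'cmdline': 'notepad.exe C:/Users/Public/notes.txt'},
]

if __name__ == '__main__':
    for hit in analyze(SAMPLE_EVENTS):
        print(hit)
```

Each rule on its own is noisy (administrators create scheduled tasks and Defender exclusions too); the value is in the parent/child context, so in production the hits should be grouped by process tree and scored, with the non-system-drive script host followed by PowerShell as the high-confidence anchor.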
\r\nThe dropper creates three files:\r\nNet.vbs - obfuscated invocation of Net.bat\r\nNet.bat - invocation of Net.ps1\r\nNet.ps1 - next-stage injection\r\nDeobfuscated Net.vbs content:\r\nNet.bat:\r\nNet.ps1:\r\nFigure 9: Antivirus check\r\nThe check for AV solutions present on the machine decides whether the following steps are skipped:\r\nIf the user is in the built-in Administrators group, then perform:\r\nUAC bypass using Disk Cleanup\r\nDisabling of Action Center notifications\r\nSetting of a Windows Defender exclusion\r\nFigure 10: UAC bypass + Windows Defender exclusion\r\nFigure 11: Disabling of Action Center notifications\r\nFigure 12: Reflective load and process hollowing\r\nIn most cases, the attackers delivered AsyncRAT as the final payload, hidden within the legitimate .NET\r\naspnet_compiler.exe process.\r\nIndicators of Compromise (IOCs)\r\nHTML (SHA-256):\r\nFa5f4847181550f1332f943882bc89ab48302a3d6d6efc1a364b2af7dec119b2\r\n50d308118008908832fe9c7fa78169ef8aaa960450c788a2c41af0eb5e0a62db\r\nF3b17523ef01ccf96faa276ec78f774831d9747f1e8effac902c04ec51408cc5\r\nA0989ec9ad1b74c5e8dedca4a02dcbb06abdd86ec05d1712bfc560bf209e3b39\r\nA4565fbb5570c30085fb77c674b4f1b7d069bdd2350747304efc911c905c3e31\r\n43b0cf93776bbdd72d582b9ed5a95d015ca682ca2d642e9509d374c79cca098e\r\n159ef0dcef607e1ce0996c565a5f3e82a501dcf1b6063c03ee8d30137e77d743\r\nC24a0a1bf44d6b4c59ba752df79cef3c42c84f574072336320deba29b1b9100c\r\n1a3c935784376edd36d7d486307df5f628841ee49189dbaf643d21d00a84cef3\r\n8a67bb1e9eb625935b02c504dd4fced1d12f0b4b7784eeaf0bd94e1c741ee99a\r\n3730660dd06fdae513b757199be9846d1e022d5d70c1f246a583c55f19b87242\r\n75b4ab33e788181c36cfde764254e9e7c4d1a981b7832bbc60009fcdec7f586c\r\nE4ad32aa6d0f839342fc22b71530f04a4ab756e15f35707654828360fbd0aeef\r\nA02aa1c7d3e066a9e45266e4279ec2b433003bc570406e6770bd4ff22a91902e\r\n6f7f33619daa8226b9d17bcf4972b77ac448b8b11e394b9633cd4177434cf24f\r\nD25f66ed468c20472354ee60c4c1d0ecbe0c0e5f6515263e4f7146224b72f0a2\r\nb3b17bd9b11b502ec01308952bf74cf80618b4c75269c7d833fc381d75635a43\r\nAfef7b47f0cb7ab0ff30d2cc887381e1745c7536a123098633a4e31ebbcc60cb\r\n55f4d7297800a4a4142be065e1674229cb1b120e8ade7b4ff7938affcfdb85c6\r\nB545bcc50adce9c788034f230c48a3c1a528874399226d12ca2d5395f6af00c1\r\nAsyncRAT (SHA-256):\r\n58BEE75D7A00CA8D8C0E9FBBC8ADA035B82DE90CBACF63F1AC7E1DB0E771AA28\r\nB49F3B8AAE24C6AE2026E86A1D12F2487DD768C1326BFC7E3BB610DB7A0E857B\r\n39FEF91CA4778FA05C5A4081F772B47E5728B61D37358707DF5F45717D0B2A8C\r\nAD506EAE3573368A97ECE57F9FB38AF83E16AD4D0273633CA57FBAE991A90C0A\r\nE8BF9507841E5873D248EBDD303D499762D10B59F90BE56441E068FBA28AB6D9\r\n206159F87A621F278D884539B21E1EBABCF7C250E94935D5BA72F5B25D3EB777\r\nBC59B8C66B46AE091A1A81FA88172C8736F83B75904FFE8A21D098D3F4AAD244\r\nD445D834E59E52B133C15B6E77F0633B32B2932282D66AB93777FEFED07342D4\r\n2E8BC122CD796D2D9D12C30245E5DF506902E5600449274690246287F03FABED\r\n907BF4192509BA05DE03D98005053E7E46C884A3A5C7FE4CC002CF87F67359B3\r\nF0CFA28585CA50CD64E6A618F5629EB39391BA0697D0604989C7DAC00946A599\r\n57EE165285FBB3FE294D7155B033F32AB8D343055BA7BA8D90C810E143E53AD9\r\nC2 (host:port, defanged):\r\nPop11.ddns[.]net:6666\r\nWthcv.sytes[.]net:7400\r\n2pop.ddns[.]net:6666\r\n11l19secondpop.ddns[.]net:6666\r\nNewsa.ddns[.]net:6606\r\nElliotgateway.ddns[.]net:5555\r\nPython.myvnc[.]com:7707\r\nNewopt.servehttp[.]com:7707\r\nNomako.ddns[.]net:6606\r\nPython.blogsyte[.]com:6606\r\nEmails (SHA-256):\r\n1241b9486d3d7c74c0bb1f2a7bdd81ff9597b2c92f2af8a5b3819b296c400336\r\nD67bd08e03a5e2054aae8458b0c549cec2f988a9e703d3ed755626d840990a0e\r\n845c7c30fb7c1ca0de473f7e9d41c2b1a337d5e4919854461da6002e1fbc8fa3\r\nWe Are Here to Help\r\nThis new attack campaign is bad news, especially since most NGAV and EDR vendors' solutions are failing to\r\ndetect and stop this threat; the good news for Morphisec customers is that our Automated Moving Target\r\nDefense (AMTD) technology is stopping these attacks. Gartner is calling AMTD \"the future of cyber\" as it can\r\nuniquely detect and prevent ransomware, zero-day and other advanced attacks that often bypass NGAV, EDR, and\r\nother defenses.\r\nAbout the author\r\nMichael Dereviashkin\r\nSource: https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign"
	],
	"report_names": [
		"asyncrat-new-delivery-technique-new-threat-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8034b8fe3bd7752c6c2c65ad06e7d257d4438432.pdf",
		"text": "https://archive.orkl.eu/8034b8fe3bd7752c6c2c65ad06e7d257d4438432.txt",
		"img": "https://archive.orkl.eu/8034b8fe3bd7752c6c2c65ad06e7d257d4438432.jpg"
	}
}