{
	"id": "8c2f0721-6d55-4478-958f-bbbaec04ad1a",
	"created_at": "2026-04-06T00:13:38.294953Z",
	"updated_at": "2026-04-10T13:12:51.925568Z",
	"deleted_at": null,
	"sha1_hash": "94c03cdfbcd554e83b169beb1c18440588ca198c",
	"title": "GitHub – Home to AsyncRAT Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 895917,
	"plain_text": "GitHub – Home to AsyncRAT Backdoor\r\nPublished: 2021-02-19 · Archived: 2026-04-05 20:33:00 UTC\r\nThese days threat actors are hosting their encrypted malware in user-familiar places such as Google Drive, OneDrive, Discord CDN and Pastebin, amongst others, and target a huge victim base. This abuse is not new for GitHub either, a popular code hosting platform. In this blog, we will be getting into the nuances of an AsyncRAT backdoor hosted on a GitHub repository and its delivery mechanism, orchestrated in different stages.\r\nWhile monitoring Twitter handles, we came across a tweet from @Glacius_ mentioning the availability of an AsyncRAT payload on GitHub, as depicted in Figure 1.\r\nFigure 1: Tweet from @Glacius_ about AsyncRAT\r\nhttps://labs.k7computing.com/?p=21759\r\nPage 1 of 9\r\n\r\nFrom Figure 2, we can notice that the above said attacker’s GitHub repository has multiple binaries. The contents of all these binaries are encoded in decimal format to avoid being identified and detected easily.\r\nFigure 2: GitHub repository where the malware binaries are present\r\nThis GitHub account was created on January 8, 2021 and is managed by Mohamed-Sayed, with only 1 follower, as shown in Figure 3. Also, we noticed that the attacker added 2 new PE files on Jan 31st, 2021 in the “NEW” repository; possibly the threat actor is planning another campaign. On digging deeper, we found that this attack has multi-stage payloads and finally executes the main payloads facebook.dll and stub.exe, which were not available on VirusTotal at the time of writing this blog.\r\nFigure 3: https://github.com/hbankers\r\nNow, let’s get into the details of the multi-stage scripts and the main payloads. The complete flow of this attack and the multi-stage scripts used to execute the final payload using a process injector DLL is depicted in Figure 4.\r\nFigure 4: Process Flow of this Malware\r\nThe initial binary fww.exe, a .NET file, downloads the first stage payload “encoding.txt” from “hxxp[:]//f0509448[.]xsph[.]ru/hjebWnlfsjdlPz/encoding[.]txt” (IP: 141.8.193.236) and executes encoding.txt, a VBScript, using “mshta.exe” as depicted in Figure 5.\r\nFigure 5: Initial binary which executes the VBScript\r\nDecoding the 1st stage VBScript, we could see that it uses the Wscript.Shell object to execute a PowerShell script using PowerShell.exe, download the second stage payload “all.txt” from the same URL and execute the downloaded file using Invoke-Expression (IEX) as depicted in Figure 6.\r\nFigure 6: Use of VBScript to download second stage payload\r\nThe second stage payload all.txt, a PowerShell script, before proceeding further checks if predefined AV processes are running in the system, for instance “AVAST : AvastUI.exe”, “ESET : ecmds.exe”, “KASPERSKY : avpui.exe”, “AVG : AVGUI.exe”, as depicted in Figure 7.\r\nFigure 7: Checks for Famous AVs existing in the system\r\nOnce it is confirmed that none of the specified AVs are present in the system, all.txt continues its execution. It sets the ServicePointManager security protocol to TLS 1.2 (the value 3072 represents the TLS 1.2 protocol) to communicate with its server through a secure channel and downloads the third stage payload “ps1.txt” from the server. It converts the hex values to ASCII characters using the “[char][byte]” cast, stores the resulting string in the “asciiString” variable and executes it using Invoke-Expression as depicted in Figure 8.\r\nFigure 8: PowerShell script is used to download ps1.txt\r\nRemoving all of the junk data from the PowerShell script ps1.txt, we can also see that it downloads the DLL “hxxps[:]//raw[.]githubusercontent[.]com/hbankers/PE/main/PE03[.]txt” and the Hbanker exe file “hxxps[:]//raw[.]githubusercontent[.]com/hbankers/v1/main/Server[.]txt” as strings using the “DownloadString” function. The ps1.txt script then executes “Reflection.Assembly::Load()” to load the DLL PE03.txt, call its “HAPPY” method and execute the binary Server.txt (passed in the HCrypt argument of the HAPPY method) as depicted in Figure 9 and Figure 10.\r\nFigure 9: 4th stage script after removing junk\r\nFigure 10: List of APIs for Process Injection\r\nThe APIs “ResumeThread, Wow64SetThreadContext, SetThreadContext, Wow64GetThreadContext, GetThreadContext, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, ZwUnmapViewOfSection, CreateProcessA” are used to inject the AsyncRAT payload (Server.txt) into the memory of another process and then execute it. This technique is called Process Hollowing.\r\nAsyncRAT (Server.txt) carries multiple features like anti-analysis checks, network connection using an SSL certificate, persistence techniques etc. The attacker pre-defines the domain name, port number, SSL certificate, version, mutex, key etc.; their values are in a sophisticated base64-encoded format, and to decode the strings it uses AesCryptoServiceProvider in addition to the base64 decoder to recover the original values as depicted in Figure 11.\r\nFigure 11: Decoded string of pre-defined values\r\nThe domain the attacker tries to connect to is “fat7e0recovery[.]ddns[.]net” via port number 6666 as depicted in Figure 12. The mutex value is “AsyncMutex_6SI8OkPnk” and it also has a server certificate “CN=AsyncRAT Server” valid from 17-01-2021 to 31-12-9999. This SSL certificate is used to encrypt the packets between the compromised system and the server.\r\nFigure 12: Connecting the domain using the port specified\r\nIn order to detect virtual machines, AsyncRAT uses anti-analysis techniques like the following, as depicted in Figure 13:\r\n- Checks if the disk size is less than or equal to 50GB\r\n- Checks whether the OS is XP\r\n- Looks for VM names like the “Virtualbox”, “vm” or “Virtual” strings in the system manufacturer data\r\n- Checks for SbieDll.dll in the system to detect Sandboxie virtual machines\r\n- Uses the CheckRemoteDebuggerPresent API to check for a debugger\r\nFigure 13: Anti-analysis Technique\r\nTo be persistent in the system, AsyncRAT confirms if the user login has admin privileges. If yes, it creates a scheduled task as depicted in Figure 14, where fileinfo.name represents the currently running malware file.\r\nFigure 14: Creates scheduled task using cmd\r\nIf AsyncRAT does not run with admin privileges, it creates a Run entry under CurrentUser\\Run for persistence. The Run registry key string is stored in reversed order and the StrReverse command is employed to retrieve the actual data “Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run” as depicted in Figure 15.\r\nFigure 15: Run registry key for persistence\r\nConclusion\r\nAttackers are not only very interested in creating new malware but are also trying to use every single possibility to host/spread their payloads. In this case, AsyncRAT is spread using the credibility of popular code hosting platforms to evade detection by Anti-Virus engines. We are constantly monitoring such techniques and ensuring that we provide proactive protection against such malware attacks. As always, we recommend our customers to use K7 security products to protect their data and keep them updated to stay protected from the latest threats.\r\n\r\nIndicators Of Compromise (IOCs)\r\nMD5                               File Name     K7 Detection Name\r\n527EE147DC7B2E5D768945DCC7D87326  fww.exe       Trojan-Downloader (005771b51)\r\n4FAC2D80A7C3AEA83D61432F66A25B69  Facebook.dll  Trojan (004cf1da1)\r\n416C48AEF6DDF720BE0D8B68DD2F0BD0  stub.exe      Trojan (005678321)\r\nURLs\r\nFat7e0recovery[.]ddns[.]net:6666\r\nhxxps[:]//raw[.]githubusercontent[.]com/hbankers/PE/main/PE03[.]txt\r\nhxxps[:]//raw[.]githubusercontent[.]com/hbankers/v1/main/Server[.]txt\r\nhxxp[:]//f0509448[.]xsph[.]ru/hjebWnlfsjdlPz/encoding[.]txt\r\nSource: https://labs.k7computing.com/?p=21759",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/?p=21759"
	],
	"report_names": [
		"?p=21759"
	],
	"threat_actors": [],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94c03cdfbcd554e83b169beb1c18440588ca198c.pdf",
		"text": "https://archive.orkl.eu/94c03cdfbcd554e83b169beb1c18440588ca198c.txt",
		"img": "https://archive.orkl.eu/94c03cdfbcd554e83b169beb1c18440588ca198c.jpg"
	}
}