{
	"id": "b9372aa0-fb8b-4ca3-940f-701bb037ac54",
	"created_at": "2026-04-06T00:12:07.95525Z",
	"updated_at": "2026-04-10T03:21:09.325987Z",
	"deleted_at": null,
	"sha1_hash": "9c20275b81bc735ca66bbb6d72f9e7bfc877cbb4",
	"title": "AsyncRAT Being Distributed as Windows Help File (*.chm) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1721771,
	"plain_text": "AsyncRAT Being Distributed as Windows Help File (*.chm) -\r\nASEC\r\nBy ATCP\r\nPublished: 2023-01-31 · Archived: 2026-04-02 11:14:22 UTC\r\nThe distribution method of malware has been diversifying as of late. Among these methods, a malware strain that\r\nuses the Windows Help file (*.chm) has been on the rise since last year, and has been covered multiple times in\r\nASEC blog posts like the ones listed below.\r\nAPT Attack Being Distributed as Windows Help File (*.chm)\r\nMalicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea\r\nBackdoor (*.chm) Disguised as Document Editing Software and Messenger Application\r\nMalicious Help File Disguised as Missing Coins Report and Wage Statement (*.chm)\r\nAgentTesla Distributed Through Windows Help File (*.chm)\r\nCHM Malware Types with Anti-Sandbox Technique and Targeting Companies\r\nMalicious CHM Being Distributed to Korean Universities\r\nRecently, the distribution of AsyncRAT through CHM has been confirmed. The overall operation process is shown\r\nin Figure 1, and each step will be explained below.\r\nhttps://asec.ahnlab.com/en/47525/\r\nPage 1 of 8\n\nFirst, unlike the types covered in the past, a blank Help screen is created when the CHM file is executed.\r\nThe contents of the malicious script that is run under the noses of users can be seen in Figure 3. It clearly has a\r\nsimpler structure compared to previous types. This script uses mshta to execute a malicious command that exists\r\nin the address “hxxps://2023foco.com[.]br/plmckv.hta”.\r\nA malicious VBScript exists within this address and a portion of its command is shown in Figure 5. The malicious\r\nVBScript has fragmented strings to evade detection, and is responsible for executing PowerShell commands.\r\nThere are 2 PowerShell commands that are executed. 
The commands respectively download and execute the vbs\r\nand hta files from the following URLs.\r\nDownload URL\r\nhxxp://2023foco.com[.]br/vvvvv.txt (C:\\ProgramData\\v.vbs)\r\nhxxps://2023foco.com[.]br/serverhta.hta (C:\\ProgramData\\v.hta)\r\n1. v.vbs\r\nFirst, as shown in Figure 6, the v.vbs file is obfuscated to the point of being incomprehensible.\r\nThe PowerShell command can be seen once it is unobfuscated. This command loads a .NET DLL that is encoded\r\nwithin the script. This DLL receives malicious data from the URL that is transmitted to the loader file as an\r\nargument and loads it into memory.\r\nThe loaded DLL receives the reversed malicious URL as an argument. It then downloads additional data from the\r\nURL before loading and executing it in the\r\n“C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\RegAsm.exe” process.\r\nDownload URL\r\nhxxps://2023foco.com[.]br/dcreverso.txt\r\nThe data that has been downloaded and executed by the loader is what performs the actual malicious behavior.\r\nThis data is AsyncRAT, an open-source RAT malware publicly available on GitHub. This malware is capable of\r\nperforming various malicious behaviors by receiving commands from the threat actor through their C2. The\r\ndefault features include Anti-VM, keylogging, and remote shell. Additionally, it possesses the strings it needs for\r\nC2 communication (address and port) in an encrypted form. They are decrypted as shown in Figure 10 and then used.\r\nC2\r\n51.79.116[.]37:8848\r\n2. v.hta\r\nv.hta is capable of executing additional commands and creating startup programs. 
Its first feature, executing\r\nadditional commands, works by receiving them from the URL below through a PowerShell command.\r\nDownload URL\r\nhxxps://2023foco.com[.]br/2.txt\r\nThe additional command downloads data from the two respective URLs with a PowerShell command and\r\nexecutes one of them like in Figure 12. At this stage, the path\r\n“C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe” and the remaining data are transmitted\r\nas arguments. Currently, the first URL is inaccessible, so the exact process cannot be checked. However, the\r\ndownloaded data is assumed to be a loader. It is presumed that the remaining data is injected into a normal process\r\nthat is transmitted as an argument through the loader. This is a common method that malware strains use to evade\r\nbehavior detection.\r\nDownload URL\r\nhxxps://2023foco.com[.]br/printa.txt (Infostealer)\r\nhxxps://2023foco.com[.]br/runpe.jpg (presumed Loader)\r\nThe data assumed to be injected and executed has been identified as an Infostealer. As shown in Figure 13, this\r\nmalware is capable of taking screenshots of a user’s PC screen and sending them to the threat actor via SMTP.\r\nThe second feature that v.hta is capable of is creating startup programs. An LNK file is created in the following\r\ndirectory and configured to run the v.vbs file. Additionally, it uses the icon of a normal file (C:\\Program Files\r\n(x86)\\Internet Explorer\\iexplore.exe) for the shortcut icon to avoid suspicion.\r\nLNK file creation path\r\n%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Viual Frontal Hotel.lnk\r\nRecently, malware is being distributed in various forms such as CHM. A majority of these malware strains use\r\nnormal processes when loading their malicious data in order to avoid detection. 
Moreover, the malware is being\r\nexecuted in fileless format, making it difficult for users to identify what type of malware was executed. Users\r\nshould refrain from opening files from unknown sources and must run periodic checkups on their PC.\r\n[File Detection]\r\nTrojan/Win.Generic.C5303722 (2022.11.12.01)\r\nMalware/Win32.RL_Generic.C4363035 (2021.03.06.01)\r\nTrojan/Win.Agent.C4526491 (2021.06.30.03)\r\nDownloader/CHM.Generic (2023.02.02.00)\r\nDownloader/HTML.Generic (2023.02.02.00)\r\nDownloader/VBS.Generic (2023.02.02.00)\r\nMD5\r\n407b0b88187916dc2e38c8d796c10804\r\n824584841251baa953b21feb5f516bed\r\nac64e8e7eb01755cc363167dd7653d53\r\nb810d06b6ead297da6d145fca80c80b2\r\nc45f6c4e3222c4308c80c945fb3ac4dc\r\nURL\r\nhttp[:]//2023foco[.]com[.]br/vvvvv[.]txt\r\nhttp[:]//51[.]79[.]116[.]37[:]8848/\r\nhttps[:]//2023foco[.]com[.]br/2[.]txt\r\nhttps[:]//2023foco[.]com[.]br/dcreverso[.]txt\r\nhttps[:]//2023foco[.]com[.]br/plmckv[.]hta\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/47525/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/47525/"
	],
	"report_names": [
		"47525"
	],
	"threat_actors": [],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c20275b81bc735ca66bbb6d72f9e7bfc877cbb4.pdf",
		"text": "https://archive.orkl.eu/9c20275b81bc735ca66bbb6d72f9e7bfc877cbb4.txt",
		"img": "https://archive.orkl.eu/9c20275b81bc735ca66bbb6d72f9e7bfc877cbb4.jpg"
	}
}