{
	"id": "0bb9ae76-6c7b-4321-9b31-3094902bb8b4",
	"created_at": "2026-04-06T00:17:17.285327Z",
	"updated_at": "2026-04-10T13:12:25.86788Z",
	"deleted_at": null,
	"sha1_hash": "a158f78e5873ed2b7576dbdd0e69342524d5ae65",
	"title": "AsyncRAT Distributed via WSF Script",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2558034,
	"plain_text": "AsyncRAT Distributed via WSF Script\r\nBy ATCP\r\nPublished: 2023-11-30 · Archived: 2026-04-05 23:05:47 UTC\r\nThe AhnLab Security Emergency response Center (ASEC) analysis team previously posted about AsyncRAT being distributed via files with the .chm extension. [1] It was recently discovered that this AsyncRAT variant is now being distributed as a WSF script. The WSF file arrives inside a compressed (.zip) file downloaded from URLs contained in emails.\r\n[Download URLs]\r\n1. https://*****************.com.br/Pay5baea1WP7.zip\r\n2. https://************.za.com/Order_ed333c91f0fd.zip\r\n3. https://*************.com/PAY37846wp.zip\r\n4. https://*****.****.co/eBills37890913.zip\r\nDecompressing the first zip file yields a file with a .wsf extension. The file consists mostly of comments and contains a single \u003cscript\u003e tag in the middle.\r\nhttps://asec.ahnlab.com/en/59573/\r\nPage 1 of 8\r\nWhen this script is executed, it downloads and runs a Visual Basic script. That script in turn downloads a .jpg file (a zip archive disguised as a jpg) from the same C2 address.\r\nThe VBS then renames the .jpg to .zip and decompresses it. A command string that executes Error.vbs, one of the files in the archive, is written to an XML file (C:\\Users\\Public\\temp.xml) and run with PowerShell.\r\nThe downloaded archive contains several other scripts besides Error.vbs.\r\nAfterwards, the remaining files (bat, ps1) are all executed in order. 
The role and execution flow of each file are as follows.\r\nError.vbs: Checks for administrator permission and executes Error.bat\r\nError.bat: Bypasses UAC and executes Error.ps1\r\nError.ps1: Creates the shortcut file C:\\Users\\Public\\Chrome.lnk, registers it for autorun in the registry, then executes it\r\npwng.bat: Bypasses UAC and executes pwng.ps1\r\npwng.ps1: Fileless attack\r\npwng.ps1, which is executed last, converts strings embedded in the script into .NET binaries, loads them and executes them. It starts a legitimate process (aspnet_compiler.exe) and injects the malicious binary into that process. Three obfuscated variables are used during these steps.\r\n[Meaning of Key Variables]\r\n$jsewy: Malware that performs the features of AsyncRAT (the file to be injected into aspnet_compiler.exe)\r\n$jsewty: Malware that performs the injection\r\n$KRDESEY: The process the malware is injected into (C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe)\r\nThe malware executed in the end is identified as AsyncRAT, which has information exfiltration and backdoor features. Its key behaviors are as follows.\r\n1. Maintaining Persistence\r\n– Using schtasks to add a scheduled task\r\n– Adding a registry entry\r\n– Creating a bat file that executes and then terminates itself\r\n2. Exfiltrating Information\r\n– Computer information: OS version, users, anti-malware product list, etc.\r\n– UserData information in browsers: Chrome, Brave-Browser, Edge\r\n– Cryptocurrency wallet information: RabbyWallet, Atomic, Exodus, Ledger_Live, Electrum, Coinomi, Binance, Bitcoin\r\nAdditionally, the C2 server to which this information is sent is stored in the file as an encrypted string and is only revealed when the malware runs. 
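The execution chain and C2 contact described in this report translate directly into telemetry that a SOC can alert on. The Python below is an added example and is not code from the ASEC article: it runs a handful of detection rules over constructed, Sysmon-style events that mirror the chain (a script host spawning PowerShell, staging files written to C:\\Users\\Public, PowerShell starting aspnet_compiler.exe, and one process probing a single host on several ports in a short window). The event layout, the host name c2.example, the process ids and the port numbers are assumptions made for the sample and are not indicators from the report.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Windows paths below are written with '/' and normalised to the native
# separator so the constructed sample stays readable.
def win(path):
    return path.replace('/', ntpath.sep)

PUBLIC_DIR = win('C:/Users/Public')

# Process and file names taken from the chain described in the article.
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
SHELLS = {'powershell.exe', 'pwsh.exe', 'cmd.exe'}
INJECTION_HOSTS = {'aspnet_compiler.exe'}   # legitimate .NET binary abused as injection target
STAGING_FILES = {'temp.xml', 'chrome.lnk', 'error.vbs', 'error.bat',
                 'error.ps1', 'pwng.bat', 'pwng.ps1'}

# Constructed Sysmon-style events (id 1 = process create, id 11 = file create,
# id 3 = network connect). Host names, pids and ports are placeholders, not IOCs.
SAMPLE_EVENTS = [
    # benign: the user opens a browser
    {'id': 1, 'ts': '2023-11-29T08:59:50', 'pid': 3900, 'ppid': 3200,
     'image': win('C:/Program Files/Google/Chrome/Application/chrome.exe'),
     'parent': win('C:/Windows/explorer.exe'), 'cmd': 'chrome.exe'},
    # the user double-clicks the .wsf extracted from the mailed zip
    {'id': 1, 'ts': '2023-11-29T09:00:01', 'pid': 4100, 'ppid': 3200,
     'image': win('C:/Windows/System32/wscript.exe'),
     'parent': win('C:/Windows/explorer.exe'),
     'cmd': 'wscript.exe ' + win('C:/Users/alice/Downloads/Pay5baea1WP7.wsf')},
    # the script host starts PowerShell for the next stage
    {'id': 1, 'ts': '2023-11-29T09:00:03', 'pid': 4188, 'ppid': 4100,
     'image': win('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'),
     'parent': win('C:/Windows/System32/wscript.exe'),
     'cmd': 'powershell.exe -nop -w hidden -ep bypass'},
    # staging files dropped in the world-writable Public profile
    {'id': 11, 'ts': '2023-11-29T09:00:04', 'pid': 4188, 'target': win('C:/Users/Public/temp.xml')},
    {'id': 11, 'ts': '2023-11-29T09:00:09', 'pid': 4301, 'target': win('C:/Users/Public/Chrome.lnk')},
    # the final PowerShell stage launches the legitimate .NET compiler as injection host
    {'id': 1, 'ts': '2023-11-29T09:00:12', 'pid': 4410, 'ppid': 4301,
     'image': win('C:/Windows/Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe'),
     'parent': win('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'),
     'cmd': 'aspnet_compiler.exe'},
    # the injected RAT tries one C2 host on several ports in quick succession
    {'id': 3, 'ts': '2023-11-29T09:00:15', 'pid': 4410, 'dst': 'c2.example', 'port': 6606},
    {'id': 3, 'ts': '2023-11-29T09:00:16', 'pid': 4410, 'dst': 'c2.example', 'port': 7707},
    {'id': 3, 'ts': '2023-11-29T09:00:17', 'pid': 4410, 'dst': 'c2.example', 'port': 8808},
    # benign: the browser talks to one site on the usual port
    {'id': 3, 'ts': '2023-11-29T09:00:20', 'pid': 3900, 'dst': 'www.example.com', 'port': 443},
]

def base(path):
    return ntpath.basename(path).lower()

def detect(events, min_ports=3, window=timedelta(minutes=5)):
    # Returns (rule_name, evidence) tuples; an empty list means nothing matched.
    findings = []
    for e in events:
        if e['id'] == 1:
            image, parent = base(e['image']), base(e['parent'])
            if parent in SCRIPT_HOSTS and image in SHELLS:
                findings.append(('script_host_spawns_shell', e['pid']))
            if parent in SHELLS and image in INJECTION_HOSTS:
                findings.append(('shell_spawns_dotnet_utility', e['pid']))
        elif e['id'] == 11:
            in_public = ntpath.normcase(ntpath.dirname(e['target'])) == ntpath.normcase(PUBLIC_DIR)
            if in_public and base(e['target']) in STAGING_FILES:
                findings.append(('public_dir_staging', base(e['target'])))
    # One process reaching the same host on several distinct ports inside a
    # short window is the multi-port connection pattern the article describes.
    per_target = defaultdict(list)
    for e in events:
        if e['id'] == 3:
            per_target[(e['pid'], e['dst'].lower())].append(
                (datetime.fromisoformat(e['ts']), e['port']))
    for (pid, host), attempts in per_target.items():
        attempts.sort()
        for start, _ in attempts:
            ports = {p for t, p in attempts if start <= t <= start + window}
            if len(ports) >= min_ports:
                findings.append(('c2_multi_port_fanout', (pid, host, tuple(sorted(ports)))))
                break
    return findings

if __name__ == '__main__':
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(rule, evidence)
```

Running the block prints the five findings for the sample; a sequence that contains only the explorer-to-browser launch and a single HTTPS connection produces none. The fan-out rule keys on process and destination host, so a browser hitting one domain on one port stays quiet, while aspnet_compiler.exe, which normally has no reason to make outbound connections, is flagged as soon as it touches the third port.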
The threat actor pairs this C2 domain with several port numbers and attempts a connection on each of them.\r\nThe threat actor thus distributes the same malware in various ways, using elaborate fileless techniques that never drop an EXE file. Users must always be cautious when opening files or external links contained in emails, and should use the monitoring features of security products to identify and block access by threat actors.\r\n[File Detection]\r\nDownloader/Script.Agent (2023.11.29.02)\r\nTrojan/VBS.RUNNER.SC194987 (2023.11.30.04)\r\nTrojan/BAT.RUNNER.SC194988 (2023.11.30.04)\r\nTrojan/BAT.RUNNER.SC194985 (2023.11.30.04)\r\nTrojan/PowerShell.Runner.SC194986 (2023.11.30.04)\r\nTrojan/PowerShell.Generic.SC194981 (2023.11.30.04)\r\nTrojan/PowerShell.Generic.SC194982 (2023.11.30.04)\r\nTrojan/Win.Injector (2023.11.30.04)\r\nBackdoor/Win.AsyncRAT (2022.07.12.00)\r\nSource: https://asec.ahnlab.com/en/59573/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/59573/"
	],
	"report_names": [
		"59573"
	],
	"threat_actors": [],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a158f78e5873ed2b7576dbdd0e69342524d5ae65.pdf",
		"text": "https://archive.orkl.eu/a158f78e5873ed2b7576dbdd0e69342524d5ae65.txt",
		"img": "https://archive.orkl.eu/a158f78e5873ed2b7576dbdd0e69342524d5ae65.jpg"
	}
}