{
	"id": "44ae101c-bc53-4f84-86f5-0bcaafe44f00",
	"created_at": "2026-04-06T00:11:08.739526Z",
	"updated_at": "2026-04-10T03:21:37.094105Z",
	"deleted_at": null,
	"sha1_hash": "a461bba0d9dc46b692e7aa96ee8abd8a6e09926a",
	"title": "AsyncRAT C2 Activity at Internet Scale - Censys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4238194,
	"plain_text": "AsyncRAT C2 Activity at Internet Scale - Censys\r\nBy Josue\r\nPublished: 2026-01-29 · Archived: 2026-04-05 20:04:08 UTC\r\nExecutive Summary\r\nAsyncRAT is an open-source .NET remote access trojan (RAT) implemented in C# and first released publicly in 2019. It has since become widely adopted by criminal operators for persistent remote access, surveillance, and data theft. The malware supports remote command execution, file transfer, keylogging, screen capture, and credential harvesting, and typically communicates with command-and-control (C2) servers over a custom TCP protocol wrapped in SSL/TLS, often using self-signed certificates that may present CN=AsyncRAT Server.\r\nAs of January 2026, Censys is tracking 57 active AsyncRAT-associated hosts exposed on the public internet. These hosts are concentrated within a small number of VPS-focused autonomous systems and frequently reuse a distinctive self-signed TLS certificate identifying the service as an “AsyncRAT Server,” which enables scalable discovery of related infrastructure beyond sample-based detection.\r\nOperationally, AsyncRAT provides long-lived unauthorized access and post-compromise control, making it a reliable tool for credential theft, lateral movement staging, and follow-on payload delivery.\r\nFigure: Count of AsyncRAT assets in the Censys Platform Threat Hunt Module\r\nBackground\r\nAsyncRAT was released publicly in 2019 by the developer known as NYAN-x-CAT and distributed via an open GitHub repository. 
Since its release, the codebase has been widely copied, modified, and redistributed across criminal communities, contributing to its persistent presence in commodity malware ecosystems.\r\nThe project has not undergone a formal rebrand in the way some families have, but it has spawned multiple closely related forks and derivatives, including DCRat (DarkCrystal RAT) and VenomRAT, which retain overlapping functionality and infrastructure patterns. This fragmentation complicates tracking when analysts rely solely on family names rather than shared technical artifacts.\r\nhttps://censys.com/blog/asyncrat-c2-activity-at-internet-scale\r\nPage 1 of 10\r\nAsyncRAT is most commonly delivered through malspam campaigns using compressed archives or document-based lures, as well as through loader chains that deploy the RAT as a secondary payload after initial execution. In some cases, AsyncRAT appears alongside other commodity tooling, allowing operators to blend its activity into high-volume background noise.\r\nCapabilities\r\nOnce deployed, AsyncRAT provides operators with a broad set of post-compromise capabilities:\r\n- Remote command execution and interactive shell access\r\n- Credential theft via keylogging and memory access\r\n- File upload, download, and arbitrary payload staging\r\n- Persistence through scheduled tasks, registry run keys, or services\r\n- Follow-on tooling deployment and lateral movement preparation\r\nTechnical Characteristics\r\nAsyncRAT deployments exhibit several recurring technical traits observable across campaigns:\r\nCommon filenames and artifacts: Although the AsyncRAT builder defaults to “AsyncClient.exe”, operators frequently use generic or misleading executable names or masquerade the client as a system binary; registry-based persistence commonly uses the standard Run key locations. 
\r\nNetwork behavior: AsyncRAT typically communicates with C2 servers over a custom TCP protocol, often exposed on non-standard ports such as 8808, 6606, and 7707, rather than embedding traffic within common application protocols.\r\nTLS characteristics: Many deployments wrap C2 traffic in SSL/TLS using self-signed certificates, frequently presenting a common name such as “AsyncRAT Server”.\r\nFigure: AsyncRAT Server Client\r\nFigure: AsyncRAT client builder default connection options\r\nFigure: AsyncRAT Server About Information\r\nFigure: AsyncRAT Server Default Network Configuration\r\nFigure: AsyncRAT Server Certificate Configuration and Default Certificate Name\r\nOperational Context\r\nAsyncRAT remains relevant because of its low barrier to entry, ease of customization, and continued reuse across a wide range of operators. While often associated with opportunistic campaigns, its infrastructure and tooling have also appeared in more targeted activity, underscoring how commodity RATs continue to serve as building blocks for diverse threat models. Reuse of distinctive TLS artifacts and concentration within a limited set of VPS providers further amplifies its visibility at internet scale.\r\nThe following section summarizes Censys visibility into infrastructure and prevalence trends associated with AsyncRAT.\r\nCensys Perspective\r\nOf the 57 assets hosting AsyncRAT, we analyzed how they were distributed across infrastructure and found evidence of a decentralized hosting strategy favoring budget VPS providers and resellers. The dominance of APIVERSA (13% of hosts), Contabo networks (11% combined), and AS-COLOCROSSING (5.5%) indicates that operators prioritize low-cost, abuse-tolerant hosting over major cloud providers. 
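The default certificate name and port traits described under Technical Characteristics, as an added example that is not part of the Censys post: a small Python hunt over constructed Zeek ssl.log-style records (pipe-delimited here for readability; Zeek itself uses tabs) that flags the default CN variants and self-signed certificates on the known AsyncRAT ports, then groups flagged ports per server to surface the sequential-port clusters reported in the Censys Perspective findings. The CN strings, the ports and the 185.196.9.158 address come from the article; the rule names, confidence levels, sample records and the remaining addresses (RFC 5737 documentation ranges) are assumptions made for this example.

```python
from collections import defaultdict

# Indicators taken from the article: default certificate common names and the
# non-standard ports AsyncRAT is most often exposed on.
DEFAULT_CN_VARIANTS = ('AsyncRAT Server', 'AsyncRAT 服务器')
KNOWN_PORTS = {6606, 7707, 8808}

# Constructed sample records (not real telemetry). Zeek ssl.log-style fields,
# pipe-delimited for readability: ts|src|src_port|dst|dst_port|server_name|subject|issuer
SAMPLE_LOG = '''
1760000001.1|10.0.0.5|51234|185.196.9.158|4501|-|CN=AsyncRAT Server|CN=AsyncRAT Server
1760000002.2|10.0.0.5|51235|185.196.9.158|4502|-|CN=AsyncRAT Server|CN=AsyncRAT Server
1760000003.3|10.0.0.7|51300|185.196.9.158|4503|-|CN=AsyncRAT Server|CN=AsyncRAT Server
1760000004.4|10.0.0.9|51400|185.196.9.158|4504|-|CN=AsyncRAT Server|CN=AsyncRAT Server
1760000005.5|10.0.0.5|51500|203.0.113.10|6606|-|CN=AsyncRAT 服务器|CN=AsyncRAT 服务器
1760000006.6|10.0.0.5|51600|198.51.100.20|7707|-|CN=update-service|CN=update-service
1760000007.7|10.0.0.5|51700|192.0.2.50|443|www.example.com|CN=www.example.com,O=Example|CN=Example Root CA
'''

FIELDS = ('ts', 'src', 'src_port', 'dst', 'dst_port', 'server_name', 'subject', 'issuer')


def parse_log(text):
    # Yield one dict per record, skipping blank and comment lines.
    for line in text.strip().splitlines():
        if not line or line.startswith('#'):
            continue
        rec = dict(zip(FIELDS, line.split('|')))
        rec['dst_port'] = int(rec['dst_port'])
        yield rec


def cn_of(dn):
    # Return the CN attribute of an RFC 2253-style distinguished name, or '' if absent.
    for part in dn.split(','):
        key, _, value = part.strip().partition('=')
        if key.upper() == 'CN':
            return value.strip()
    return ''


def classify(rec):
    # Return (confidence, reasons). A default AsyncRAT CN alone is high confidence; a
    # self-signed certificate on a known AsyncRAT port is medium; anything else is not flagged.
    reasons = []
    if cn_of(rec['subject']) in DEFAULT_CN_VARIANTS:
        reasons.append('default-asyncrat-cn')
    if rec['subject'] == rec['issuer']:
        reasons.append('self-signed')
    if rec['dst_port'] in KNOWN_PORTS:
        reasons.append('known-asyncrat-port')
    if 'default-asyncrat-cn' in reasons:
        return 'high', reasons
    if 'self-signed' in reasons and 'known-asyncrat-port' in reasons:
        return 'medium', reasons
    return None, reasons


def sequential_port_runs(ports, min_len=3):
    # Group ports into runs of consecutive integers and keep runs of at least min_len,
    # the multi-instance pattern the article reports (e.g. 4501-4504 on one host).
    runs, current = [], []
    for port in sorted(set(ports)):
        if current and port == current[-1] + 1:
            current.append(port)
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = [port]
    if len(current) >= min_len:
        runs.append(current)
    return runs


def hunt(log_text):
    # Return (hits, clusters): flagged records and, per flagged server, its sequential port runs.
    hits = []
    ports_by_host = defaultdict(set)
    for rec in parse_log(log_text):
        level, reasons = classify(rec)
        if level is None:
            continue
        hits.append({'dst': rec['dst'], 'dst_port': rec['dst_port'], 'level': level, 'reasons': reasons})
        ports_by_host[rec['dst']].add(rec['dst_port'])
    clusters = {host: runs for host, runs in
                ((h, sequential_port_runs(p)) for h, p in ports_by_host.items()) if runs}
    return hits, clusters


if __name__ == '__main__':
    hits, clusters = hunt(SAMPLE_LOG)
    for hit in hits:
        print(hit['level'], hit['dst'], hit['dst_port'], ', '.join(hit['reasons']))
    print('sequential port clusters:', clusters)
```

The medium-confidence rule exists because operators who edit the certificate name still tend to keep the builder's default ports and a self-signed certificate; a hit on that rule is a pivot to investigate, not a verdict, whereas the default CN on its own matched 98% of the hosts in the Censys data.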
\r\nGeographic concentration in the US, Netherlands, and Germany aligns with data center density in these regions rather than operator location.\r\nThe near-universal use of the default “AsyncRAT Server” certificate (98%) suggests operators are deploying unmodified or lightly customized versions of the RAT, creating a highly reliable detection pivot.\r\nMultiple hosts running 3-5 AsyncRAT instances on sequential ports (e.g., 185.196.9.158 with ports 4501-4504) indicate either multi-campaign infrastructure or redundancy configurations.\r\nCase Study\r\nAnother approach to hunting AsyncRAT with the Censys Platform is to go after exposed clients. By searching for the known default name of the AsyncRAT client (AsyncClient.exe), we are able to discover AsyncRAT samples staged in open directories using the Censys Open Directory details view.\r\nFigure: An AsyncRAT payload (client) hosted in an open directory\r\nFigure: Configuration using rat-king-parser validating this is an AsyncRAT sample\r\nStatic analysis confirms the payload is AsyncRAT. The sample implements the canonical AsyncRAT client architecture, including MessagePack-encoded command routing using a top-level Packet field, a plugin-based execution model that dynamically loads compressed assemblies in memory and invokes a standardized Plugin.Plugin.Run() entrypoint, and an AES-encrypted configuration schema containing the standard AsyncRAT fields (Hosts, Ports, MTX, Install, BDOS, Pastebin, Group). The client initializes a self-signed TLS channel using an embedded X.509 certificate whose decrypted subject is “AsyncRAT Server”, and passes that certificate directly into the client socket and plugin runtime. 
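The AES-encrypted configuration schema described above, as an added example that is not part of the Censys post: a Python reimplementation of the setting-decryption routine from the public AsyncRAT client source (PBKDF2-HMAC-SHA1 with a fixed 32-byte salt and 50,000 iterations, an HMAC-SHA256 tag over IV plus ciphertext, then AES-256-CBC with PKCS7 padding), so that values such as Hosts and Ports can be checked by hand against a parser's output in the same spirit as the PowerShell validation in the case study. The salt, iteration count and blob layout are quoted from that public source and should be confirmed against the sample under analysis, since forks may change them; the master key, the Hosts/Ports/Group values and the encrypted blobs are constructed here (no real sample is used), and the example assumes the third-party cryptography package for AES.

```python
import base64
import hashlib
import hmac
import os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constants from the public AsyncRAT client (Client/Algorithm/Aes256.cs). Forks may change
# the salt or iteration count, so confirm them in the sample before trusting a decryption.
SALT = bytes.fromhex('BFEB1E56FBCD973BB219022430A57843003D5644D21E62B9D4F180E7E6C33941')
ITERATIONS = 50000
KEY_LEN, AUTH_KEY_LEN, IV_LEN, MAC_LEN = 32, 64, 16, 32


def derive_keys(master_key):
    # Rfc2898DeriveBytes(masterKey, Salt, 50000) is PBKDF2-HMAC-SHA1. The client calls
    # GetBytes(32) for the AES key and then GetBytes(64) for the HMAC key, which is the
    # same as one 96-byte derivation split in two.
    stream = hashlib.pbkdf2_hmac('sha1', master_key.encode('utf-8'), SALT, ITERATIONS,
                                 KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def decrypt_setting(master_key, encoded):
    # Each setting is base64 of: HMAC-SHA256(iv || ciphertext) || iv || ciphertext.
    # The tag is checked first, so a wrong key or a modified blob fails here instead of
    # yielding garbage plaintext.
    key, auth_key = derive_keys(master_key)
    blob = base64.b64decode(encoded)
    if len(blob) < MAC_LEN + IV_LEN:
        raise ValueError('setting too short to hold tag and IV')
    tag, body = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError('HMAC mismatch: wrong master key, different salt, or modified data')
    iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode('utf-8')


def encrypt_setting(master_key, plaintext):
    # Inverse of decrypt_setting; used here only to build the constructed sample below.
    key, auth_key = derive_keys(master_key)
    iv = os.urandom(IV_LEN)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext.encode('utf-8')) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    body = iv + encryptor.update(padded) + encryptor.finalize()
    tag = hmac.new(auth_key, body, hashlib.sha256).digest()
    return base64.b64encode(tag + body).decode('ascii')


def decrypt_config(settings_key_b64, settings):
    # Settings.Key in the binary is itself base64; its decoded UTF-8 string is the PBKDF2
    # password. Returns the decrypted settings keyed by field name.
    master_key = base64.b64decode(settings_key_b64).decode('utf-8')
    return {name: decrypt_setting(master_key, value) for name, value in settings.items()}


def flip_last_byte(encoded):
    # Helper for the tamper check: corrupt the final ciphertext byte of a base64 setting.
    blob = bytearray(base64.b64decode(encoded))
    blob[-1] ^= 0x01
    return base64.b64encode(bytes(blob)).decode('ascii')


# Constructed sample: a made-up master key and made-up field values, encrypted with the
# routine above. Nothing here comes from a real AsyncRAT sample.
SAMPLE_MASTER_KEY = 'ExampleMasterKey123'
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_MASTER_KEY.encode('utf-8')).decode('ascii')
SAMPLE_SETTINGS = {
    'Hosts': encrypt_setting(SAMPLE_MASTER_KEY, '203.0.113.10'),
    'Ports': encrypt_setting(SAMPLE_MASTER_KEY, '6606,7707'),
    'Group': encrypt_setting(SAMPLE_MASTER_KEY, 'Default'),
}

if __name__ == '__main__':
    for name, value in decrypt_config(SAMPLE_KEY_B64, SAMPLE_SETTINGS).items():
        print(name, '=', value)
```

When a parser's output disagrees with a manual decryption, the HMAC check is the first thing to look at: a mismatch on every field means the Settings.Key, salt or iteration count extracted from the binary is wrong, while a mismatch on a single field points at a corrupted or re-encrypted string.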
\r\nTo disambiguate between AsyncRAT and VenomRAT (which shares much of the original codebase), we searched for VenomRAT-specific modules. No VenomRAT-specific modules or configuration expansions (e.g., HVNC, clipper, Telegram control) were observed, supporting classification as AsyncRAT rather than a VenomRAT fork.\r\nFigure: Manual validation of configuration in dnSpy showing the AES-256 encrypted strings\r\nFigure: Manual decryption of the ‘Hosts’ value using PowerShell to validate rat-king-parser extraction\r\nNotable Findings\r\nThe presence of a Chinese-localized certificate variant (“AsyncRAT 服务器”) and a “bullet-proof” hostname in certificate data indicates geographic expansion of operator demographics beyond the Eastern European and Latin American threat actor communities historically associated with AsyncRAT.\r\nThese infrastructure patterns inform how defenders can prioritize detection and blocking, detailed in the following section.\r\nAndrew Northern\r\nPrincipal Security Researcher\r\nAndrew Northern is a Principal Security Researcher with Censys ARC focused on tracking the apex predators of the initial-access e-crime landscape. His work targets the most capable operators, uncovering novel attack chains and dynamic web-delivered malware while mapping the infrastructure that enables them. He has earned multiple MITRE ATT\u0026CK citations, discovered and named several espionage-focused malware families, and published research that exposes previously unknown tradecraft.\r\nSource: https://censys.com/blog/asyncrat-c2-activity-at-internet-scale",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://censys.com/blog/asyncrat-c2-activity-at-internet-scale"
	],
	"report_names": [
		"asyncrat-c2-activity-at-internet-scale"
	],
	"threat_actors": [],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a461bba0d9dc46b692e7aa96ee8abd8a6e09926a.pdf",
		"text": "https://archive.orkl.eu/a461bba0d9dc46b692e7aa96ee8abd8a6e09926a.txt",
		"img": "https://archive.orkl.eu/a461bba0d9dc46b692e7aa96ee8abd8a6e09926a.jpg"
	}
}