AsyncRAT Activity
By eSentire Threat Response Unit (TRU)
Archived: 2026-04-06 01:09:20 UTC
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters
and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the
Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced
Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We
outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
How did we find it?
Our Machine Learning PowerShell classifier detected the attempt to retrieve the second stage PowerShell
script.
Our 24/7 SOC cyber analysts were alerted and investigated.
What did we do?
Our SOC cyber analysts investigated and confirmed that the activity is malicious.
Isolated the host on the customer’s behalf to contain this incident in accordance with the customer’s
business policies.
What can you learn from this TRU positive?
AsyncRAT is an open-source project. Successful delivery and infection of AsyncRAT requires layers of
obfuscation and code injection.
We covered this infection chain previously.
The infection chain requires the user to follow several steps to grant the adversary code execution
capabilities. Unfortunately, mounting ISOs or executing scripting files in Windows is trivial and similar
infection chains are increasingly common.
Layers of embedded files may thwart email filtering. The malicious payload is only retrieved when the user
has completed several manual steps.
https://www.esentire.com/blog/asyncrat-activity
Page 1 of 5

Recommendations from our Threat Response Unit (TRU) Team:
Attacks such as this rely on user execution. Using phishing and security awareness training, increase your
employees’ awareness of:
Email-based attacks (e.g., business email compromise (BEC) attacks), particularly those delivering
HTML or ISO files.
Unknown ISO or script files (VBS, JS). These file types pose a risk and shouldn’t be opened.
Create new “Open With” parameters for script files (.js, .jse, .hta, .vbs) so they open with notepad.exe. This
setting is found in the Group Policy Management Console under User
Configuration > Preferences > Control Panel Settings > Folder Options.
By default, these script files are executed automatically using Windows Script Host (wscript.exe) or
Microsoft HTML Application host (mshta.exe) when double-clicked by a user.
ISO files are mounted as a drive when double-clicked by users by default, consider deregistering this file
extension in Windows File Explorer.
Ask Yourself...
1. Are your users sufficiently aware of techniques bypassing email filtering?
2. What level of visibility do you have across your network, endpoint, and overall environment to detect
malicious behavior at scale?
3. Can you respond to remote access malware in a timely manner?
To learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next
Level MDR, connect with an eSentire Security Specialist now.
https://www.esentire.com/blog/asyncrat-activity
Page 2 of 5

GET STARTED
ABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your
organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7
Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and
works as an extension of your security team to continuously improve our Managed Detection and Response
service. By providing complete visibility across your attack surface and performing global threat sweeps and
proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending
your organization against known and unknown threats.
https://www.esentire.com/blog/asyncrat-activity
Page 3 of 5

Back to blog
Take Your Cybersecurity Program to the Next Level with eSentire MDR.
BUILD A QUOTE
in this blog
What did we find?How did we find it?What did we do?What can you learn from this TRU positive?
Recommendations from our Threat Response Unit (TRU) Team:
https://www.esentire.com/blog/asyncrat-activity
Page 4 of 5

Source: https://www.esentire.com/blog/asyncrat-activity
https://www.esentire.com/blog/asyncrat-activity
Page 5 of 5