AsyncRAT
Also known as: Async RAT, YOURSHELLNOTMINE
AsyncRAT is an open-source .NET remote access trojan first published on GitHub in 2019. It's now one of the most prevalent malware families in active use. The source code's availability has produced over 40 documented forks, including DcRAT, VenomRAT, and SilverRAT, making it less a single tool than a family of families.
The C2 protocol runs custom TCP over TLS with self-signed certificates (default CN "AsyncRAT Server"), AES-256 encrypted configuration, and gzip-compressed MessagePack payloads. Capabilities include keylogging, remote desktop, screen and webcam capture, credential harvesting, file management, PowerShell execution, and process injection.
Operators heavily favor Cloudflare tunneling and cloud-hosted reverse proxies over traditional bulletproof hosting. Most configure C2 on standard web ports (443, 80) rather than AsyncRAT's well-known defaults (6606, 7707, 8808).
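The two C2 indicators above (the default self-signed CN and the well-known default ports) can be turned into a small hunt over TLS connection metadata. The following is an added example, not code from the original page: it scores Zeek-style ssl.log records (field names follow Zeek's ssl.log; the log lines themselves are constructed) and weights the certificate CN far above the port, since most operators move C2 to 443/80.

```python
# Added example (not from the original page): certificate/port hunt over
# Zeek-style ssl.log records. Field names follow Zeek's ssl.log (id.resp_h,
# id.resp_p, subject, issuer, validation_status); the records are constructed.
import json

DEFAULT_CN = "CN=AsyncRAT Server"          # default self-signed CN from the page
DEFAULT_PORTS = {6606, 7707, 8808}         # AsyncRAT's well-known default ports

# Constructed sample records, not real telemetry.
SAMPLE_SSL_LOG = """
{"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","id.resp_p":443,"subject":"CN=AsyncRAT Server","issuer":"CN=AsyncRAT Server","validation_status":"self signed certificate"}
{"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.11","id.resp_p":6606,"subject":"CN=localhost","issuer":"CN=localhost","validation_status":"self signed certificate"}
{"id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.20","id.resp_p":443,"subject":"CN=www.example.com","issuer":"CN=Example CA","validation_status":"ok"}
"""

def score_session(rec):
    """Return (score, reasons) for one ssl.log record.

    Weighting reflects the page: the default CN is the reliable signal (98% of
    tracked servers keep it), a self-signed cert alone is weak, and the default
    ports only catch operators who did not move C2 to 443/80.
    """
    score, reasons = 0, []
    if rec.get("subject") == DEFAULT_CN and rec.get("issuer") == DEFAULT_CN:
        score += 80
        reasons.append("default AsyncRAT self-signed CN")
    if "self signed" in rec.get("validation_status", ""):
        score += 10
        reasons.append("self-signed server certificate")
    if rec.get("id.resp_p") in DEFAULT_PORTS:
        score += 30
        reasons.append("default AsyncRAT port %d" % rec["id.resp_p"])
    return score, reasons

def hunt(ssl_log_text, threshold=40):
    """Parse JSON-lines ssl.log text; return flagged (resp_h, port, score, reasons)."""
    hits = []
    for line in ssl_log_text.strip().splitlines():
        rec = json.loads(line)
        score, reasons = score_session(rec)
        if score >= threshold:
            hits.append((rec["id.resp_h"], rec["id.resp_p"], score, reasons))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_SSL_LOG):
        print(hit)
```

The second constructed record shows the port-only case: a self-signed certificate on 6606 reaches the threshold but with a much lower score than the CN match, which is the signal to triage first.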
Delivery methods include HTML smuggling, cracked-software lures, and abuse of Cloudflare's TryCloudflare service for WebDAV staging. Both commodity cybercrime operators and tracked threat actors use AsyncRAT, including TA2541 (aviation/defense targeting since 2017), Blind Eagle/APT-C-36 (South American government/financial), and Storm-1865 (hospitality sector).
Linked Threat Actors
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 14, 2026 | 438 |
| Apr 13, 2026 | 283 |
| Apr 12, 2026 | 97 |
| Apr 11, 2026 | 173 |
| Apr 10, 2026 | 264 |
| Apr 9, 2026 | 608 |
| Apr 8, 2026 | 1058 |
Further Reading
The most thorough public teardown. Covers config decryption, keylogger internals, persistence mechanisms, credential stealing, and anti-analysis with decompiled source.
Protocol-level research documenting the custom packet format inside TLS. Demonstrates unauthenticated server fingerprinting without relying on certificate or JARM indicators.
Censys tracked 57 active servers. 98% use the default self-signed certificate CN, making certificate-based C2 hunting reliable.
ESET's fork taxonomy mapping 40+ variants and their relationships, including DcRAT, VenomRAT, and SilverRAT.
Documents current-generation delivery tradecraft: Cloudflare TryCloudflare tunneling for WebDAV staging, Dropbox payloads, and Python-based APC injection.
23 detection rules mapped to MITRE ATT&CK with Splunk SPL queries covering scheduled tasks, registry persistence, process hollowing, and scripting interpreters.
Proofpoint's report on TA2541, the threat actor targeting aviation, aerospace, and defense with AsyncRAT since 2017 through bulk phishing campaigns.
Real incident case study documenting detection of AsyncRAT C2 on port 6606 via anomalous self-signed SSL connection, through to autonomous containment.
ANY.RUN's analysis of AsyncRAT operators leaving open directories exposing their staging infrastructure, payloads, and operational tooling.
Network-level detection methodology for identifying AsyncRAT traffic from metadata when the payload is TLS-encrypted.