AsyncRAT’s Dark Evolution: How Open-Source Code Fuels a Growing Malware Empire
AsyncRAT, first introduced on GitHub in January 2019, has evolved into one of the most formidable tools in the cybercriminal arsenal. Its open-source architecture, written in C#, has laid the foundation for a multitude of forks and modifications, which have been leveraged to craft increasingly sophisticated strains of malware.
A recent analysis conducted by ESET researchers revealed how this seemingly unremarkable trojan—initially modest in functionality—has transformed into a full-fledged platform for managing compromised systems, thanks to its accessibility, modular design, and ease of configuration.
Originally conceived as a lightweight remote access tool, AsyncRAT was capable of capturing screenshots, logging keystrokes, stealing credentials, and executing commands issued by attackers. However, its true impact began to emerge with the proliferation of its forks, spread predominantly through phishing campaigns and malware loaders such as GuLoader and SmokeLoader. These delivery campaigns disguise the malware as cracked software or fake updates, or push it through malicious ads, targeting both individual users and corporate networks.
AsyncRAT became especially attractive to the criminal underground due to its adaptability. It quickly evolved to evade detection and gained advanced capabilities through plug-in modules. Over time, it gave rise to dozens of malware variants, including DCRat, Venom RAT, JasonRAT, XieBroRAT, and the lesser-known NonEuclid RAT.
DCRat, also known as DarkCrystal RAT, marked a significant leap forward from its AsyncRAT predecessor. It employs advanced evasion techniques such as AMSI and ETW patching to disable security monitoring systems. Additionally, it can capture audio and video through microphones and webcams, steal Discord tokens, and even encrypt the victim’s files. Venom RAT, inspired by DCRat, boasts its own suite of stealth features and improved functionality.
Other forks, like NonEuclid RAT, focus on brute-forcing SSH and FTP credentials, hijacking clipboard contents to steal cryptocurrency, and infecting other executable files. JasonRAT introduced geolocation-based targeting, while XieBroRAT was tailored for the Chinese market and developed capabilities to communicate with Cobalt Strike servers.
The lineage of AsyncRAT can be traced back to an earlier project—Quasar RAT—also built in C# and released on GitHub in 2015. While the two share a common heritage and employ similar cryptographic techniques for decrypting configurations, AsyncRAT represents more of a reimagining than a direct fork.
The public availability of such tools has dramatically lowered the barrier to entry for cybercrime. Even novice threat actors can now orchestrate complex malware campaigns with minimal effort—especially when coupled with the automation potential of large language models. This trend fuels the rise of the “malware-as-a-service” model, with preconfigured AsyncRAT builds and plug-ins being openly traded on Telegram and dark web forums.
Adding to the challenge is the increasingly blurred line between malicious software, legitimate remote administration tools, and penetration testing utilities. This ambiguity complicates threat identification and the development of effective defenses. For security professionals, it underscores the importance of behavioral analysis, tracking command-and-control channels, and understanding modern techniques such as fileless persistence, clipboard hijacking, and credential theft.