AsyncRAT is an open-source remote access trojan that first appeared on GitHub in 2019. It includes a range of typical RAT capabilities, such as keylogging, screen capture, and credential theft. Its simplicity and open-source design have made it a popular tool among cybercriminals, leading to its widespread use in various cyberattacks.
Over time, AsyncRAT has become a mainstay of the modern malware ecosystem, spawning a wide array of variants and forks, which are customized offshoots that build on and extend the original tool. A new analysis from ESET Research highlights the most significant of these forks, tracing their evolution and mapping the connections between them.
Extended fork hierarchy list (Source: ESET)
“AsyncRAT introduced significant improvements, particularly in its modular architecture and enhanced stealth features, making it more adaptable and harder to detect in modern threat environments. Its plug-in-based architecture and ease of modification have sparked the proliferation of many forks, pushing the boundaries even further,” says ESET researcher Nikola Knežević.
Many of the AsyncRAT forks build on its original foundation. Some variants introduce new features and enhancements, while others are little more than repackaged versions of the same tool. According to ESET telemetry, the most widely used variants among attackers are DcRat, VenomRAT, and SilverRAT.
DcRat stands out for its expanded feature set compared to AsyncRAT, while VenomRAT pushes things further with even more capabilities. But not every fork is entirely serious. Some, like SantaRAT and BoratRAT, were created as jokes, although researchers have still observed them being used in real-world attacks.
In its analysis, ESET Research also highlights a few lesser-known forks that extend AsyncRAT’s functionality in unique ways. These niche versions are typically developed by individual authors or small groups and account for less than 1% of AsyncRAT-related samples.
“The widespread availability of frameworks such as AsyncRAT significantly lowers the barrier to entry for aspiring cybercriminals, enabling even novices to deploy sophisticated malware with minimal effort. This development further accelerates the creation and customization of malicious tools. This evolution underscores the importance of proactive detection strategies and deeper behavioral analyses to effectively address emerging threats,” Knežević explained.




