New AsyncRAT Forks Discovered with Advanced Features Like Screamers and USB Spreaders

AsyncRAT has evolved from a straightforward remote access trojan into a complex ecosystem of forks and variants.

ESET researchers have mapped out the intricate web formed by AsyncRAT’s open-source codebase, revealing a constantly shifting threat landscape defined by new features, evasion techniques, and a parade of technical oddities.

The Roots of AsyncRAT:

AsyncRAT originated as an open-source project on GitHub in 2019, authored in C# and designed for remote access through functionalities like keylogging, screen capture, and credential theft.

While bearing conceptual resemblance to the older Quasar RAT, AsyncRAT is a from-scratch rewrite that nonetheless borrows cryptographic code, particularly its Aes256 and Sha256 classes, from Quasar:

```csharp
// Snippet from AsyncRAT cryptography module (the salt bytes are elided in the article)
namespace Client.Algorithm
{
    public class Aes256
    {
        private static readonly byte[] Salt = { ... };
        // ...rest of cryptographic routines...
    }
}
```

The above snippet highlights the key technical detail: the salt value and encryption logic are virtually identical to Quasar, demonstrating how ideas are ported even between diverging codebases.

Despite this, AsyncRAT’s core is modular and highly extensible, fueling its rapid adoption.

DcRat, VenomRAT, and Joking Offshoots

AsyncRAT’s public release triggered a burst of derivative projects, each adding new tricks or disguises.

Two forks stand out:

  • DcRat improves data serialization using MessagePack and implements advanced defense evasion:
    • AMSI/ETW patching disables Windows security features.
    • Antiprocess system kills processes like Taskmgr.exe, ProcessHacker.exe, and MsMpEng.exe.
    • Plugin expansion: from webcam access and Discord token theft to a ransomware plugin leveraging AES-256 encryption.

```csharp
// DcRat's AMSI patching routine (excerpt as given in the article; the signature is truncated)
[DllImport("amsi.dll")]
public static extern int AmsiScanBuffer(IntPtr session, byte[] buffer, ...);
```

  • VenomRAT mirrors DcRat’s modular structure but pushes feature bloat, making it a threat in its own right. While many derivatives like SantaRAT or BoratRAT start as jokes, even these have seen sporadic circulation in real-world campaigns.
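The antiprocess behaviour described above leaves a defender-visible trace: killing another process requires a handle opened with the PROCESS_TERMINATE right (0x0001), which Sysmon records as Event ID 10 (ProcessAccess) together with the GrantedAccess mask. The Go program below is an added example, not code from the article, from ESET or from any RAT fork. It assumes a simplified, space-free `key=value` rendering of those events (real Sysmon output is XML), the source path `C:\Users\bob\AppData\Roaming\updater.exe` is invented, and the three target names come from the article.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// PROCESS_TERMINATE access right from winnt.h; any mask containing it can kill the target.
const processTerminate = 0x0001

// Processes the DcRat antiprocess loop is reported to kill (names from the article).
var protectedTargets = map[string]bool{
	"taskmgr.exe": true, "processhacker.exe": true, "msmpeng.exe": true,
}

// Constructed, simplified ProcessAccess records (not real Sysmon output; paths contain no spaces).
var sampleEvents = []string{
	`EventID=10 SourceImage=C:\Users\bob\AppData\Roaming\updater.exe TargetImage=C:\Windows\System32\Taskmgr.exe GrantedAccess=0x1`,
	`EventID=10 SourceImage=C:\Users\bob\AppData\Roaming\updater.exe TargetImage=C:\Constructed\Defender\MsMpEng.exe GrantedAccess=0x1FFFFF`,
	`EventID=10 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Windows\System32\Taskmgr.exe GrantedAccess=0x1000`,
	`EventID=10 SourceImage=C:\Users\bob\AppData\Roaming\updater.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1`,
	`EventID=1 SourceImage=C:\Users\bob\AppData\Roaming\updater.exe TargetImage=C:\Windows\System32\Taskmgr.exe GrantedAccess=0x1`,
}

// baseName lower-cases the file name of a Windows path (filepath.Base would not split on '\' on Linux).
func baseName(p string) string {
	i := strings.LastIndexAny(p, `\/`)
	return strings.ToLower(p[i+1:])
}

// parseEvent turns one key=value record into a map.
func parseEvent(line string) map[string]string {
	ev := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			ev[k] = v
		}
	}
	return ev
}

// hasTerminateRight parses a GrantedAccess mask such as 0x1FFFFF and tests the PROCESS_TERMINATE bit.
func hasTerminateRight(mask string) bool {
	v, err := strconv.ParseUint(strings.TrimPrefix(strings.ToLower(mask), "0x"), 16, 32)
	return err == nil && v&processTerminate != 0
}

// findAntiprocessActivity returns, per source image, the sorted list of protected targets
// it opened with PROCESS_TERMINATE. Event types other than 10 and masks without the bit are ignored.
func findAntiprocessActivity(lines []string) map[string][]string {
	hits := map[string]map[string]bool{}
	for _, line := range lines {
		ev := parseEvent(line)
		if ev["EventID"] != "10" || !hasTerminateRight(ev["GrantedAccess"]) {
			continue
		}
		target := baseName(ev["TargetImage"])
		if !protectedTargets[target] {
			continue
		}
		src := ev["SourceImage"]
		if hits[src] == nil {
			hits[src] = map[string]bool{}
		}
		hits[src][target] = true
	}
	out := map[string][]string{}
	for src, set := range hits {
		for t := range set {
			out[src] = append(out[src], t)
		}
		sort.Strings(out[src])
	}
	return out
}

// antiprocessSources lists sources that hit at least minTargets distinct protected processes;
// one source sweeping several analysis and AV processes is the antiprocess pattern.
func antiprocessSources(lines []string, minTargets int) []string {
	var flagged []string
	for src, targets := range findAntiprocessActivity(lines) {
		if len(targets) >= minTargets {
			flagged = append(flagged, src)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	activity := findAntiprocessActivity(sampleEvents)
	for _, src := range antiprocessSources(sampleEvents, 2) {
		fmt.Printf("antiprocess pattern: %s -> %v\n", src, activity[src])
	}
}
```

In the constructed sample only the Roaming-folder binary is flagged: explorer.exe opened Taskmgr.exe with 0x1000 (query access, no terminate bit), the notepad.exe handle is not against a protected target, and the EventID 1 record is not a handle event. The threshold of two distinct targets is a tuning knob; a single PROCESS_TERMINATE handle to MsMpEng.exe from an unsigned user-writable path would still merit a lower-severity alert.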

Identification relies on examining the Version field in the AES-256 encrypted configuration—often readily visible—or investigating the Salt parameter or embedded X.509 certificates.

More advanced methods involve active probing of C&C servers and code structure analysis.

Exotic Plugins and Obfuscation Tactics

Beyond mainstream forks, niche variants show inventive plugin development:

| Plugin name | Functionality |
| --- | --- |
| Screamer.dll | Jump scare with built-in images and WAV playback |
| WormUsb.dll | Infects other executables via USB/pen drives |
| Brute.dll | SSH and FTP credential brute-forcing |
| cliper.dll | Clipboard hijack that replaces wallet addresses |
| Signature Antivirus.dll | Deletes files matching attacker-supplied MD5s |

The technical innovation sometimes borders on parody—JasonRAT obscures its strings with a custom Morse code variant (.--. .- ... ... .-- --- .-. -.. ...) and adopts variable names from esoteric “satanic” vocabularies.

NonEuclid RAT introduces plugins for geolocation harvesting (Maps.dll) and file brute-forcing, while XieBroRAT adds browser credential theft through BrowserGhost.dll and Cobalt Strike integration.

As the AsyncRAT ecosystem matures, the proliferation of ever-more modular and evasive forks significantly lowers the technical barrier for cybercriminals.

Security defenders should expect the evolution of even more obfuscated, plugin-rich forks, demanding constant vigilance and dynamic detection strategies to keep pace with these threats.

The post New AsyncRAT Forks Discovered with Advanced Features Like Screamers and USB Spreaders appeared first on Cyber Security News.
