S1087: AsyncRAT
Analyst context for executives and security teams
AsyncRAT is an open-source Windows remote access tool that ATT&CK records as used in malicious campaigns. Its business significance goes beyond the tool name: the mapped behaviors span user-driven execution, persistence through scheduled tasks, discovery, credential collection through keylogging, screen/video capture, file transfer, and command-and-control using dynamic resolution and proxying. That combination makes it relevant to incident response readiness, phishing resilience, endpoint visibility, and evidence that SOC teams can follow an intrusion beyond the initial file execution.
Executive priority
Treat AsyncRAT coverage as a practical test of Windows endpoint and email-led intrusion resilience. Leaders should ask whether the organization can prove visibility from malicious attachment opening through persistence, discovery, credential capture, and outbound command-and-control. Because ATT&CK relates this tool to multiple campaigns and groups, including aviation/transportation-themed TA2541 activity and Operation AkaiRyū, it is useful for threat-informed control validation; local exposure, however, should be assessed from telemetry and business context rather than assumed from reported targeting.
Technical view
ATT&CK provides no official detection text for AsyncRAT, so defenders should build validation around the mapped techniques and the Windows platform. Prioritize visibility into suspicious file execution from email/download paths, cmd.exe usage, scheduled task creation or modification, process/user/network/system-time/storage discovery, file ingress, screen or video capture behavior, keylogging indicators, hidden windows, native API-heavy execution patterns, and outbound C2 patterns involving dynamic DNS/DGA-like behavior or multi-hop proxy infrastructure. Relationships to T1566.001, T1204.002, T1053.005, T1059.003, T1056.001, T1113, T1125, T1105, T1090.003, T1568/T1568.002, and multiple discovery/evasion techniques should drive detection engineering test cases.
Likely telemetry
- Email security logs and attachment detonation/opening records for spearphishing attachment scenarios
- Windows process creation telemetry with command line, parent-child relationships, and user context
- Scheduled task creation, modification, and execution events
- Endpoint file creation/download telemetry for ingress tool transfer
- DNS query logs, proxy logs, firewall/netflow, and outbound connection metadata
Detection direction
- Do not rely on a single AsyncRAT signature; validate behavior chains across initial access, execution, persistence, discovery, collection, and C2.
- Tune for suspicious scheduled tasks linked to recently delivered or user-opened files, unusual parent processes, or unexpected command-shell execution.
- Correlate user-driven file execution with subsequent discovery activity, file transfer, screen/video capture, or keylogging indicators to reduce false positives.
- Review DNS and egress analytics for dynamic resolution or DGA-like patterns, but account for legitimate dynamic services and proxy infrastructure.
- Include anti-analysis blind spots in testing: system checks and debugger evasion may reduce sandbox visibility, so endpoint and network telemetry remain important.
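The behavior-chain correlation described above, as an added example that is not part of the ATT&CK object, the Glexia analysis, or the AsyncRAT project: it walks constructed process-creation, task-creation and DNS records per host, anchors on a user-facing application spawning a command shell, and raises an alert only when a scheduled task is created and a dynamic-DNS or DGA-looking domain is resolved within a short window afterwards. Host names, users, domains, the application/shell lookup sets, the dynamic-DNS suffix list and the entropy thresholds are all assumptions for illustration; discovery, file transfer or capture indicators would be added as further stages in the same pattern.

```python
"""Behavior-chain correlation over constructed Windows and DNS telemetry.

Added example for this page; not code from the ATT&CK object, from Glexia, or
from the AsyncRAT project. The event shapes, host names, users, domains and the
dynamic-DNS suffix list are constructed or assumed for illustration.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed lookup sets: user-facing applications that should rarely spawn a
# command shell, the shells themselves, and a starter list of dynamic-DNS
# suffixes (legitimate services also use these, so a match raises a stage,
# never an alert on its own).
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")
WINDOW = timedelta(minutes=10)  # how long after the shell spawn to look for follow-on stages

# Constructed sample telemetry: simplified process-creation, task-creation and DNS records.
EVENTS = [
    {"ts": "2025-01-10T09:01:00", "host": "WS01", "type": "process", "user": "alice",
     "image": "WINWORD.EXE", "parent": "explorer.exe"},
    {"ts": "2025-01-10T09:01:12", "host": "WS01", "type": "process", "user": "alice",
     "image": "cmd.exe", "parent": "WINWORD.EXE"},
    {"ts": "2025-01-10T09:01:21", "host": "WS01", "type": "task_created", "user": "alice",
     "task": "Update"},
    {"ts": "2025-01-10T09:02:05", "host": "WS01", "type": "dns", "query": "xk3v9qz2plm7.duckdns.org"},
    # Benign contrast: an admin registers a task from a PowerShell session started
    # from explorer.exe, and the host then resolves an ordinary domain.
    {"ts": "2025-01-10T10:00:00", "host": "WS02", "type": "process", "user": "itadmin",
     "image": "powershell.exe", "parent": "explorer.exe"},
    {"ts": "2025-01-10T10:00:30", "host": "WS02", "type": "task_created", "user": "itadmin",
     "task": "BackupJob"},
    {"ts": "2025-01-10T10:00:40", "host": "WS02", "type": "dns", "query": "update.microsoft.com"},
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def is_dyndns(fqdn: str) -> bool:
    """True when the query ends in one of the assumed dynamic-DNS suffixes."""
    return fqdn.lower().endswith(tuple("." + s for s in DYNDNS_SUFFIXES))


def is_dga_like(fqdn: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Crude DGA heuristic: a long leftmost label with high character entropy.

    Thresholds are assumptions to tune against local baselines; CDN and cloud
    hostnames can also score high, which is why this only contributes a stage."""
    label = fqdn.lower().split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def correlate(events):
    """Return one alert per host where a user application spawned a shell and,
    within WINDOW, a scheduled task was created and a dynamic-DNS or DGA-looking
    domain was resolved."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in evs:
            if anchor["type"] != "process":
                continue
            if anchor["image"].lower() not in SHELLS or anchor["parent"].lower() not in USER_APPS:
                continue
            t0 = datetime.fromisoformat(anchor["ts"])
            stages = {"user_app_spawned_shell": f'{anchor["parent"]} -> {anchor["image"]}'}
            for ev in evs:
                t = datetime.fromisoformat(ev["ts"])
                if not t0 <= t <= t0 + WINDOW:
                    continue
                if ev["type"] == "task_created":
                    stages["scheduled_task"] = ev["task"]
                elif ev["type"] == "dns":
                    if is_dyndns(ev["query"]):
                        stages["dynamic_dns"] = ev["query"]
                    if is_dga_like(ev["query"]):
                        stages["dga_like"] = ev["query"]
            if "scheduled_task" in stages and ("dynamic_dns" in stages or "dga_like" in stages):
                alerts.append({"host": host, "user": anchor["user"],
                               "first_seen": anchor["ts"], "stages": stages})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run as-is it reports only WS01: the admin host never anchors because explorer.exe is not in the user-application set, and its DNS query passes neither heuristic. In production the same shape would be fed from process-creation events with command lines, Task Scheduler operational events and DNS/proxy logs, with the lookup sets and thresholds tuned to the environment's baseline.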
Mitigation priorities
- Start with phishing and malicious attachment risk reduction: attachment controls, user reporting workflows, and execution policy review for high-risk file types.
- Harden and monitor Windows persistence surfaces, especially Task Scheduler, with least privilege and change visibility.
- Maintain endpoint controls capable of detecting or blocking suspicious RAT behaviors such as unauthorized screen/video capture, keylogging, hidden execution, and tool transfer.
- Strengthen DNS, proxy, and egress governance so unusual outbound C2 patterns can be investigated and contained quickly.
- Protect credentials and interactive sessions with least privilege and rapid response procedures, since keylogging is a mapped behavior.
Analyst notes and limits
This take is based only on the supplied ATT&CK S1087 object, its external references, and relationships. AsyncRAT is listed as a Windows tool with no official ATT&CK detection guidance and no object-level tactics specified. The defensive direction therefore comes from the related ATT&CK techniques and reported campaign/group relationships, not from a guaranteed detection recipe.
The supplied object does not include indicators, command examples, malware configuration details, hashes, network infrastructure, or official detection analytics. Technique relationships include some platforms beyond Windows, but the AsyncRAT object itself is Windows, so platform assumptions should remain Windows-focused unless local evidence shows otherwise.
AsyncRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1622 | Debugger Evasion | AsyncRAT can use the `CheckRemoteDebuggerPresent` function to detect the presence of a debugger. (Telefonica Snip3 December 2021) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | AsyncRAT can be deployed via batch script. (ESET MirrorFace 2025) |
| Enterprise | T1106 | Native API | AsyncRAT has the ability to use OS APIs including `CheckRemoteDebuggerPresent`. (Telefonica Snip3 December 2021) |
| Enterprise | T1124 | System Time Discovery | AsyncRAT can check whether the current system hour and day of the week are within operating hours defined in its configuration. (ESET MirrorFace 2025) |
| Enterprise | T1568.002 | Domain Generation Algorithms Sub-technique | AsyncRAT uses a DGA to generate C2 domains. (ESET MirrorFace 2025) |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | |
| Enterprise | T1680 | Local Storage Discovery | AsyncRAT can check the disk size through the values obtained with `DeviceInfo`. (Telefonica Snip3 December 2021) |
| Enterprise | T1033 | System Owner/User Discovery | AsyncRAT can check if the current user of a compromised system is an administrator. (Telefonica Snip3 December 2021) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | AsyncRAT has been delivered via malicious email attachments. (Recorded Future TAG-144 AUG 2025) |
| Enterprise | T1568 | Dynamic Resolution | AsyncRAT can be configured to use dynamic DNS. (AsyncRAT GitHub) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | AsyncRAT can hide the execution of scheduled tasks using `ProcessWindowStyle.Hidden`. (Telefonica Snip3 December 2021) |
| Enterprise | T1497.001 | System Checks Sub-technique | AsyncRAT can identify strings such as Virtual, vmware, or VirtualBox to detect virtualized environments. (Telefonica Snip3 December 2021) |
| Enterprise | T1125 | Video Capture | AsyncRAT can record screen content on targeted systems. (AsyncRAT GitHub) |
| Enterprise | T1105 | Ingress Tool Transfer | AsyncRAT has the ability to download files, including over SFTP. (AsyncRAT GitHub; ESET MirrorFace 2025) |
| Enterprise | T1204.002 | Malicious File Sub-technique | AsyncRAT has been executed through victims opening malicious file attachments. (Recorded Future TAG-144 AUG 2025) |
| Enterprise | T1057 | Process Discovery | AsyncRAT can examine running processes to determine if a debugger is present. (Telefonica Snip3 December 2021) |
| Enterprise | T1016 | System Network Configuration Discovery | AsyncRAT can enumerate the NetBIOS name on targeted machines. (ESET MirrorFace 2025) |
| Enterprise | T1113 | Screen Capture | AsyncRAT has the ability to view the screen on compromised hosts. (AsyncRAT GitHub) |
| Enterprise | T1056.001 | Keylogging Sub-technique | AsyncRAT can capture keystrokes on the victim's machine. (AsyncRAT GitHub) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | AsyncRAT can create a scheduled task to maintain persistence on system start-up. (Telefonica Snip3 December 2021) |
Groups, software, and campaigns
G1018: TA2541
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
C0060: Operation AkaiRyū
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3df7c39cce79… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Morphisec Snip3 May 2021: Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
- [2] Cisco Operation Layover September 2021: Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
- [3] Telefonica Snip3 December 2021: Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
- [4] mitre-attack S1087
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.