The AsyncRAT malware, which was previously distributed through files with the .chm extension, is now being spread via the WSF script format. The WSF file was found to be delivered inside a compressed (.zip) archive downloaded from URLs included in emails.
AsyncRAT spreads through a variety of strategies and tactics. Malspam and phishing efforts, which mimic legitimate messages like DHL shipment updates with malicious file attachments, are the most prevalent infection vectors.
Threat actors continue to develop new ways to spread AsyncRAT, such as "fileless" injection, which loads the main AsyncRAT binary directly into memory and runs it without ever writing the payload as a file on the target system.
The AhnLab Security Emergency Response Center (ASEC) reports that the downloaded zip file is decompressed to produce a file with the .wsf file extension.
This file contains just one <script> tag in the middle and is otherwise made up almost entirely of comments, as seen in the image below.
Upon executing this script, a Visual Basic script is downloaded and executed. From the same C2 address, this script downloads a .jpg file, which is actually a zip archive masquerading as an image.
It then renames this file from the .jpg extension to .zip before decompressing it. An XML file containing the command string to launch the Error.vbs file included in the archive is produced and executed using PowerShell.
The last file to be executed, pwng.ps1, converts the strings it contains into a .NET binary before loading and running it in memory.
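The "zip disguised as .jpg" stage above is simple to catch on the defensive side: the file's magic bytes do not match what its extension claims, and the archive carries script files. The following Python is an added example (not code from ASEC or the article) that triages a downloaded file by sniffing its real format, flagging an extension mismatch, and listing script-like members inside a zip. The sample archive is constructed inline; its member names (Error.vbs, pwng.ps1) are taken from the stages described above and contain only placeholder text.

```python
"""Defensive triage for a downloaded file whose extension may be lying about its contents."""
import io
import zipfile
from pathlib import PurePath

# Well-known file header signatures (magic bytes) for the formats we care about.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Map the file extension to the format name it claims.
CLAIMED_BY_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "zip": "zip"}

# Extensions of script files that should never be hiding inside an "image".
SCRIPT_EXTENSIONS = (".vbs", ".ps1", ".wsf", ".js", ".bat", ".cmd")


def sniff_type(data: bytes) -> str:
    """Return the real format of `data` based on its leading bytes."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (mismatch, actual_type): True when the extension claims a different format."""
    ext = PurePath(filename).suffix.lower().lstrip(".")
    claimed = CLAIMED_BY_EXT.get(ext, ext)
    actual = sniff_type(data)
    return actual != "unknown" and actual != claimed, actual


def list_script_members(data: bytes):
    """If `data` is a zip archive, return the names of script-like members."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [n for n in archive.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]


def triage(filename: str, data: bytes):
    """Return a list of human-readable findings for the given file."""
    findings = []
    mismatch, actual = extension_mismatch(filename, data)
    if mismatch:
        findings.append(f"extension {PurePath(filename).suffix} claims another format but content is {actual}")
    if actual == "zip":
        scripts = list_script_members(data)
        if scripts:
            findings.append("archive contains script files: " + ", ".join(scripts))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a zip whose member names mirror the stages in the article.
    The members hold harmless placeholder text, not the real scripts."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Error.vbs", "' placeholder content\n")
        archive.writestr("pwng.ps1", "# placeholder content\n")
        archive.writestr("readme.txt", "placeholder\n")
    return buffer.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for line in triage("photo.jpg", sample):
        print("FINDING:", line)
```

The same check is worth running on any email attachment or download whose extension is an image or document type: a `PK` header behind a .jpg name is a strong signal on its own, and script members inside the archive confirm it.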
Three obfuscated variables are used across these stages:
“The malware executed in the end is identified as AsyncRAT which has information exfiltration and backdoor features”, researchers said.
The threat actor relies on complex fileless techniques, with no EXE file written to disk, to distribute the same malware in a variety of ways.
When opening files or external links from emails, users should always exercise caution. Users are advised to utilize security product monitoring tools to recognize and block access from threat actors.