#AsyncRAT

Open-source .NET Remote Access Trojan, common in Latin American and European mass-phishing campaigns



IOCs by window

  • Today: 0 IOCs tagged #AsyncRAT
  • Week: 14 IOCs tagged #AsyncRAT
  • Month: 34 IOCs tagged #AsyncRAT
  • Year: 1,635 IOCs tagged #AsyncRAT

Counts as of 2026-04-29. Regenerated daily.

About #AsyncRAT

  • Type: open-source .NET Remote Access Trojan with a public GitHub source tree. Supports keylogging, screen capture, file management, password recovery, audio / video capture and remote shell.
  • Abuse pattern: extremely common in commodity Latin American and European mass-phishing campaigns. Forks (DcRat, VenomRAT) share core code and are often co-tagged. Delivery is typically via PDF / DOC / ISO email attachments and AutoIt or PowerShell loaders.
  • Detection signals: default certificate "AsyncRAT Server", TCP C2 on ports 6606 / 7707 / 8808, .NET assembly metadata strings, Confuser / Confuser2 obfuscation patterns, registry persistence.
  • References: Malpedia · NYAN-x-CAT/AsyncRAT-C-Sharp.

Recent IOCs tagged #AsyncRAT

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/asyncrat.


Frequently asked questions

What is AsyncRAT?

AsyncRAT is an open-source .NET Remote Access Trojan with a publicly available GitHub source tree. It supports keylogging, screen capture, file management, browser-password recovery, audio / video capture and remote shell. Its open nature makes it an extremely common base for commodity malware operators in Latin America and Europe; popular forks like DcRat and VenomRAT share most of the codebase.

How is AsyncRAT distinguished from its forks (DcRat, VenomRAT)?

All three share the same .NET core code base. Differentiation typically comes from network indicators (default ports, certificate strings) and added features in the forks - DcRat and VenomRAT include capabilities AsyncRAT does not. Researchers often co-tag IOCs when the family attribution is uncertain.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. AsyncRAT-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this AsyncRAT subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

AsyncRAT IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).