AsyncRAT seeds family of more than 30 remote access trojans | CyberScoop<\/title> <meta name=\"description\" content=\"ESET researchers observed tens of thousands of machines infected with AsyncRAT and its variants over the past year. The open-source malware is a popular tool among cybercriminals.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/asyncrat-malware-variants-eset\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"AsyncRAT seeds family of more than 30 remote access trojans\"> <meta property=\"og:description\" content=\"ESET researchers observed tens of thousands of machines infected with AsyncRAT and its variants over the past year. The open-source malware is a popular tool among cybercriminals.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/asyncrat-malware-variants-eset\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-07-15T18:53:01+00:00\"> <meta property=\"article:modified_time\" content=\"2025-07-15T18:53:03+00:00\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1752599970g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1750115417g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1752075323g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85179\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85179\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fasyncrat-malware-variants-eset%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fasyncrat-malware-variants-eset%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85179 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/asyncrat-malware-variants-eset\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.9180327868852\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.589898989899\">\n<div class=\"single-article__header-content\" readability=\"34.573426573427\">\n<p> ESET researchers observed tens of thousands of machines infected with AsyncRAT and its variants over the past year. The open-source malware is a popular tool among cybercriminals. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85179\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans.jpg?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Global network\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg 2309w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-2.jpg?resize=1498,843 1498w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Global network overlay on world map.<br \/>\n(World map courtesy of NASA) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"46.807926023778\"><body readability=\"94.876687668767\"><\/p>\n<p>AsyncRAT, the most prevalent remote access trojan observed in the wild, has <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/unmasking-asyncrat-navigating-labyrinth-forks\/\">spawned more than 30 forks and variants<\/a> that increase the impact of the open-source malware, making it a popular and sometimes disguised tool of choice for cybercriminals, ESET researchers said in a report released Tuesday. <\/p>\n<p>The open source remote access tool, which was first released on GitHub in 2019, shows up consistently in cyberattacks, most commonly distributed through spam campaigns, phishing and malicious ads, but also via exploited software vulnerabilities in more targeted operations, Nikola Kne\u017eevi\u0107, malware researcher at ESET, told CyberScoop.<\/p>\n<p>\u201cOver the past year alone, we have detected activity consistent with tens of thousands of unique infected machines associated with AsyncRAT and its variants,\u201d Kne\u017eevi\u0107 said.<\/p>\n<p>AsyncRAT remains the most widely deployed, but other variants have been widely distributed, accounting for a significant number of attacks linked to the tree of remote access trojans. ESET telemetry determined DcRat is the most widely distributed fork, accounting for 24% of unique sample infections, followed by VenomRAT at 8%.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cOf all the forks we\u2019ve come across, we believe VenomRAT to be one of the more concerning ones, largely due to its enhanced stealth, plethora of plugins and offensive capabilities,\u201d Kne\u017eevi\u0107 said. \u201cUnlike its simpler cousin, DcRat, VenomRAT integrates many of its features directly into the client, reducing reliance on external modules and making it more self-contained. It is also frequently bundled with phishing kits and deployed in multi-stage attacks.\u201d<\/p>\n<p>ESET identified multiple forks of AsyncRAT in its report, noting that some clones that authors publicly acknowledged as jokes, have been observed in the wild. <\/p>\n<p>\u201cThe uniqueness of AsyncRAT or its variants doesn\u2019t lie in any single technical feature, but rather the sheer scale and fluidity of its evolution. Unlike other open-source modular remote access trojans, AsyncRAT has spawned an unusually large number of forks, ranging from serious threats like VenomRAT and DcRat to novelty variants like SantaRAT,\u201d Kne\u017eevi\u0107 said.<\/p>\n<p>AsyncRAT includes common remote access trojan functionalities, including keylogging, screen capturing and credential theft, but additional capabilities have popped up in various forks over time. <\/p>\n<p>\u201cThis diversity makes it more challenging to maintain consistent detection rules, as each fork may introduce altered configuration layouts, add new layers of obfuscation, or completely revamp the original codebase,\u201d Kne\u017eevi\u0107 said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Some forks, such as VenomRAT, could be considered and may appear as standalone malware because of the many features they contain, but they are all part of the same malware family, according to ESET. Defenders can usually identify forks in the malware\u2019s configuration settings and values. <\/p>\n<p>\u201cThey share a common lineage and exhibit overlapping traits, such as similar configuration structures, encryption routines, and plugin architectures, which make them relatively easy to classify,\u201d Kne\u017eevi\u0107 said. \u201cRecognizing these shared characteristics is crucial for defenders, as it allows for more effective detection and attribution, even when the malware has been heavily obfuscated or superficially rebranded.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.9512195121951\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/asyncrat-malware-variants-eset\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AsyncRAT seeds family of more than 30 remote access trojans<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,1009,168,1073,4576,659,256,288],"tags":[286,86,1012,169,1076,4577,660,262,294],"class_list":["post-7800","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-eset","category-malware","category-open-source","category-rat","category-remote-access-trojan","category-research","category-threats","tag-cybercrime","tag-cybersecurity","tag-eset","tag-malware","tag-open-source","tag-rat","tag-remote-access-trojan","tag-research","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/eset\/\" rel=\"category tag\">ESET<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/rat\/\" rel=\"category tag\">RAT<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/remote-access-trojan\/\" rel=\"category tag\">Remote Access Trojan<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7800"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7800\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7800,"date":"2025-07-15T13:53:01","date_gmt":"2025-07-15T18:53:01","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85179"},"modified":"2025-07-15T13:53:01","modified_gmt":"2025-07-15T18:53:01","slug":"asyncrat-seeds-family-of-more-than-30-remote-access-trojans","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/07\/15\/asyncrat-seeds-family-of-more-than-30-remote-access-trojans\/","title":{"rendered":"AsyncRAT seeds family of more than 30 remote access trojans"},"content":{"rendered":"