Picture this: you download what looks like a normal program — maybe a cracked utility, a PDF someone emailed you, or an update that popped up at just the right time. Nothing happens. No warning, no flashing screen. You go about your day.
But behind the scenes, someone on the other side of the world just got the keys to your computer. They can watch your screen, read your keystrokes, open your files, and even turn on your webcam. And they can do all of this without you noticing for weeks or months.
That's exactly what AsyncRAT does. And a fresh sample of it was flagged by ThreatChain on April 7, 2025 — confirmed malicious by nearly every major security tool in the industry.
What Is AsyncRAT, Exactly?
AsyncRAT is a "Remote Access Trojan." Let's break that down:
- Remote Access means someone can control your computer from anywhere in the world, as if they were sitting at your desk.
- Trojan means it disguises itself as something harmless to get onto your machine — just like the wooden horse from the old Greek story.
Think of it like this: imagine handing a stranger a copy of your house key, your filing cabinet key, and a pair of binoculars pointed at your desk — except you didn't know you did it.
AsyncRAT has been around since at least 2019. Its source code is publicly available on GitHub, which means any aspiring cybercriminal can grab it, customize it, and start attacking people. That accessibility is what makes it so widespread and dangerous. It's not some rare, exotic weapon — it's the criminal equivalent of a cheap handgun that anyone can get.
Who Should Care About This?
If you use a Windows computer, you're a potential target. But AsyncRAT campaigns frequently go after:
- Small businesses that don't have a dedicated IT security team
- Freelancers and remote workers who download software from informal sources
- Anyone who opens email attachments without double-checking the sender
The malware is especially popular in campaigns targeting businesses because a single infected employee laptop can give attackers access to shared drives, email accounts, customer databases, and financial systems.
This Specific Sample: What We Know
The sample ThreatChain flagged is a small Windows executable — only about 48 kilobytes, which is tiny. For context, a single smartphone photo is usually 50 times larger. That small size is intentional: it helps the malware slip past simple size-based filters and download quickly.
Here are the key details:
| Detail | Value |
|---|---|
| File name | 118f6f175a840830421c090e05b15358.exe (also seen as Stub.exe) |
| File type | Windows .exe (built with .NET, Microsoft's programming framework) |
| Size | ~48 KB |
| Origin | Infrastructure traced to the Netherlands |
| Detection rate | 59 out of 75 antivirus engines flagged it as malicious |
| SHA-256 hash | 4c3b97c157d08ee298edb5d30fa86a3b90b04fedfbe517e7e0307b6013eacbf0 |
That 59/75 detection rate means the overwhelming majority of security tools recognize this file as dangerous. Multiple independent labs — ANY.RUN, CAPE, VMRay, Kaspersky, Intezer, and others — all independently confirmed it as AsyncRAT.
The name Stub.exe is telling. In the AsyncRAT ecosystem, a "stub" is the piece of malware that gets sent to the victim. The attacker uses a separate "builder" tool to create it, baking in the address of their command server and choosing what features to enable. It's like ordering a custom spy kit online: pick your options, click generate, and out pops a weapon.
How the Attack Actually Works
Here's what a typical AsyncRAT infection looks like, step by step:
Step 1: The bait. You receive something that looks legitimate — a phishing email with an attached "invoice," a link to download a "free tool," or a file shared through a messaging app. You click, you open, you run.
Step 2: The quiet setup. The malware installs itself and takes steps to survive restarts. One technique this sample is flagged for is called registry persistence — it writes a small entry into your Windows Registry (the system's internal configuration database) so that the malware launches every time you turn on your computer. Think of it like the malware writing its name on the guest list at a club so the bouncer lets it back in every night.
Step 3: Phoning home. AsyncRAT connects to a C2 server — short for "command and control." This is the attacker's remote control. Once the connection is live, the attacker can send commands and receive data. The communication is often encrypted, which means your network monitoring tools might see traffic going out but can't easily tell what's being said.
Step 4: Total control. Now the attacker can:
- Log every keystroke you type (passwords, messages, credit card numbers)
- Watch your screen in real time
- Browse and steal your files
- Download additional malware (ransomware, cryptocurrency miners, you name it)
- Activate your webcam or microphone
This sample also includes an anti-debugging check — a technique where the malware looks around to see if it's being examined by a security researcher. If it detects analysis tools, it can change its behavior or shut down entirely. It's like a burglar who checks for security cameras before breaking in.
The Real-World Impact
AsyncRAT infections don't usually announce themselves with a dramatic ransom note. They're quiet. That's what makes them worse in some ways.
A small accounting firm might lose months of client financial records to an attacker who siphoned data slowly. A freelance designer could have their banking credentials stolen through keylogging. A startup might discover that a competitor somehow got access to their product roadmap — because an employee's laptop was compromised three months ago and nobody noticed.
And because AsyncRAT is often just the first step, the damage can cascade. Attackers frequently use it as a beachhead to deploy ransomware later, once they've mapped out what's valuable on your network.
How to Protect Yourself
You don't need a six-figure security budget. Here are five concrete things you can do right now:
- Don't open unexpected attachments — even from people you know. If your "accountant" sends a surprise invoice as an .exe file, call them and ask. Attackers spoof email addresses all the time. Real invoices come as PDFs, not executable programs.
- Keep Windows and your apps updated. Many AsyncRAT campaigns exploit known vulnerabilities that already have fixes available. Turning on automatic updates is one of the simplest, highest-impact things you can do.
- Use an antivirus — and make sure it's actually running. This particular sample is caught by 59 out of 75 engines. Even Windows Defender (the free antivirus built into Windows) is catching AsyncRAT variants. But it only works if it's turned on and up to date.
- Never download cracked or pirated software. This is one of the most common delivery methods for AsyncRAT. That "free" version of Photoshop or that game crack? There's a meaningful chance it comes bundled with a remote access trojan. The software is free because you are the product.
- Back up your important files to a separate location. An external hard drive you disconnect after backups, or a cloud backup service. If an attacker does get in and deploys ransomware as a follow-up, your backups are your lifeline.
Bonus for IT admins and developers: If you want to check whether this specific sample has touched your environment, search your systems for the SHA-256 hash listed above, or look for files named Stub.exe or umxpxlmo.exe in unusual locations. Monitor for unexpected outbound connections, especially from .NET processes you don't recognize.
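For admins who want to turn the hunting advice above (and the registry-persistence behaviour described in Step 2) into something they can run, here is an added example that is not part of the original report: a small Python hunt over endpoint telemetry shaped like Sysmon events. It matches the sample's SHA-256 and file names, flags Run-key persistence entries that point outside normal install directories, and flags outbound connections from processes in unusual locations. The event records, the user name "alice" and the IP addresses are constructed for the demo; the event field names follow Sysmon's own (Image, Hashes, Initiated, TargetObject, Details).

```python
import re

# Indicators quoted in the report above: the sample's SHA-256 and the file names it was seen under.
IOC_SHA256 = "4c3b97c157d08ee298edb5d30fa86a3b90b04fedfbe517e7e0307b6013eacbf0"
IOC_NAMES = {"stub.exe", "umxpxlmo.exe"}
# Where legitimately installed programs normally live; anything else counts as "unusual".
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def unusual(path):
    return not path.lower().startswith(TRUSTED_DIRS)

def hunt(events):
    """Return (index, reason) pairs for events matching the report's indicators.
    Events are dicts keyed like Sysmon fields: EventID 1 (process create: Image,
    Hashes), 3 (network connect: Image, Initiated) and 13 (registry value set:
    TargetObject, Details)."""
    hits = []
    for i, ev in enumerate(events):
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 1:
            hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
            if hashes.get("SHA256", "").lower() == IOC_SHA256:
                hits.append((i, "known AsyncRAT sample hash"))
            elif basename(image) in IOC_NAMES and unusual(image):
                hits.append((i, "known AsyncRAT file name in unusual location"))
        elif eid == 3 and ev.get("Initiated") == "true" and unusual(image):
            hits.append((i, "outbound connection from process in unusual location"))
        elif eid == 13:
            run_key = re.search(r"\\CurrentVersion\\Run(Once)?\\", ev.get("TargetObject", ""), re.I)
            if run_key and unusual(ev.get("Details", "")):
                hits.append((i, "Run-key persistence pointing at unusual location"))
    return hits

# Constructed sample events (not real telemetry); IPs are from the documentation range.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Stub.exe", "Hashes": "SHA256=" + IOC_SHA256},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\umxpxlmo",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\umxpxlmo.exe"},
    {"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\umxpxlmo.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.20"},
]

if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(idx, why, SAMPLE_EVENTS[idx].get("Image") or SAMPLE_EVENTS[idx].get("Details"))
```

On a real host you would feed `hunt` the parsed Sysmon operational log instead of `SAMPLE_EVENTS`; the "unusual location" heuristic is deliberately coarse and is a triage aid, not a verdict.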
AsyncRAT isn't glamorous. It doesn't make headlines the way a massive ransomware attack does. But that's exactly why it works — it's quiet, it's cheap, it's everywhere, and it gives attackers everything they need to ruin your day, your quarter, or your business. The good news? Basic security hygiene stops most of these attacks cold. You don't have to be a cybersecurity expert. You just have to be a little bit careful.
This sample is available as a password-protected ZIP (password: infected) for security researchers.