Unmasking AsyncRAT New Infection Chain
ID: 62b76c47-1a1c-587b-bdf3-deaed33d7803
STIX ID: report--62b76c47-1a1c-587b-bdf3-deaed33d7803
Feed Name: McAfee Labs Blog
This report analyzes an active AsyncRAT campaign delivered via a spam-linked HTML file that unpacks an ISO containing a WSF, which in turn retrieves staged PowerShell scripts. The chain writes multiple non-PE scripts to ProgramData, establishes persistence, and injects a PE into RegSvcs.exe to run AsyncRAT, which logs keystrokes, steals credentials as well as browser and cryptocurrency-related data, and exfiltrates to 45.12.253.107:8808. The analysis includes file hashes and URLs as IOCs and highlights the use of obfuscation and living-off-the-land techniques to evade detection.
