AsyncRAT C2 Activity at Internet Scale
ID: 4e584aba-4904-5325-b594-6d3ef31649ca
STIX ID: report--4e584aba-4904-5325-b594-6d3ef31649ca
Feed Name: Censys Blog
Date Published: 2026-01-29
Date Updated: 2026-04-27
Author: Andrew Northern; Principal Security Researcher
AsyncRAT is an open-source .NET remote access trojan widely adopted by criminal operators for persistent access, credential theft (keylogging, memory access, clipboard hijacking), and payload staging. Censys observed 57 internet-exposed AsyncRAT hosts that commonly reuse a default self-signed "AsyncRAT Server" TLS certificate and concentrate on low-cost VPS providers, both of which enable scalable detection. The report documents technical artifacts (custom TCP C2 on non-standard ports, MessagePack/AES configuration, plugin runtime), delivery vectors (malspam, loader chains, open directories), a static-analysis case study validating AsyncRAT samples, and practical host- and network-based detection and blocking recommendations.
