{"id":2774,"date":"2025-09-11T20:52:54","date_gmt":"2025-09-11T20:52:54","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/09\/11\/fileless-malware-deploys-advanced-rat-via-legitimate-tools\/"},"modified":"2025-09-11T20:52:54","modified_gmt":"2025-09-11T20:52:54","slug":"fileless-malware-deploys-advanced-rat-via-legitimate-tools","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/11\/fileless-malware-deploys-advanced-rat-via-legitimate-tools\/","title":{"rendered":"Fileless Malware Deploys Advanced RAT via Legitimate Tools"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A sophisticated fileless malware campaign exploiting legitimate system tools has been uncovered by cybersecurity researchers.<\/p>\n<p>The attack bypasses traditional disk-based detection by executing malicious code entirely in memory, making it difficult to detect, analyze or remove.<\/p>\n<p>Investigators found the operation ultimately delivered AsyncRAT, a powerful remote access Trojan (RAT), through a multi-stage fileless loader.<\/p>\n<h2>Initial Access via Compromised Remote Tool<\/h2>\n<p>According to an advisory published by LevelBlue on Wednesday, the breach began with a compromised ScreenConnect client \u2013 a widely used remote access platform.<\/p>\n<p>Threat actors established an interactive session via the domain relay.shipperzone[.]online, linked to unauthorized ScreenConnect deployments. During this session, a VBScript called Update.vbs, executed through WScript, triggered a PowerShell command to download two payloads.<\/p>\n<p>The files, logs.ldk and logs.ldr, were saved to the C:\\Users\\Public directory but never written as executables on disk. They were loaded directly into memory using reflection.<\/p>\n<p>The first payload was converted into a byte array, while the second was executed directly. 
The script retrieved encoded data from the web, decoded it in memory and invoked a .NET assembly to run the attack \u2013\u00a0a hallmark of fileless malware.<\/p>\n<h2>The AsyncRAT Infection Chain<\/h2>\n<p>A first-stage .NET assembly, Obfuscator.dll, acts as a launcher for the AsyncRAT infection chain.<\/p>\n<p>The LevelBlue analysis revealed three core classes:<\/p>\n<ul>\n<li>\n<p>Class A, which initializes the runtime environment<\/p>\n<\/li>\n<li>\n<p>Class Core, which establishes persistence through a scheduled task disguised as \u201cSkype Updater\u201d\u00a0and loads additional payloads<\/p>\n<\/li>\n<li>\n<p>Class Tafce5, which disables Windows security logging, patches script scanning and resolves APIs dynamically<\/p>\n<\/li>\n<\/ul>\n<p>The modular design allowed\u00a0the malware to evade detection while preparing the system for the RAT payload.<\/p>\n<p>Meanwhile, AsyncClient.exe functions as the command-and-control (C2) engine. 
It maintains persistent access, performs system reconnaissance and executes attacker-supplied commands.<\/p>\n<p>Key capabilities include:<\/p>\n<ul>\n<li>\n<p>AES-256 decryption of embedded settings, including C2 domains like 3osch20[.]duckdns[.]org, infection flags and target directories such as %AppData%<\/p>\n<\/li>\n<li>\n<p>TCP-based communication with custom packet protocols for command dispatch<\/p>\n<\/li>\n<li>\n<p>Data exfiltration, including operating system details, privilege levels, antivirus status, active window titles and browser extensions such as MetaMask and Phantom<\/p>\n<\/li>\n<li>\n<p>Keylogging with context capture, ensuring persistence through scheduled tasks<\/p>\n<\/li>\n<\/ul>\n<p>\u201cBy breaking down key elements, we can understand how the malware maintains persistence, dynamically loads payloads, and exfiltrates sensitive data like credentials, clipboard contents and browser artifacts,\u201d\u00a0reads the advisory.<\/p>\n<p>\u201cThese findings enable the creation of targeted detection signatures and support endpoint hardening based on observed behaviors.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated fileless malware campaign exploiting legitimate system tools has been uncovered by cybersecurity researchers. The attack bypasses traditional disk-based detection by executing malicious code entirely in memory, making it difficult to detect, analyze or remove. Investigators found the operation ultimately delivered AsyncRAT, a powerful remote access Trojan (RAT), through a multi-stage fileless loader. 
Initial<\/p>\n","protected":false},"author":2,"featured_media":2775,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2774","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2774-2a0ba613-083c-4cea-b9fb-67e62a3d48c4-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" 
rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2774","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2774"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2774\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2775"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2774"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}