
AsyncRAT "PhishingRAT" Variant: Vietnamese Operator Leaks Full Dev Path While Building a Sandbox Confusion Engine That Floods Analysts With Fake Exploits

Published March 12, 2026

TL;DR: A 38KB .NET binary recovered from MalwareBazaar on March 9, 2026 is a modified AsyncRAT variant dubbed "PhishingRAT" with live C2 infrastructure at alam[.]it[.]com behind Cloudflare. The operator left a Vietnamese-language PDB path in a Debug build, leaking their project directory structure and revealing this is at least the third iteration of their tooling. The variant's standout feature is a sandbox confusion engine that, when it detects analysis environments, floods behavioral reports with fake SQLi payloads, fake credential submissions, simulated port scans, and bogus ransomware activity -- burying the real C2 traffic in noise. The C2 domain was registered 8 days before analysis and has zero hits on any public threat intelligence feed. This is the first public disclosure.


A Debug Build With Everything Left In

This investigation started with a MalwareBazaar submission: a 38,912-byte PE32 .NET assembly that immediately revealed itself as something worth pulling apart. The binary is a Debug build -- not a Release build -- meaning it shipped with full PDB path information, debug strings, and developer-readable error messages still intact.

Property         Value
SHA-256          654eb29dae0b3c0f992bd324f787628ab97557d875db96f16f7b60590847b02f
MD5              cdc7b418e431365b895f221a9765e4d1
SHA-1            31b2d69e6919580c0c8c4e4ea5e63fb5d9b6694c
File Type        PE32 executable (GUI) Intel 80386 Mono/.Net assembly
File Size        38,912 bytes (38 KB)
Internal Name    PhishingRAT.exe
.NET Framework   4.8 (CLR v4.0.30319)
PE Timestamp     2070-09-02 13:14:23 UTC (forged -- future date)
Build Config     Debug

The PDB path is where the OPSEC failures begin:

D:\Cong Viec\malware\AsyncRAT-C-Sharp\malware chuan 3\AsyncRAT-C-Sharp-master\AsyncRAT-C#\Client\obj\Debug\PhishingRAT.pdb

"Cong Viec" is Vietnamese for "Work." "Malware chuan 3" translates to "malware standard 3" or "malware correct version 3." The operator built this from the public AsyncRAT-C-Sharp-master GitHub repository, working from a Vietnamese-language project directory on their D: drive, and this is at least their third revision. They left every breadcrumb a threat analyst could ask for.

Extracted Configuration: The Full C2 Blueprint

AsyncRAT stores its configuration as Base64-encoded strings in the .NET assembly. Every field extracted cleanly:

Field                Value
C2 Host              alam[.]it[.]com
C2 Port              443
Version              0.5.7B
Install Path         %AppData%\AsyncRAT.exe
AES Key              MySuperSecretKey2026!@#456
Mutex                Global\]unique_rat_2026
Campaign Group       TestVT
Pastebin Fallback    null (disabled)
Server Cert Hash 1   4AC7E1292E6A56365EE0CA35FFD26F651CCEB7ACD1B127156C4DF0187E5CDB58
Server Cert Hash 2   1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B

The campaign group name "TestVT" is a blunt admission: the operator is actively testing detection rates against VirusTotal. The AES key -- MySuperSecretKey2026!@#456 -- is a human-memorable string, not a cryptographically random key. These are the hallmarks of a developer in the testing phase, not a production deployment.
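The config fields above were recovered because this build stores them as plain Base64; the $cfg1 and $cfg2 strings in the YARA rule further down are exactly the Base64 forms of the AES key and the mutex. The following Go program, added here as an illustration and not part of the report or of any AsyncRAT tooling, shows the extraction step in miniature: it scans a byte blob for Base64 runs in both ASCII and UTF-16LE (the encoding .NET uses for its user-string heap), keeps the runs that decode to printable text, and also produces the Base64 form of a known value for use as a YARA string. The blob it scans is constructed for the example, not the real binary; the 12-character minimum run length is an arbitrary noise threshold.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
)

// Base64 runs in ASCII and in UTF-16LE ("wide"). .NET user strings live in the #US heap as
// UTF-16, so an extractor that only scans ASCII misses most of a managed binary's config.
var (
	asciiB64 = regexp.MustCompile(`[A-Za-z0-9+/]{12,}={0,2}`)
	wideB64  = regexp.MustCompile(`(?:[A-Za-z0-9+/]\x00){12,}(?:=\x00){0,2}`)
)

// ConfigCandidate is a Base64 run whose decoding looks like text.
type ConfigCandidate struct {
	Encoded string // as found (zero bytes stripped for wide matches); the form a YARA string needs
	Decoded string
	Wide    bool
}

// ExtractConfigCandidates scans raw bytes for Base64 runs and keeps those that decode to
// printable text. Hex digests and random tokens also match the regex but decode to binary
// noise, so the printable filter removes most false positives.
func ExtractConfigCandidates(data []byte) []ConfigCandidate {
	var out []ConfigCandidate
	for _, m := range asciiB64.FindAll(data, -1) {
		if c, ok := tryDecode(string(m), false); ok {
			out = append(out, c)
		}
	}
	for _, m := range wideB64.FindAll(data, -1) {
		narrow := make([]byte, 0, len(m)/2)
		for i := 0; i < len(m); i += 2 { // drop the interleaved zero bytes
			narrow = append(narrow, m[i])
		}
		if c, ok := tryDecode(string(narrow), true); ok {
			out = append(out, c)
		}
	}
	return out
}

func tryDecode(enc string, wide bool) (ConfigCandidate, bool) {
	dec, err := base64.StdEncoding.DecodeString(enc)
	if err != nil || !printableASCII(dec) {
		return ConfigCandidate{}, false
	}
	return ConfigCandidate{Encoded: enc, Decoded: string(dec), Wide: wide}, true
}

func printableASCII(b []byte) bool {
	if len(b) == 0 {
		return false
	}
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return true
}

// YaraString returns the Base64 form of a known config value, which is how the $cfg1/$cfg2
// strings in the report's YARA rule were produced.
func YaraString(value string) string {
	return base64.StdEncoding.EncodeToString([]byte(value))
}

// SampleBlob is a constructed byte blob, not the real binary: the AES key as an ASCII string,
// the mutex as a wide string, plus a hex digest and zero padding as noise.
func SampleBlob() []byte {
	blob := []byte("\x00\x00junk TXlTdXBlclNlY3JldEtleTIwMjYhQCM0NTY= \x00654eb29dae0b3c0f992bd324f787628a\x00\x00")
	for _, r := range "R2xvYmFsXF11bmlxdWVfcmF0XzIwMjY=" {
		blob = append(blob, byte(r), 0)
	}
	return blob
}

func main() {
	for _, c := range ExtractConfigCandidates(SampleBlob()) {
		fmt.Printf("wide=%-5v %-40s -> %q\n", c.Wide, c.Encoded, c.Decoded)
	}
}
```

On the real sample the same scan would also surface the other fields in the table; stock AsyncRAT encrypts every setting except the key with AES before Base64-encoding it, so on a stock build only the key decodes to text and the remaining runs need the decryption routine described in the next section.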

Encryption Stack

The C2 communication uses a multi-layer encryption scheme inherited from stock AsyncRAT:

  1. PBKDF2 key derivation via Rfc2898DeriveBytes using the plaintext AES key and a salt
  2. AES-256-CBC with PKCS7 padding for payload encryption
  3. HMAC-SHA256 for message authentication
  4. TLS 1.3 transport via SslStream.AuthenticateAsClient()
  5. X509 certificate pinning against the stored server signature hash
  6. MessagePack binary serialization for structured C2 messages

The 26-character key combined with PBKDF2 derivation produces the 256-bit encryption key. Anyone with the extracted key and salt can decrypt captured C2 traffic.
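To make the decryption claim concrete, the Go program below (an added example, not code from the report or from the AsyncRAT project) reimplements the stock AsyncRAT message framing with the extracted key: PBKDF2-HMAC-SHA256 over the master key yields 32 bytes of AES key followed by 64 bytes of HMAC key, each message is HMAC-SHA256 (32 bytes) || IV (16 bytes) || AES-256-CBC/PKCS7 ciphertext, and the HMAC covers IV and ciphertext. The salt bytes and the 50,000 iteration count are those of stock AsyncRAT's Aes256 class and are assumptions here, since the report does not state whether this variant changed them; the message it decrypts is constructed in the program, not captured traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Master key recovered from the PhishingRAT config (configuration table above).
const masterKey = "MySuperSecretKey2026!@#456"

// Salt and iteration count of stock AsyncRAT's Aes256 class; the report does not say whether
// this variant changed them, so both are assumptions here.
var asyncRatSalt = []byte{
	0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
}
const pbkdf2Iterations = 50000

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), the algorithm behind Rfc2898DeriveBytes.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, block)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveKeys mirrors the stock client: GetBytes(32) for AES, then GetBytes(64) for HMAC.
func DeriveKeys(master string) (aesKey, authKey []byte) {
	stream := pbkdf2SHA256([]byte(master), asyncRatSalt, pbkdf2Iterations, 96)
	return stream[:32], stream[32:96]
}

// Encrypt builds a stock-layout frame: HMAC-SHA256(IV||CT) (32) || IV (16) || AES-256-CBC CT.
func Encrypt(master string, plaintext []byte) ([]byte, error) {
	aesKey, authKey := DeriveKeys(master)
	block, _ := aes.NewCipher(aesKey) // key is always 32 bytes, so NewCipher cannot fail
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS7: always at least one byte
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	return append(mac.Sum(nil), body...), nil
}

// Decrypt verifies the HMAC before decrypting, as the client does: a wrong key or a modified frame is rejected.
func Decrypt(master string, frame []byte) ([]byte, error) {
	aesKey, authKey := DeriveKeys(master)
	if len(frame) < 32+2*aes.BlockSize || (len(frame)-32)%aes.BlockSize != 0 {
		return nil, errors.New("frame length is not HMAC||IV||blocks")
	}
	tag, body := frame[:32], frame[32:]
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("HMAC mismatch: wrong key or tampered frame")
	}
	block, _ := aes.NewCipher(aesKey)
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	padLen := int(pt[len(pt)-1])
	if padLen == 0 || padLen > aes.BlockSize || !bytes.Equal(pt[len(pt)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return nil, errors.New("bad PKCS7 padding")
	}
	return pt[:len(pt)-padLen], nil
}

func main() {
	frame, _ := Encrypt(masterKey, []byte(`{"Packet":"Ping","Message":"constructed sample"}`)) // constructed, not captured
	pt, err := Decrypt(masterKey, frame)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	frame[40] ^= 0x01 // flip one IV bit: the HMAC check must now reject the frame
	_, err = Decrypt(masterKey, frame)
	fmt.Println("tampered frame:", err)
}
```

Pointing Decrypt at frames carved from a capture of the TLS-decrypted stream (the MessagePack payload sits inside the plaintext) is the practical use; the HMAC check is also a cheap way to confirm that a sample really uses this key and salt before spending time on its traffic.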

The Sandbox Confusion Engine

This is the variant's most interesting capability and the reason it deserves a closer look. Standard AsyncRAT variants detect sandboxes and exit silently. PhishingRAT does the opposite -- when it detects an analysis environment, it detonates a noise generator designed to poison the behavioral report.

The detection checks are standard fare:

Technique               Implementation
VirtualBox detection    Checks for VBoxGuest.sys, VBoxSF.sys drivers
VMware detection        Checks for Vmmouse.sys, vmhgfs.sys drivers, vmtoolsd process
Sandboxie detection     Checks for SbieDll.dll loaded
Debugger detection      CheckRemoteDebuggerPresent API
WMI VM check            Queries Win32_ComputerSystem for "VIRTUAL" in Manufacturer/Model
Small disk detection    Checks total disk size
Process name scan       Enumerates running processes for known sandbox tools

But the response to detection is anything but standard. When the sandbox flag trips, PhishingRAT launches a barrage of fake malicious activity:

  • HTTP flood: rapid requests to the C2 domain with flood paths such as /flood, /probe?port=, /malware.exe, /crypto_miner.exe
  • Fake credential submissions: POSTs fabricated credentials (test@gmail.com / password123!) to authentication endpoints -- /signin, /account, /wallet_login, /bank_auth
  • Fake credit card exfiltration: submits test card number 4111111111111111 with CVV 123
  • SQL injection simulation: sends ' OR '1'='1 payloads
  • XSS simulation: sends <script>alert(document.cookie)</script> payloads
  • Command injection simulation: sends ; whoami & net user hacker P@ssw0rd /add
  • C2 beacon simulation: generates structured fake beacon traffic with bid/session parameters
  • Port scan simulation: sends probe requests across multiple ports
  • Fake keylogger output: writes Fake keystrokes: username=admin password=123456 to C:\Temp\keylog.txt
  • Ransomware simulation: generates fake encryption activity using key ransomkey1234567890123456789012

The strategic logic is sound: a sandbox report for this binary will flag SQL injection, credential theft, ransomware activity, port scanning, XSS, command injection, DDoS flooding, and keylogging. All of it is fake. The actual AsyncRAT C2 communication -- the only real threat -- gets buried under dozens of flagged behaviors that analysts must now triage individually. For automated sandboxes that produce summary verdicts, the signal-to-noise ratio collapses.

Beyond Standard AsyncRAT: Additional Capabilities

DDoS / HTTP Flood

PhishingRAT includes a functional HTTP flood capability using a spoofed Chrome 128 User-Agent:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

This is not simulation code -- it can be directed at arbitrary targets. Adding DDoS capability to a RAT extends the operator's monetization options: infected machines become both data sources and attack infrastructure.

Enhanced Persistence

The persistence mechanisms go well beyond the standard AsyncRAT registry key:

Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Task:     "WindowsUpdate" — runs at logon as SYSTEM
Task:     "CryptoMiner" — runs every minute, downloads PowerShell payload from C2
Process:  RtlSetProcessIsCritical — marks process as system-critical (BSOD on termination)
Defender: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1

The RtlSetProcessIsCritical call is particularly aggressive: terminating the process triggers a Blue Screen of Death. Combined with the "CryptoMiner" scheduled task that runs every minute and pulls fresh PowerShell from the C2, the operator has built a persistent, self-healing foothold that resists manual removal.

Infrastructure: Freshly Registered, Cloudflare-Fronted, Zero Intel Coverage

Network Infrastructure

Property        Value                          Status
C2 Domain       alam[.]it[.]com                LIVE
IPv4 #1         104.21.47.70 (Cloudflare)      LIVE
IPv4 #2         172.67.170.164 (Cloudflare)    LIVE
C2 Port         443 (HTTPS/TLS 1.3)            LIVE
CDN             Cloudflare (AS13335)           Active
HTTP Response   403 Forbidden (WAF)            Blocking direct web requests

Domain Registration

Property        Value
Domain          alam[.]it[.]com
TLD             .it.com (third-level via it.com registry)
Registrar       Spaceship, Inc. (IANA ID 3862)
Registration    2026-03-01 02:53:45 UTC
Last Updated    2026-03-04 03:27:28 UTC
Registrant      Private Person (WHOIS privacy)
Nameservers     mona.ns.cloudflare.com, ruben.ns.cloudflare.com
DNSSEC          Unsigned

The .it.com TLD is a deliberate choice. It is a third-level domain sold by the it.com registry -- unusual enough to avoid common domain reputation blacklists while appearing legitimate at first glance. The WHOIS privacy service, Cloudflare CDN fronting, and 403 response to direct requests create a clean operational profile.

Certificate Timeline

Certificate Transparency logs reveal an interesting history:

2025-01-24  First certificate issued (domain active under previous operator or purpose)
2025-01-24  ...continuous Let's Encrypt renewals every ~2 months...
2025-11-28  Added www subdomain to certificate
2026-03-01  Domain registered/renewed at Spaceship, Inc.
2026-03-04  Cloudflare nameservers configured
2026-03-04  Three new certificates issued — including first-ever WILDCARD (*.alam[.]it[.]com)
2026-03-04  Cloudflare proxy activated
2026-03-09  Sample appeared on MalwareBazaar
2026-03-09  THIS ANALYSIS

The March 4 pivot is significant: the operator moved the domain behind Cloudflare and simultaneously obtained a wildcard certificate for *.alam[.]it[.]com. Wildcard certificates enable subdomain-based infrastructure scaling without additional certificate issuance. This suggests the operator plans to expand beyond a single C2 endpoint -- possibly staging different campaign phases on different subdomains.

Threat Actor Assessment

Attribution

  • Confidence: MEDIUM
  • Region: Vietnam
  • Motivation: Financial (cybercrime)
  • Sophistication: Intermediate

Evidence Chain

  1. PDB path language: "Cong Viec" = Vietnamese for "Work"
  2. PDB path language: "malware chuan 3" = Vietnamese for "malware standard/correct version 3"
  3. Regional context: Vietnamese threat actors have documented history deploying AsyncRAT and commodity RATs targeting financial data across Asia
  4. Domain choice: "alam" means "nature/world" in Malay/Indonesian, languages in the Southeast Asian region
  5. Registration timing: Domain registered at 02:53 UTC, consistent with GMT+7 (9:53 AM in Vietnam)

OPSEC Failures (Comprehensive)

The operator made at least 8 distinct operational security mistakes:

  1. Full PDB path with Vietnamese language -- directly reveals nationality, project structure, and iteration count
  2. Debug build shipped -- includes symbols, debug strings, and additional metadata
  3. Hardcoded test credentials -- test@gmail.com / password123! in sandbox confusion code
  4. Verbose debug strings -- [DEBUG] InitializeSettings called - Using plaintext config left in binary
  5. Weak AES key -- MySuperSecretKey2026!@#456 is a memorizable password, not a random key
  6. Campaign group name -- "TestVT" explicitly reveals VirusTotal testing workflow
  7. Forged PE timestamp -- set to 2070, obviously fake, draws attention instead of blending in
  8. Sequential versioning -- "malware chuan 3" confirms at least two prior versions exist

MITRE ATT&CK Mapping

Tactic               Technique                           ID         Implementation
Execution            Command and Scripting Interpreter   T1059.003  cmd.exe /c for persistence scripts
Persistence          Registry Run Keys                   T1547.001  HKCU\...\Run\WindowsUpdate
Persistence          Scheduled Task/Job                  T1053.005  "WindowsUpdate" (logon) + "CryptoMiner" (1-min)
Defense Evasion      Virtualization/Sandbox Evasion      T1497      VM drivers, debugger, WMI, process checks
Defense Evasion      Impair Defenses                     T1562.001  Disables Defender via DisableAntiSpyware
Defense Evasion      Obfuscated Files or Information     T1027      Base64-encoded config, reversed registry strings
Discovery            System Information Discovery        T1082      OS, hardware, AV, admin status, HWID
Collection           Screen Capture                      T1113      System.Drawing screenshot capability
Collection           Keylogging                          T1056.001  GetForegroundWindow/GetWindowText monitoring
Command and Control  Web Protocols                       T1071.001  HTTPS port 443 through Cloudflare CDN
Command and Control  Encrypted Channel                   T1573.002  AES-256/PBKDF2 + X509 + HMAC over TLS 1.3
Command and Control  Data Encoding                       T1132.001  MessagePack binary serialization
Impact               Network Denial of Service           T1498.001  HTTP flood/DDoS against arbitrary targets

Indicators of Compromise

Network Indicators

# C2 Domain
alam[.]it[.]com

# Cloudflare Proxy IPs (shared infrastructure -- block the domain, not the IPs)
104[.]21[.]47[.]70
172[.]67[.]170[.]164

# IPv6
2606:4700:3034::6815:2f46
2606:4700:3037::ac43:aaa4

File Indicators

SHA256: 654eb29dae0b3c0f992bd324f787628ab97557d875db96f16f7b60590847b02f
MD5:    cdc7b418e431365b895f221a9765e4d1
SHA1:   31b2d69e6919580c0c8c4e4ea5e63fb5d9b6694c

Host-Based Indicators

# Mutex
Global\]unique_rat_2026

# Install path
%AppData%\AsyncRAT.exe

# Registry persistence
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

# Defender disabling
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1

# Scheduled tasks
WindowsUpdate  (logon trigger, SYSTEM)
CryptoMiner    (1-minute interval, downloads PowerShell from C2)

# AES key (for C2 traffic decryption)
MySuperSecretKey2026!@#456

# Server certificate hashes
4AC7E1292E6A56365EE0CA35FFD26F651CCEB7ACD1B127156C4DF0187E5CDB58
1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B

# PDB path (developer fingerprint)
D:\Cong Viec\malware\AsyncRAT-C-Sharp\malware chuan 3\AsyncRAT-C-Sharp-master\AsyncRAT-C#\Client\obj\Debug\PhishingRAT.pdb

Sandbox Confusion Artifacts

These paths will appear in sandbox behavioral reports but are fake indicators generated by the confusion engine -- do not treat them as real threats:

/flood
/probe?port=
/beacon?bid=
/malware.exe
/crypto_miner.exe
/ransom_payload.exe
/stealer.exe
/keylogger.log
/update/payload.bin
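The confusion engine described in "The Sandbox Confusion Engine" and the artifact list above lend themselves to a mechanical triage step: strip the documented decoys out of a sandbox's network report first, then look at what is left on the C2 host. The Go program below is an added example (not the report's or any sandbox vendor's code) that does exactly that over a constructed JSON-lines report; the event field names are an assumption, since each sandbox exports its own schema, and the decoy list is taken from this build and will need updating when the next iteration changes its strings.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// NetEvent is one network row of a sandbox behavioural report. The JSON shape is assumed
// for this example; real sandboxes export different field names.
type NetEvent struct {
	Method string `json:"method"`
	URL    string `json:"url"`
	Body   string `json:"body,omitempty"`
}

// Decoy request paths and payload fragments the confusion engine is documented to emit.
// They are specific to this build; expect the next iteration to change them.
var decoyPaths = []string{
	"/flood", "/probe?port=", "/beacon?bid=", "/malware.exe", "/crypto_miner.exe",
	"/ransom_payload.exe", "/stealer.exe", "/keylogger.log", "/update/payload.bin",
	"/signin", "/account", "/wallet_login", "/bank_auth",
}
var decoyPayloads = []string{
	"test@gmail.com", "4111111111111111", "' OR '1'='1",
	"<script>alert(document.cookie)</script>", "; whoami & net user hacker",
}

const c2Domain = "alam.it.com"

// Classify returns "decoy" for confusion-engine noise, "c2" for remaining traffic to the real
// C2 host, and "review" for anything else. Decoys are tested first because they are sent to
// the C2 domain too; what survives the filter on that host is the real channel.
func Classify(e NetEvent) string {
	u, err := url.Parse(e.URL)
	if err != nil {
		return "review"
	}
	target := u.RequestURI() // path plus query, e.g. /probe?port=22
	for _, p := range decoyPaths {
		if strings.HasPrefix(target, p) {
			return "decoy"
		}
	}
	for _, p := range decoyPayloads {
		if strings.Contains(e.Body, p) {
			return "decoy"
		}
	}
	if strings.EqualFold(u.Hostname(), c2Domain) {
		return "c2"
	}
	return "review"
}

// TriageReport reads JSON-lines events and buckets them by class.
func TriageReport(report string) (map[string][]NetEvent, error) {
	buckets := map[string][]NetEvent{}
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e NetEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		c := Classify(e)
		buckets[c] = append(buckets[c], e)
	}
	return buckets, sc.Err()
}

// Constructed sample report: six decoy rows, one real C2 connection, one unrelated request.
const sampleReport = `
{"method":"GET","url":"https://alam.it.com/flood"}
{"method":"GET","url":"https://alam.it.com/probe?port=22"}
{"method":"POST","url":"https://alam.it.com/signin","body":"user=test@gmail.com&pass=password123!"}
{"method":"POST","url":"https://alam.it.com/wallet_login","body":"card=4111111111111111&cvv=123"}
{"method":"POST","url":"https://alam.it.com/login","body":"user=' OR '1'='1"}
{"method":"GET","url":"https://alam.it.com/beacon?bid=7f3a&session=1"}
{"method":"CONNECT","url":"tls://alam.it.com:443"}
{"method":"GET","url":"http://example.net/time"}
`

func main() {
	buckets, err := TriageReport(sampleReport)
	if err != nil {
		panic(err)
	}
	for _, class := range []string{"decoy", "c2", "review"} {
		fmt.Printf("%-6s %d\n", class, len(buckets[class]))
		for _, e := range buckets[class] {
			fmt.Printf("       %s %s\n", e.Method, e.URL)
		}
	}
}
```

The raw TLS row is the one that matters: stock AsyncRAT speaks its own framed protocol over a TLS socket on port 443 rather than HTTP, so in a real report the genuine channel shows up as a bare TLS connection to the C2 host, not as a URL, and it is easy to overlook next to dozens of flagged HTTP requests.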

Detection Opportunities

YARA

rule AsyncRAT_PhishingRAT_Variant {
    meta:
        description = "Detects PhishingRAT - modified AsyncRAT with sandbox confusion and DDoS"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        sha256 = "654eb29dae0b3c0f992bd324f787628ab97557d875db96f16f7b60590847b02f"
    strings:
        $pdb = "PhishingRAT.pdb" ascii wide
        $cfg1 = "TXlTdXBlclNlY3JldEtleTIwMjYhQCM0NTY=" ascii wide
        $cfg2 = "R2xvYmFsXF11bmlxdWVfcmF0XzIwMjY=" ascii wide
        $cfg3 = "alam.it.com" ascii wide
        $cfg4 = "TestVT" ascii wide
        $phish1 = "[DEBUG] Sandbox detected - sending heavy suspicious traffic" ascii wide
        $phish2 = "[C2 BEACON] Starting beacon simulation" ascii wide
        $phish3 = "[DEBUG] Extreme persistence added" ascii wide
        $phish4 = "ransomkey1234567890123456789012" ascii wide
        $vn1 = "Cong Viec" ascii wide
        $vn2 = "malware chuan" ascii wide
        $hash1 = "4AC7E1292E6A56365EE0CA35FFD26F651CCEB7ACD1B127156C4DF0187E5CDB58" ascii wide
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and
        (
            ($pdb and any of ($cfg*)) or
            (2 of ($phish*)) or
            (any of ($vn*) and any of ($cfg*)) or
            $hash1
        )
}

rule AsyncRAT_PhishingRAT_Config {
    meta:
        description = "Detects AsyncRAT PhishingRAT by unique config strings"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
    strings:
        $s1 = "MySuperSecretKey2026" ascii wide
        $s2 = "unique_rat_2026" ascii wide
        $s3 = "PhishingRAT" ascii wide
        $s4 = "TestVT" ascii wide
        $s5 = "0.5.7B" ascii wide
    condition:
        uint16(0) == 0x5A4D and 2 of them
}

Suricata

# C2 Domain DNS Query
alert dns any any -> any any (msg:"ASYNCRAT PhishingRAT C2 DNS (alam.it.com)"; \
  dns.query; content:"alam.it.com"; nocase; \
  classtype:trojan-activity; sid:2026030901; rev:1;)

# C2 TLS SNI Match
alert tls any any -> any 443 (msg:"ASYNCRAT PhishingRAT C2 TLS SNI (alam.it.com)"; \
  tls.sni; content:"alam.it.com"; \
  classtype:trojan-activity; sid:2026030902; rev:1;)

# Sandbox Confusion - Fake Beacon Pattern
alert http any any -> any any (msg:"ASYNCRAT PhishingRAT Beacon Simulation"; \
  http.uri; content:"/beacon?bid="; \
  classtype:trojan-activity; sid:2026030903; rev:1;)

# Sandbox Confusion - Fake Credit Card Exfil
alert http any any -> any any (msg:"ASYNCRAT PhishingRAT Fake Card Submission"; \
  http.method; content:"POST"; http.request_body; content:"4111111111111111"; \
  classtype:trojan-activity; sid:2026030905; rev:1;)

# C2 Certificate Serial Match (tls.cert_serial is matched as upper-case, colon-separated bytes)
alert tls any any -> any 443 (msg:"ASYNCRAT PhishingRAT C2 TLS Cert Serial"; \
  tls.cert_serial; content:"06:6B:71:97:D9:D3:5A:9E:86:C6:27:B0:CD:3C:69:1D:BF:76"; \
  classtype:trojan-activity; sid:2026030909; rev:1;)

Hunting Queries

Endpoint (Sysmon / EDR):

  • Mutex creation: Global\]unique_rat_2026
  • Scheduled task named "CryptoMiner" with 1-minute interval running as SYSTEM
  • Scheduled task named "WindowsUpdate" with logon trigger pointing to a non-Microsoft binary
  • Registry write to DisableAntiSpyware under Windows Defender policies
  • Process AsyncRAT.exe running from %AppData%
  • File write to C:\Temp\keylog.txt (sandbox confusion artifact)

Network (DNS/Proxy logs):

  • Any DNS resolution of alam[.]it[.]com
  • TLS connections to port 443 with SNI alam[.]it[.]com
  • Monitor .it.com subdomains generally -- this is an unusual TLD often used to evade reputation systems

Threat Intelligence Pivots:

  • Monitor CT logs for new certificates on alam[.]it[.]com and *.alam[.]it[.]com -- the wildcard suggests subdomain expansion is planned
  • Track the Cloudflare NS pair mona / ruben for additional domains under the same account
  • Search for additional AsyncRAT samples with AES key containing 2026 or mutex pattern unique_rat
  • Watch for "malware chuan 4" -- the sequential naming convention implies the next version is coming

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. C2 infrastructure confirmed LIVE at time of analysis. Zero prior reporting on any public threat intelligence feed. Classification: TLP:CLEAR
