Severity: high | Category: Phishing

PhishingRAT: Inside a Vietnamese Operator's AsyncRAT Campaign With a Sandbox Pollution Engine That Fights Back

Published: March 12, 2026
Tags: phishing, asyncrat, social-engineering, cryptominer, c2, brute-force, ransomware, exploit, dga, malware-analysis

TL;DR: A Vietnamese-speaking threat actor is running an active AsyncRAT campaign using a custom fork called "PhishingRAT" that includes something we have not seen before in commodity RAT variants: a sandbox noise generator that, when it detects analysis environments, floods network captures with fake phishing POSTs, SQL injection attempts, simulated ransomware activity, fake credit card submissions, and crypto miner behavior -- all designed to drown real C2 indicators in a sea of false-positive detections. Between March 7-10, 2026, the operator submitted at least 12 unique samples across three payload themes (PhishingRAT, RobloxHack, Spotify) to MalwareBazaar, rotating through three Cloudflare-proxied C2 domains. The operator's PDB path -- left in a debug build -- contains Vietnamese directory names that translate to "Work" and "standard malware version 3," and the group name "TestVT" confirms active detection testing against VirusTotal. This is a mid-tier cybercriminal with a creative evasion module bolted onto otherwise sloppy operational security.


Twelve Samples in Three Days

This investigation began with a single MalwareBazaar upload: a 38KB .NET executable named PhishingRAT.exe, tagged as AsyncRAT, submitted on March 10, 2026 with a Vietnamese origin. AsyncRAT is one of the most prolific open-source RATs in the wild -- a .NET-based remote access trojan whose source code lives openly on GitHub, forked and modified by everyone from script kiddies to mid-tier cybercrime groups. Most analysts would scan the config, extract the C2, file the IOC, and move on.

But one sample is never the whole story. Pivoting on the extracted configuration values -- the mutex, the AES key, the C2 domain -- revealed eleven more samples uploaded over the previous 72 hours. Three different filenames. Three different C2 domains. Two distinct build variants. One operator iterating at a pace that suggests either active testing against detection engines or parallel distribution campaigns running simultaneously.

The volume alone is notable. Twelve samples in three days from a single operator means roughly four builds per day. Combined with the group name TestVT -- "Test VirusTotal" -- the picture becomes clear: this operator is compiling, uploading to VT, checking detections, tweaking, and recompiling in rapid cycles. The samples are not twelve different campaigns; they are twelve iterations of the same campaign being stress-tested against the security industry's most widely used scanner aggregator.

What Was Found vs. What Was Known

| Aspect | Prior Public Reporting | Our Findings |
|---|---|---|
| Sample count | 1 sample on MalwareBazaar | 12+ samples across 3 payload themes |
| C2 infrastructure | Unknown | 3 domains mapped: datadreamers, sc88, indotech |
| Attribution | Anonymous MalwareBazaar submission | HIGH confidence Vietnamese-speaking operator |
| Anti-analysis | Standard AsyncRAT VM checks | Custom sandbox noise generation module (10 categories of fake traffic) |
| Build variants | Single sample analyzed | 2 distinct builds: plaintext config (38KB) vs. encrypted config (46KB) |
| Server certificate | Unknown | Extracted and decoded from encrypted variant (generated Mar 4, 2026) |
| Operator OPSEC | Not assessed | 8 distinct failures catalogued |

The gap between what a single-sample analysis reveals and what a campaign-level investigation uncovers is the entire point of threat intelligence. One sample gives you an IOC. Twelve samples give you an operator profile.

The Attack Chain

[Delivery]            [Execution]           [Persistence]          [C2]                [Actions]
PhishingRAT.exe  ---> .NET Runtime     ---> Registry Run Key  ---> datadreamers   ---> Keylogging
RobloxHack.exe        (asInvoker UAC)       "WindowsUpdate"       .in.net             Data Exfil
Spotify.exe                                 Schtask:               sc88.now            Remote Control
                                            "WindowsUpdate"        indotech.it.com     Plugin Execution
                                            Schtask:                                   Defender Disable
                                            "CryptoMiner"
                                                |
                                                v
                                     [If Sandbox Detected]
                                     Noise Generator activates:
                                     - Fake phishing POSTs
                                     - SQL injection traffic
                                     - Simulated ransomware
                                     - Fake credit card submissions
                                     - Crypto miner behavior
                                     - Port scanning simulation
                                     --> Flood PCAP with false positives

The delivery mechanism is social engineering -- the filenames tell you that much. RobloxHack.exe targets younger users looking for game exploits. Spotify.exe masquerades as a legitimate application. PhishingRAT.exe is the operator's internal name, likely never intended for victim-facing distribution. Three lure themes, same payload, different audiences.

Malware Analysis: Two Builds, One Family

Build 1: PhishingRAT (Plaintext Config)

The primary variant is lean. At 38,912 bytes (38KB), this is a stripped-down AsyncRAT client with minimal obfuscation -- the configuration sits in plaintext .NET metadata, readable without even decompiling the binary.

| Attribute | Value |
|---|---|
| SHA-256 | 61b1bf909875d0ae463f2f5351e2b5f2c969abe95150a805d73a96dcbb651379 |
| MD5 | 3c7fc20755929c8cde6b41da7767214f |
| SHA-1 | 9c66b95178c80f888f0e201352f5e03e440eb168 |
| Imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (the generic imphash of managed .NET executables, which import only mscoree.dll!_CorExeMain; not specific to this sample) |
| Size | 38,912 bytes |
| First seen | 2026-03-10 |
| SSDEEP | 384:X7DC9cMCcE84mr1H2bnTn8QHmp2M7739393bayse6QxnC7O+WRl3uuhGfrNP7UUq:XnCIcE8r1WbTpwFRbJpB+WWP7L/1Xj+ |

The extracted configuration reads like a tutorial example:

| Config field | Value |
|---|---|
| C2 host | datadreamers[.]in[.]net |
| C2 ports | 443, 80 |
| Version | 0.5.7B |
| AES key | MySuperSecretKey2026!@#456 |
| Mutex | Global\]unique_rat_2026 |
| Install folder | %AppData% |
| Install file | AsyncRAT.exe |
| Group | TestVT |
| Anti-analysis | false |
| HWID method | SHA256 |
| Pastebin | null |

That AES key -- MySuperSecretKey2026!@#456 -- is the kind of thing that makes reverse engineers smile. Year-based, predictable, and literally contains the words "My Super Secret Key." The mutex is equally distinctive: Global\]unique_rat_2026 contains a stray bracket that makes it trivially searchable across endpoint telemetry. And the group name TestVT removes any ambiguity about what the operator is doing with these builds.

Seven samples share this configuration, all pointing to datadreamers[.]in[.]net as their C2. Two earlier samples (March 7) use sc88[.]now instead, suggesting the operator migrated C2 domains between the v1 and v2 builds.
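The "readable without decompiling" claim above is easy to turn into a first-pass extractor. The Go program below is an added example (not the report's tooling and not AsyncRAT code): it scans a byte buffer for UTF-16LE runs the way `strings -el` does, then sorts what it finds into config fields by the shape of each value. The buffer is constructed here to imitate a .NET #US heap holding the values from the config table; the field names and the shape heuristics are assumptions of this example, and any hostname-looking string still has to be confirmed against its position in the real config before it is treated as C2.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// utf16leStrings extracts printable UTF-16LE runs of at least minLen code
// units, like `strings -el`. In the .NET #US heap each user string carries a
// compressed length prefix (1 byte for up to 63 code units, 2 bytes beyond)
// and a trailing flag byte, so text can sit at either byte parity; both are scanned.
func utf16leStrings(buf []byte, minLen int) []string {
	var out []string
	for phase := 0; phase < 2; phase++ {
		var run []uint16
		flush := func() {
			if len(run) >= minLen {
				out = append(out, string(utf16.Decode(run)))
			}
			run = run[:0]
		}
		for i := phase; i+1 < len(buf); i += 2 {
			u := uint16(buf[i]) | uint16(buf[i+1])<<8
			if u >= 0x20 && u < 0x7f { // printable ASCII is enough for config fields
				run = append(run, u)
			} else {
				flush()
			}
		}
		flush()
	}
	return out
}

var (
	hostRe    = regexp.MustCompile(`^([a-z0-9-]+\.)+[a-z]{2,}$`)
	portsRe   = regexp.MustCompile(`^\d{1,5}(,\d{1,5})*$`)
	versionRe = regexp.MustCompile(`^\d+\.\d+\.\d+[A-Za-z]?$`)
)

// classifyConfig buckets strings into AsyncRAT config fields by value shape.
// Field names are this example's own. Order matters: an install file such as
// AsyncRAT.exe would otherwise match the hostname pattern. Unmatched strings
// are kept under "other" so the key and group name are not silently dropped.
func classifyConfig(strs []string) map[string][]string {
	cfg := map[string][]string{}
	for _, s := range strs {
		lower := strings.ToLower(s)
		switch {
		case strings.HasPrefix(s, `Global\`):
			cfg["mutex"] = append(cfg["mutex"], s)
		case strings.HasPrefix(s, "%") && strings.HasSuffix(s, "%"):
			cfg["install_folder"] = append(cfg["install_folder"], s)
		case strings.HasSuffix(lower, ".exe"):
			cfg["install_file"] = append(cfg["install_file"], s)
		case versionRe.MatchString(s):
			cfg["version"] = append(cfg["version"], s)
		case portsRe.MatchString(s):
			cfg["c2_ports"] = append(cfg["c2_ports"], s)
		case hostRe.MatchString(lower):
			cfg["c2_host"] = append(cfg["c2_host"], s)
		default:
			cfg["other"] = append(cfg["other"], s)
		}
	}
	return cfg
}

// buildSampleHeap is a constructed stand-in for a #US heap: each entry is a
// one-byte compressed length (2*codeUnits + 1 flag byte), the UTF-16LE text,
// then the flag byte. Values are the ones in the report's config table.
func buildSampleHeap(values []string) []byte {
	heap := []byte{0x00} // the real heap begins with an empty string
	for _, v := range values {
		enc := utf16.Encode([]rune(v))
		heap = append(heap, byte(len(enc)*2+1)) // all sample values are short
		for _, u := range enc {
			heap = append(heap, byte(u), byte(u>>8))
		}
		heap = append(heap, 0x00)
	}
	return heap
}

func main() {
	heap := buildSampleHeap([]string{
		"datadreamers.in.net", "443,80", "0.5.7B", "MySuperSecretKey2026!@#456",
		`Global\]unique_rat_2026`, "%AppData%", "AsyncRAT.exe", "TestVT",
	})
	for field, vals := range classifyConfig(utf16leStrings(heap, 4)) {
		fmt.Printf("%-15s %v\n", field, vals)
	}
}
```

On a real sample the "other" bucket is large (every user string in the assembly lands there), which is exactly where the plaintext key, the group name and the noise module's decoy strings turn up; the shaped fields are the pivot set, the rest is what you grep.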

Build 2: RobloxHack/Spotify (Encrypted Config)

The second variant is larger (46,592 bytes) and more mature. Instead of plaintext configuration, it uses AES-256-CBC encryption with the standard AsyncRAT salt value -- the same cryptographic approach used by the upstream AsyncRAT builder.

| Config field | Value |
|---|---|
| C2 host | indotech[.]it[.]com (decrypted from AES-256-CBC) |
| AES key | CxVWP9G0j5VCsJt2HEORLA1CblHvt9Wt |
| Salt | Standard AsyncRAT (bfeb1e56fbcd973bb219...) |
| Install file | RobloxHack.exe |
| Server certificate | CN=AsyncRAT Server, generated 2026-03-04, 4096-bit RSA, SHA-512 |

The server certificate is significant. It was generated on March 4, 2026 -- three days before the first samples appeared on MalwareBazaar. This gives us the operator's infrastructure setup timeline: certificate generated March 4, first samples compiled and tested March 7, campaign iterations continuing through March 10. The certificate uses a 4096-bit RSA key with SHA-512 signature and an expiration date of 9999-12-31 -- the AsyncRAT default, which every sample using the standard builder inherits.

The Spotify.exe variant shares the same 46KB file size and build characteristics as RobloxHack.exe, but its C2 configuration could not be extracted -- either the master key differs or the config is corrupted. Both Spotify samples appeared on March 7 alongside the RobloxHack variant.

The Sandbox Noise Generator: When Malware Fights the Analysts

This is the finding that elevates this campaign from "yet another AsyncRAT fork" to something worth writing about.

Standard AsyncRAT includes basic sandbox detection: check for VMware drivers, VirtualBox Guest Additions, Sandboxie's SbieDll.dll, and WMI manufacturer strings. When a sandbox is detected, the typical response is to exit silently or sleep indefinitely. The goal is to appear benign -- to make the sandbox report say "no malicious behavior observed."

PhishingRAT takes the opposite approach. When it detects a sandbox, it does not hide. It attacks the analysis process itself.

Instead of going quiet, the malware activates a noise generator that floods the network with ten categories of deliberately suspicious traffic:

1. Web vulnerability scanning: Requests to /.env, /wp-login.php, /adminer.php, /phpmyadmin, /server-status -- the exact paths that web application scanners probe. Any sandbox that flags "suspicious URL patterns" will now have dozens of hits to triage, none of them real.

2. Malware download simulation: HTTP requests for /malware.exe, /payload.dll, /crypto_miner.exe, /stealer.exe. These are designed to trigger download-based detection signatures.

3. Phishing POST simulation: Login form submissions with fake credentials (test@gmail[.]com / password123!). Sandbox analysis that flags credential submission behavior will flag these instead of the real C2 traffic.

4. Fake credit card exfiltration: Submits card number 4111111111111111 (the standard Visa test card) with CVV 123. Financial data exfiltration is a high-priority detection category, and flooding it with known test values pollutes the signal.

5. Exploit simulation: SQL injection payloads, XSS attempts, command injection strings. These are crafted to trigger IDS/IPS signatures for web application attacks.

6. C2 beacon simulation: POST requests to /beacon?bid={hwid} with fake exfiltration data. This mimics standard C2 beacon patterns, creating noise that is indistinguishable from real beacon traffic in automated analysis.

7. Port scanning simulation: High-volume probes across multiple ports. This triggers network scanning detection rules and adds volume to PCAP files.

8. Fake persistence: Downloads a fake payload binary, creates a scheduled task named CryptoMiner (set to run every minute with powershell miner.ps1), and attempts to disable Windows Defender via registry modification. These are real system modifications, but they serve the noise generator rather than the actual RAT functionality.

9. Fake keylogger output: Writes C:\Temp\keylog.txt with fabricated credential data. Sandbox file-system monitoring will flag this as keylogger behavior.

10. Fake ransomware activity: Simulates file encryption with a hardcoded key. This is the nuclear option in noise generation -- ransomware detection is the highest-priority alert category in most sandbox systems.

A debug string found in the binary confirms the intent: [DNS FORCE] Resolving host to trigger DNS query in PCAP. The operator is explicitly aware that sandbox analysis relies on PCAP inspection, and the noise generator is purpose-built to make those PCAPs unusable.

Why This Matters

The conventional wisdom in sandbox evasion is stealth: detect the sandbox, go quiet, look clean. PhishingRAT inverts this completely. Instead of hiding from analysis, it makes analysis unreliable: every decoy request genuinely matches the signature it was built for, so the report fills with detections that are technically correct but operationally meaningless, and the real indicators become impossible to isolate without manual review.

Consider the analyst workflow. A sandbox processes the sample and produces a report with 47 network IOCs, 12 file-system modifications, 8 persistence mechanisms, and 6 exploit attempts. Which of those are real C2 infrastructure and which are noise? An automated triage system cannot tell. A human analyst can -- but that takes time, and most SOCs are processing hundreds of samples per day.

This technique is not entirely novel in concept -- researchers have discussed "sandbox flooding" as a theoretical evasion vector -- but finding it implemented in a commodity RAT variant operated by what appears to be a single individual is notable. It suggests the technique is migrating from APT-grade tradecraft into the cybercrime mainstream.

The Developer's Fingerprint

The PDB path is the single most damaging artifact in this campaign:

D:\Cong Viec\malware\AsyncRAT-C-Sharp\malware chuan 3\AsyncRAT-C-Sharp-master\AsyncRAT-C#\Client\obj\Debug\PhishingRAT.pdb

This path tells a complete story:

  • D:\Cong Viec\ -- Vietnamese for "Work." The operator has a dedicated working directory for malware development, organized on their D: drive.
  • malware\AsyncRAT-C-Sharp\ -- No attempt to disguise what this is. The parent directory is literally called "malware."
  • malware chuan 3\ -- Vietnamese for "standard malware version 3." This is the third iteration of this project. There was a version 1 and a version 2 before it.
  • AsyncRAT-C-Sharp-master\ -- Cloned directly from the GitHub repository. The -master suffix is the default when downloading a ZIP of the main branch.
  • obj\Debug\ -- Compiled in Debug mode, not Release. Debug builds include PDB paths, extra symbols, and debug strings -- none of which should survive into production malware.

The PDB path alone provides HIGH confidence attribution to a Vietnamese-speaking developer. Combined with MalwareBazaar's origin country metadata (VN) and the directory structure suggesting organized, iterative malware development, the attribution picture is clear: this is a Vietnamese-speaking individual running a financially motivated cybercrime operation, currently on their third major iteration of AsyncRAT customization.

Infrastructure Analysis: Three Domains, Two Cloudflare Zones, One Dead End

Domain Inventory

| Domain | Registrar | Created | NS pair | Cloudflare IPs | Status |
|---|---|---|---|---|---|
| datadreamers[.]in[.]net | Namecheap | 2025-11-10 | grant/mona | 104.21.91.43, 172.67.209.228 | LIVE (403) |
| sc88[.]now | Unknown | ~2026-01-12 | adele/sterling | 172.67.166.85, 104.21.34.238 | LIVE (301 to piracy site) |
| indotech[.]it[.]com | Unknown | Unknown | N/A | N/A | DEAD (no resolution) |

All three domains sit behind Cloudflare, which is both a tactical advantage for the operator and an investigative obstacle. Cloudflare's reverse proxy means the actual origin server IP is not exposed through DNS resolution. The IP addresses visible in DNS records (104.21.x.x, 172.67.x.x) belong to Cloudflare's CDN -- shared infrastructure used by millions of legitimate websites.

Two Zones, Possibly Two Accounts

The nameserver pairs reveal something about the operator's Cloudflare setup:

  • Zone 1 (grant.ns.cloudflare.com / mona.ns.cloudflare.com): datadreamers[.]in[.]net
  • Zone 2 (adele.ns.cloudflare.com / sterling.ns.cloudflare.com): sc88[.]now

Different NS pairs in Cloudflare typically indicate different zones, which may mean different accounts. The operator may be using separate Cloudflare accounts per domain as a compartmentalization measure -- if one account gets burned via abuse report, the other domains survive.

Certificate Timeline

Certificate Transparency logs paint a picture of infrastructure evolution:

  • datadreamers[.]in[.]net: 35+ certificates logged since March 2024. Multiple CAs used (Let's Encrypt, Sectigo, GoDaddy, DigiCert, Google Trust). Previously hosted on 103.13.112.160 -- an Indian cPanel provider (rupensen.in). Wildcard certificate issued March 8, 2026, coinciding with the campaign's active phase. The migration from an Indian hosting provider to Cloudflare suggests infrastructure maturation.

  • sc88[.]now: First certificate appeared January 12, 2026. Wildcard certificates from Google Trust Services and Let's Encrypt. This domain is newer and was likely set up specifically for this campaign.

  • sc88[.]now currently returns a 301 redirect to mp4moviez[.]za[.]com -- a piracy streaming site. This could be the domain's original purpose (piracy infrastructure repurposed for C2), a decoy redirect for non-C2 traffic, or an indicator that the operator has abandoned this domain and it has been recycled.

Hosting Hierarchy

Tier 0: Cloudflare CDN (reverse proxy, hides origin IPs)
  |
  +-- datadreamers[.]in[.]net  [ACTIVE C2]
  |     NS: grant/mona (Cloudflare Zone 1)
  |     Registrar: Namecheap (registered 2025-11-10)
  |     History: previously on 103.13.112.160 (Indian cPanel host)
  |     Wildcard cert: 2026-03-08
  |
  +-- sc88[.]now  [DEPRECATED C2, now redirects]
  |     NS: adele/sterling (Cloudflare Zone 2)
  |     First cert: 2026-01-12
  |     Current: 301 --> mp4moviez[.]za[.]com
  |
  +-- indotech[.]it[.]com  [DEAD]
        No DNS resolution
        Used only by encrypted-config variants (RobloxHack)

The infrastructure tells a story of domain rotation: indotech[.]it[.]com was likely the original C2 (used by the older encrypted-config builds), sc88[.]now was the second phase (used by PhishingRAT v1 on March 7), and datadreamers[.]in[.]net is the current active C2 (used by all PhishingRAT v2 samples from March 9-10). Each rotation leaves the previous domain behind, burning infrastructure faster than most operators would prefer -- further evidence of an operator still iterating on their setup.

Threat Actor Profile

Attribution Assessment

Confidence: HIGH
Country/Region: Vietnam
Motivation: Financial (cybercrime)
Sophistication: Intermediate -- creative sandbox evasion bolted onto poor operational security

Evidence chain:

  1. PDB path contains Vietnamese text: "Cong Viec" (Work), "malware chuan" (standard malware)
  2. MalwareBazaar origin_country metadata: VN
  3. Directory structure shows organized, versioned malware development ("malware chuan 3" = third iteration)
  4. Indian hosting infrastructure (prior to Cloudflare migration) is consistent with Southeast Asian cybercrime operations
  5. Debug build with PDB path exposure is consistent with intermediate-skill operator

This is not APT32/OceanLotus or any known Vietnamese state-sponsored group. The OPSEC profile -- debug builds, predictable encryption keys, "TestVT" group names -- is consistent with a solo or small-team cybercriminal operation rather than a resourced threat group.

Eight OPSEC Failures

The operator's security discipline is, to put it diplomatically, inconsistent:

  1. PDB path exposure: Full developer directory path with Vietnamese-language folder names baked into every binary
  2. Debug build: Compiled in Debug mode instead of Release, preserving symbols, PDB paths, and debug strings that would otherwise be stripped
  3. Debug strings in production: Multiple [DEBUG] messages left in the binary, including the sandbox noise generator's [DNS FORCE] log line
  4. Group name "TestVT": Explicitly reveals the operator is testing detection rates against VirusTotal
  5. Plaintext configuration: PhishingRAT v1 and v2 store the entire config unencrypted in .NET metadata -- C2 domain, ports, AES key, mutex, all readable with strings
  6. Weak AES key: MySuperSecretKey2026!@#456 is year-based and human-readable, and because an AsyncRAT client has to carry its master key to talk to the server, it ships inside every sample; anyone holding a binary can decrypt the C2 channel without guessing anything
  7. Reused mutex: Global\]unique_rat_2026 is identical across all plaintext-config samples, enabling cross-sample correlation and endpoint hunting
  8. Twelve samples in three days: Every MalwareBazaar upload creates a public, permanent record. Uploading 12 variants in 72 hours provides defenders with a comprehensive sample set for building detection signatures

The contradiction between the sandbox noise generator (a genuinely creative anti-analysis technique) and the catastrophic OPSEC failures everywhere else suggests the operator may have borrowed or purchased the noise module from a more skilled developer, then integrated it into their own otherwise unsophisticated build pipeline.

Operator Timeline

| Date | Event | Significance |
|---|---|---|
| 2025-11-10 | datadreamers[.]in[.]net registered via Namecheap | Infrastructure preparation, 4 months before campaign |
| 2026-01-12 | First certificate for sc88[.]now | Second C2 domain established |
| 2026-03-04 | AsyncRAT server certificate generated | Server-side infrastructure stood up |
| 2026-03-05 | New certificates for datadreamers (Cloudflare migration) | Moved from Indian hosting to Cloudflare |
| 2026-03-07 | PhishingRAT v1 + RobloxHack + Spotify variants uploaded | Campaign launch, 3 payload themes |
| 2026-03-08 | Wildcard cert for datadreamers[.]in[.]net | Infrastructure hardening |
| 2026-03-09 | PhishingRAT v2 (6 samples uploaded in one day) | Aggressive iteration/VT testing |
| 2026-03-10 | Latest sample submitted | Campaign ongoing |

The four-month gap between domain registration (November 2025) and campaign launch (March 2026) is worth noting. Either the operator was planning well ahead, or datadreamers[.]in[.]net was originally used for something else and was repurposed for this campaign. The 35+ certificates in CT logs since March 2024 point to the latter, with one caveat: the Namecheap creation date of 2025-11-10 postdates those early certificates, so the domain was most likely dropped and re-registered. The pre-November history, including the Indian cPanel hosting, may belong to a previous owner rather than to this operator, which limits what can be inferred from it.

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Execution | User Execution | T1204 | Social engineering via RobloxHack/Spotify lures |
| Persistence | Registry Run Keys | T1547.001 | HKLM\...\CurrentVersion\Run\WindowsUpdate --> %AppData%\AsyncRAT.exe |
| Persistence | Scheduled Task | T1053.005 | "WindowsUpdate" (onlogon, SYSTEM) + "CryptoMiner" (every minute) |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497.001 | VMware, VirtualBox, Sandboxie, WMI manufacturer checks |
| Defense Evasion | Obfuscated Files or Information | T1027 | Base64/AES config encoding in encrypted variant |
| Defense Evasion | Impair Defenses | T1562.001 | Windows Defender disabled via registry modification |
| Defense Evasion | Masquerading | T1036.005 | Installs as AsyncRAT.exe under generic "WindowsUpdate" name |
| Discovery | System Information Discovery | T1082 | OS version, CPU, RAM, AV product, admin status enumeration |
| Command and Control | Web Protocols | T1071.001 | HTTPS to Cloudflare-proxied domains on ports 443/80 |
| Command and Control | Encrypted Channel | T1573.001 | AES-256-CBC with HMAC-SHA256 for C2 communication |
| Collection | Input Capture: Keylogging | T1056.001 | Keyboard capture module |
| Impact | Resource Hijacking | T1496 | CryptoMiner scheduled task (noise generator, but real system impact) |

Indicators of Compromise

Network Indicators

| Indicator | Type | Context | Status |
|---|---|---|---|
| datadreamers[.]in[.]net | Domain | Primary C2 (PhishingRAT v2) | LIVE (Cloudflare, returns 403) |
| sc88[.]now | Domain | C2 (PhishingRAT v1) | LIVE (301 to piracy site) |
| indotech[.]it[.]com | Domain | C2 (RobloxHack variant) | DEAD |
| 104[.]21[.]91[.]43 | IP | Cloudflare CDN (datadreamers) | Shared infrastructure |
| 172[.]67[.]209[.]228 | IP | Cloudflare CDN (datadreamers) | Shared infrastructure |
| 172[.]67[.]166[.]85 | IP | Cloudflare CDN (sc88) | Shared infrastructure |
| 104[.]21[.]34[.]238 | IP | Cloudflare CDN (sc88) | Shared infrastructure |

File Indicators

# PhishingRAT v2 samples (38,912 bytes, C2: datadreamers[.]in[.]net)
61b1bf909875d0ae463f2f5351e2b5f2c969abe95150a805d73a96dcbb651379
654eb29dae0b3c0f992bd324f787628ab97557d875db96f16f7b60590847b02f
665c5e458cefeb7395243c3cdabbadc57b84d78ab4b411969677ab54c8a88fcd
85e630a240fcb06832fa731e1b81fd607bcacab06665a12827e014a3bf6a7a34
261ca704d693db3a77d4b69c1d28e338092c9cedc42b2f794d0508e4515a79b6
8e09b0322b18cbb0be8a32eb58374fac7a1868095f68024f87c41e89649c133c
4a2e4cca2efac0ccf4a7c8f2b5e4b28f95536ec1707c26127cafe215c1280792

# PhishingRAT v1 samples (38,400 bytes, C2: sc88[.]now)
48c8cc4947d4ef59bd849396e84a52493ad14cee265d2ae772ca4ba173f6f2cb
2f354cfa595f102401a8f160208dcf6474fce66b3b80673a5f3ea6e2c25f8c43

# RobloxHack variant (46,592 bytes, C2: indotech[.]it[.]com)
a40193b7b352fe3a14cfe1ca65c9b5250c663f0240cbcda9be70b7898e57f31f

# Spotify variants (46,592 bytes, C2: unknown/encrypted)
3efd75280f8f0c640d174d0fb55df5f3d17a10c4248bbb705281bd74bdf2d381
9c970c29df4fb1398940809e6e7a9bc5088eaca54eed4cdd878c06fd0ed030b2

# Primary sample additional hashes
MD5:     3c7fc20755929c8cde6b41da7767214f
SHA1:    9c66b95178c80f888f0e201352f5e03e440eb168
Imphash: f34d5f2d4577ed6d9ceec516c1f5a744

Behavioral Indicators

# Mutex (all plaintext-config variants)
Global\]unique_rat_2026

# Registry persistence
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
  --> %AppData%\AsyncRAT.exe

# Scheduled tasks
Name: WindowsUpdate  | Trigger: onlogon | User: SYSTEM | RunLevel: HIGHEST
Name: CryptoMiner    | Trigger: every minute | Action: powershell miner.ps1

# Installation path
%AppData%\AsyncRAT.exe

# PDB path (developer fingerprint)
D:\Cong Viec\malware\AsyncRAT-C-Sharp\malware chuan 3\AsyncRAT-C-Sharp-master\AsyncRAT-C#\Client\obj\Debug\PhishingRAT.pdb

# Sandbox noise artifacts (present only in analysis environments)
C:\Temp\keylog.txt           (fake keylogger output)
C:\Temp\downloaded_payload.bin  (fake downloaded payload)

# AES master key (PhishingRAT plaintext-config builds; the config itself is not encrypted, the key secures the C2 channel)
MySuperSecretKey2026!@#456

# AES key (RobloxHack config encryption)
CxVWP9G0j5VCsJt2HEORLA1CblHvt9Wt

Detection Guidance

Network Detection (Suricata)

alert dns $HOME_NET any -> any any (
  msg:"MALWARE PhishingRAT AsyncRAT C2 - datadreamers";
  dns.query; content:"datadreamers.in.net"; nocase;
  sid:2026031001; rev:1;)

alert dns $HOME_NET any -> any any (
  msg:"MALWARE PhishingRAT AsyncRAT C2 - sc88";
  dns.query; content:"sc88.now"; nocase;
  sid:2026031002; rev:1;)

alert dns $HOME_NET any -> any any (
  msg:"MALWARE PhishingRAT AsyncRAT C2 - indotech";
  dns.query; content:"indotech.it.com"; nocase;
  sid:2026031003; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"MALWARE PhishingRAT Sandbox Noise - Beacon Simulation";
  flow:to_server,established;
  content:"/beacon?bid="; http_uri;
  sid:2026031004; rev:1;)

Endpoint Detection

Registry hunt:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate

Look for values pointing to %AppData%\AsyncRAT.exe or any executable in %AppData% registered under the name "WindowsUpdate."

Mutex hunt: Search for the handle Global\]unique_rat_2026 across running processes. The stray bracket character makes this mutex highly distinctive and unlikely to produce false positives.

Scheduled task hunt:

schtasks /query /tn "WindowsUpdate" /v
schtasks /query /tn "CryptoMiner" /v

The "CryptoMiner" task running powershell miner.ps1 every minute is particularly noisy and easy to detect.

YARA (key detection logic): Five YARA rules are available in the investigation package covering: PDB path matching, plaintext config string detection, sandbox noise module identification, RobloxHack variant detection, and a generic Vietnamese AsyncRAT builder rule. Deploy these to endpoint detection platforms for retroactive and real-time scanning.

Sandbox Analysis Caveat

If you are processing these samples in a sandbox environment, be aware that the noise generator will activate. Your analysis report will contain dozens of network IOCs, file-system modifications, and behavioral indicators that are deliberately fabricated. The real C2 infrastructure is limited to the three domains listed above. Everything else -- the phishing POSTs, the SQL injection traffic, the fake ransomware, the crypto miner -- is designed to waste your time.
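One way to act on this caveat, as an added example that is not the report's code: a small Go triage pass that labels each request in a sandbox report by the decoy category it imitates and leaves only the remaining host:port pairs as C2 candidates. The event lines are constructed for this example, and the decoy patterns are this example's own rendering of the categories listed above, to be tuned against real report output.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// NetEvent is one HTTP request as a sandbox report lists it.
type NetEvent struct{ Method, URL, Body string }

// Triage separates decoy traffic (keyed by the category it imitates) from the
// remaining host:port pairs, the only ones worth treating as C2 candidates.
type Triage struct {
	Noise      map[string][]string
	Candidates []string
}

type rule struct {
	category string
	hit      func(path, query, body string) bool
}

// noiseRules follow the decoy categories described in the report. They are
// this example's own patterns, not signatures from the sample.
var noiseRules = []rule{
	{"web-scanner", func(p, _, _ string) bool {
		return hasAny(p, "/.env", "/wp-login.php", "/adminer.php", "/phpmyadmin", "/server-status")
	}},
	{"fake-download", func(p, _, _ string) bool {
		return hasAny(p, "/malware.exe", "/payload.dll", "/crypto_miner.exe", "/stealer.exe")
	}},
	{"fake-phishing", func(_, _, b string) bool { return hasAny(b, "test@gmail.com", "password123!") }},
	{"fake-card", func(_, _, b string) bool { return strings.Contains(b, "4111111111111111") }},
	{"fake-exploit", func(p, q, b string) bool {
		return hasAny(strings.ToLower(p+"?"+q+" "+b), "' or ", "union select", "<script", "; cat ", "$(")
	}},
	{"fake-beacon", func(p, q, _ string) bool { return p == "/beacon" && strings.HasPrefix(q, "bid=") }},
}

func hasAny(s string, needles ...string) bool {
	for _, n := range needles {
		if strings.Contains(s, n) {
			return true
		}
	}
	return false
}

// hostPort normalises the destination so repeated requests collapse to one candidate.
func hostPort(u *url.URL) string {
	if u.Port() != "" {
		return u.Host
	}
	if u.Scheme == "https" {
		return u.Hostname() + ":443"
	}
	return u.Hostname() + ":80"
}

// TriageReport walks the events once: a host that only ever carried decoy
// traffic never reaches Candidates, a host with any unmatched request does.
func TriageReport(events []NetEvent) Triage {
	t := Triage{Noise: map[string][]string{}}
	seen := map[string]bool{}
	for _, ev := range events {
		u, err := url.Parse(ev.URL)
		if err != nil {
			continue
		}
		query, _ := url.QueryUnescape(u.RawQuery) // decoy payloads arrive URL-encoded
		matched := false
		for _, r := range noiseRules {
			if r.hit(u.Path, query, ev.Body) {
				t.Noise[r.category] = append(t.Noise[r.category], ev.Method+" "+ev.URL)
				matched = true
				break
			}
		}
		if hp := hostPort(u); !matched && !seen[hp] {
			seen[hp] = true
			t.Candidates = append(t.Candidates, hp)
		}
	}
	sort.Strings(t.Candidates)
	return t
}

// sampleEvents is a constructed report excerpt, not captured traffic.
var sampleEvents = []NetEvent{
	{"GET", "http://203.0.113.10/.env", ""},
	{"GET", "http://203.0.113.10/wp-login.php", ""},
	{"GET", "http://203.0.113.10/downloads/malware.exe", ""},
	{"POST", "http://203.0.113.10/login", "user=test@gmail.com&pass=password123!"},
	{"POST", "http://203.0.113.10/checkout", "cc=4111111111111111&cvv=123"},
	{"GET", "http://203.0.113.10/search?q=%27+OR+1%3D1--", ""},
	{"POST", "http://203.0.113.10/beacon?bid=0af3", "{\"k\":\"fake\"}"},
	{"POST", "https://datadreamers.in.net/", ""},
	{"POST", "https://datadreamers.in.net/", ""},
}

func main() {
	t := TriageReport(sampleEvents)
	for cat, hits := range t.Noise {
		fmt.Printf("noise %-14s %d request(s)\n", cat, len(hits))
	}
	fmt.Println("candidates:", t.Candidates) // [datadreamers.in.net:443]
}
```

Two things to keep in mind when using this shape. If the module aims its decoys at the real C2 host as well, that host still surfaces through its unmatched requests, so nothing real is suppressed by the noise-only rule. And a non-empty Noise map is a finding in itself: the sample decided it was being analysed, so the run may not reflect what it does on a victim host.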

Immediate (24-48 hours)

  • Block datadreamers[.]in[.]net, sc88[.]now, and indotech[.]it[.]com at DNS and proxy layers
  • Search endpoint telemetry for mutex Global\]unique_rat_2026
  • Hunt for WindowsUpdate registry run key pointing to %AppData%\AsyncRAT.exe
  • Search for scheduled tasks named "WindowsUpdate" and "CryptoMiner"
  • Deploy Suricata rules above to network monitoring infrastructure

Short-term (1-2 weeks)

  • Submit abuse reports to Namecheap (datadreamers registration) and Cloudflare (both active domains)
  • Monitor MalwareBazaar for new samples sharing the PDB path, mutex, or AES key (the imphash is not a useful pivot here: f34d5f2d4577ed6d9ceec516c1f5a744 is the import hash of essentially every managed .NET executable, since they all import only mscoree.dll!_CorExeMain)
  • Set up Certificate Transparency log monitoring for new certificates issued to these domains
  • Deploy YARA rules to endpoint detection and file scanning infrastructure

Medium-term (1-3 months)

  • Monitor for new domains registered by this operator (pivot on Namecheap registrar patterns and Cloudflare NS pairs)
  • Track the SSDEEP hash, PDB path and mutex across threat intelligence platforms rather than the imphash, which for .NET binaries is shared across the whole ecosystem and will match unrelated samples
  • Submit IOCs to MISP, OTX, and relevant ISACs
  • Brief SOC analysts on the sandbox noise generator technique -- understanding that this evasion method exists will prevent wasted triage time on future encounters


Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 12 samples linked. 3 C2 domains mapped. 1 sandbox noise generator dissected. 1 operator who named their folder "malware." Classification: TLP:CLEAR
