A sophisticated fileless malware campaign exploiting legitimate system tools has been uncovered by cybersecurity researchers.
The attack bypasses traditional disk-based detection by executing malicious code entirely in memory, making it difficult to detect, analyze or remove.
Investigators found the operation ultimately delivered AsyncRAT, a powerful remote access Trojan (RAT), through a multi-stage fileless loader.
Initial Access via Compromised Remote Tool
According to an advisory published by LevelBlue on Wednesday, the breach began with a compromised ScreenConnect client – a widely used remote access platform.
Threat actors established an interactive session via the domain relay.shipperzone[.]online, linked to unauthorized ScreenConnect deployments. During this session, a VBScript called Update.vbs executed through WScript triggered a PowerShell command to download two payloads.
The files, logs.ldk and logs.ldr, were saved to the C:UsersPublic directory but never written as executables on disk. They were loaded directly into memory using reflection.
The first payload was converted into a byte array, while the second was executed directly. The script retrieved encoded data from the web, decoded it in memory and invoked a .NET assembly to run the attack – a hallmark of fileless malware.
Read more on fileless malware execution techniques: PowerShell-Based Loader Deploys Remcos RAT in New Fileless Attack
The AsyncRAT Infection Chain
A first-stage .NET assembly, Obfuscator.dll, acts as a launcher for the AsyncRAT infection chain.
The LevelBlue analysis revealed three core classes:
-
Class A, which initializes the runtime environment
-
Class Core, which establishes persistence through a scheduled task disguised as “Skype Updater” and loads additional payloads
-
Class Tafce5, which disables Windows security logging, patches script scanning and resolves APIs dynamically
The modular design allowed the malware to evade detection while preparing the system for the RAT payload.
Meanwhile, AsyncClient.exe functions as the command-and-control (C2) engine. It maintains persistent access, performs system reconnaissance and executes attacker-supplied commands.
Key capabilities include:
-
AES-256 decryption of embedded settings, including C2 domains like 3osch20[.]duckdns[.]org, infection flags and target directories such as %AppData%
-
TCP-based communication with custom packet protocols for command dispatch
-
Data exfiltration, including operating system details, privilege levels, antivirus status, active window titles and browser extensions such as MetaMask and Phantom
-
Keylogging with context capture, ensuring persistence through scheduled tasks
“By breaking down key elements, we can understand how the malware maintains persistence, dynamically loads payloads, and exfiltrates sensitive data like credentials, clipboard contents and browser artifacts,” reads the advisory.
“These findings enable the creation of targeted detection signatures and support endpoint hardening based on observed behaviors.”
