Trojan:MSIL/AsyncRAT!AMTB stands out as the primary Microsoft Intermediate Language (MSIL) variant of AsyncRAT, a versatile remote access trojan developed in C# and compiled to MSIL for launching within the .NET framework. First released on GitHub in 2019 as an open-source tool marketed for legitimate remote administration, this MSIL version has since been repurposed and weaponized by threat actors, The core MSIL compilation enhances its modularity, portability, and ease of customization, leading to over 465 documented forks by late 2025. This adaptability stems from its open-source roots, allowing threat actors to integrate plugins for advanced features while maintaining full control over compromised Windows devices. 

The infection process for this MSIL variant begins with phishing emails delivering malicious attachments such as ZIP, ISO, or HTML files. It runs scripts to deploy the payload into directories like %ProgramData% or C:\Users\Public, often using fileless techniques like reflective loading into legitimate .NET processes such as RegSvcs.exe to evade detection. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the AsyncRAT family.