Backdoor:MSIL/AsyncRAT!atmn
Backdoor:MSIL/AsyncRAT!atmn (Asynchronous Remote Access Trojan) is a sophisticated and persistent backdoor compiled as Microsoft Intermediate Language (MSIL) code that targets Windows devices running the .NET Framework. Being MSIL-based gives this AsyncRAT variant compatibility across Windows versions and lets it use .NET libraries for harmful activities such as screen capture and process injection. AsyncRAT started as a public, open-source remote administration tool, which led to many obfuscated variants. This variant changes over time to evade static detection signatures, which makes it a major detection challenge. The central goal of AsyncRAT is to create a hidden and lasting channel for remote control. It does this by embedding itself in Windows processes and keeping communication open with servers operated by threat actors.
The infection process often starts with phishing campaigns or software bundles, where the harmful payload pretends to be a legitimate file. After launching, it uses persistence techniques to ensure it remains on the device, such as creating scheduled tasks or adding registry run keys. It employs process hollowing to insert its code into trusted Windows processes, which lets AsyncRAT perform a broad set of malicious actions without raising alarms. Its capabilities are comprehensive: threat actors can record keystrokes, steal credentials and files from browsers and cryptocurrency wallets, capture audio and video, and turn the infected device into a proxy for further attacks.