Several organizations, including those managing U.S. critical infrastructure, have been targeted by an AsyncRAT malware campaign during the past 11 months, BleepingComputer reports.
The attackers also used a loader that first checks whether the host is a worthwhile target for the AsyncRAT payload; when it detects an analysis environment, it launches decoy payloads instead. Further examination of the campaign showed that the attackers use a domain generation algorithm that produces new command-and-control domains every week. The domains follow a fixed structure: a label of eight random alphanumeric characters under the "top" TLD, registered with South Africa as the country code.
All of the domains were hosted on DigitalOcean, the researchers noted; they have not attributed the campaign to a particular threat group.
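The report gives only the shape of the generated domains (eight alphanumeric characters directly under .top) and the weekly rotation, not the generator itself, so the most a defender can do from this page alone is a structural triage rule over DNS logs. The following is an added example written for this article, not code from BleepingComputer, the researchers, or the campaign; the log format, the client addresses and every domain in the sample are constructed for the example, and the .top pattern is a heuristic that will also match legitimate eight-character .top names, so treat hits as candidates for review rather than as confirmed C2.

```python
import re
from collections import defaultdict
from datetime import datetime

# Structural pattern reported for the campaign's generated C2 domains:
# exactly eight lowercase alphanumeric characters directly under .top.
# This is a triage heuristic, not the DGA itself (the report does not
# describe the algorithm).
DGA_PATTERN = re.compile(r"^[a-z0-9]{8}\.top$")

# Constructed sample DNS query log (not from the report). Layout chosen
# for this example: "<ISO timestamp> <client IP> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2024-01-08T09:12:01Z 10.0.4.17 A k3f9a2q7.top
2024-01-08T09:12:03Z 10.0.4.17 A updates.example.com
2024-01-08T09:15:44Z 10.0.4.22 A bleepingcomputer.com
2024-01-08T09:20:10Z 10.0.4.17 A zz1pq8m4.top
2024-01-08T09:21:05Z 10.0.4.31 A shop.top
2024-01-08T09:22:00Z 10.0.4.31 AAAA abcdefgh.top
2024-01-08T09:25:30Z 10.0.4.17 A a1b2c3d4e.top
2024-01-15T10:02:11Z 10.0.4.17 A p0o9i8u7.top
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qtype, qname).

    Returns None for lines that do not have the four expected fields.
    The query name is lower-cased and stripped of a trailing dot so the
    pattern check is case- and FQDN-dot-insensitive.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return ts, client, qtype, qname.lower().rstrip(".")


def matches_campaign_pattern(domain):
    """True if the domain has the reported 8-char alphanumeric .top shape."""
    return DGA_PATTERN.match(domain) is not None


def find_suspect_queries(log_text):
    """Map each client IP to the list of pattern-matching domains it queried.

    Order of appearance is preserved so an analyst can see the sequence in
    which a host reached out.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, _qtype, qname = rec
        if matches_campaign_pattern(qname):
            hits[client].append(qname)
    return dict(hits)


def domains_by_week(log_text):
    """Group matching domains by ISO (year, week) of first sighting.

    The report says the DGA yields new domains weekly, so a set that changes
    from one ISO week to the next, rather than a single domain queried all
    month, is consistent with the described rotation.
    """
    weeks = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _client, _qtype, qname = rec
        if not matches_campaign_pattern(qname):
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        iso = when.isocalendar()
        weeks[(iso[0], iso[1])].add(qname)
    return {week: sorted(domains) for week, domains in weeks.items()}


if __name__ == "__main__":
    for client, domains in find_suspect_queries(SAMPLE_DNS_LOG).items():
        print(f"{client}: {', '.join(domains)}")
    for week, domains in sorted(domains_by_week(SAMPLE_DNS_LOG).items()):
        print(f"ISO week {week}: {domains}")
```

In the sample, `shop.top` (four characters) and `a1b2c3d4e.top` (nine characters) are correctly ignored, while `10.0.4.17` stands out as the host that resolves a fresh matching domain in each week. A follow-up check a practitioner would add before escalating is resolving the candidate and confirming the hosting provider and registrant country against what the researchers reported, which this offline example deliberately does not do.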