Exclusively using variant names to track threats has significant limitations. Unique names like ArchosaurRAT or ShiningForceRAT create clear queries, generating a minimal amount of false positives. At the same time, searching under more general names leads to critical conflicts with legitimate organizations. For example, requests about PhoenixRAT intersect with industrial equipment of the Phoenix Contact GmbH company, and results for PegasusRAT get lost in the information noise from NSO Group products. Therefore, detection systems need a verified sample of the certificate or control panel contents, not just a name match.
The evolution of the AsyncRAT ecosystem demonstrates the need to transition from classic file signature blocking to tracking infrastructure patterns. Malefactors will continue to create new code branches, yet their reliance on outdated TLS certificate structures remains a powerful tool for defense teams. Analyzing this metadata can significantly increase the efficiency of detecting C2 environments.
iIT Distribution is a distributor of solutions for information security and IT infrastructure. The iITD expert team provides comprehensive support during consulting, design, deployment, and configuration of advanced Threat Intelligence systems. Collaboration with iIT Distribution guarantees qualified support at all stages of partner projects, helping teams adapt to the evolving threat landscape.