MessagePack Asynchronous RAT Protocol
Overview
A .NET C2 wire-format protocol used by asyncrat and conceptually related to the protobuf-net-asymmetric-client-rat-protocol seen in quasar. MessagePack-serialized objects are encrypted with AES-256, authenticated with an HMAC, and sent over a TLS-wrapped TCP socket. The frame structure is: length-prefix → AES(HMAC(MessagePack(object))).
Detection / Fingerprint
- Embedded MessagePack or MsgPack library references in .NET PEs
- capa hits: create TCP socket, send data, receive data, plus AES/HMAC primitives
- Network: TLS-wrapped TCP; no HTTP layer; no standard User-Agent
Implementation Patterns
- AsyncRAT: uses System.Security.Cryptography.AesCng + HMACSHA256; packets are prefixed with a 4-byte length; the MessagePack library is typically embedded via ILMerge or included as a NuGet reference.
- Quasar equivalent: protobuf-net instead of MessagePack; otherwise similar framing.
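The static indicators from Detection / Fingerprint and Implementation Patterns can be combined into one triage check. The following is an added example, not code from AsyncRAT or from any tool named on this page; the grouping of indicators, the rule that every group must hit, the System.Net.Sockets name for the socket capability, and the sample bytes are assumptions of the example.

```python
"""Static triage for the .NET fingerprint described above (added example)."""

# Names come from the page; grouping them and requiring every group is an
# assumption of this example, as is System.Net.Sockets for the socket capability.
INDICATORS = {
    "serializer": ("MessagePack", "MsgPack"),
    "cipher": ("AesCng",),
    "mac": ("HMACSHA256",),
    "socket": ("System.Net.Sockets",),
}
CLR_METADATA_MAGIC = b"BSJB"  # signature at the start of the CLR metadata root


def find_indicators(data: bytes) -> dict:
    """Map each indicator group to the names present in the raw file bytes."""
    hits = {}
    for group, names in INDICATORS.items():
        # Type and namespace names sit in the UTF-8 #Strings heap;
        # string literals sit in the UTF-16LE #US heap, so check both.
        found = [n for n in names
                 if n.encode("utf-8") in data or n.encode("utf-16-le") in data]
        if found:
            hits[group] = found
    return hits


def triage(data: bytes) -> dict:
    """Flag a file only if it is a .NET PE and every indicator group hits."""
    is_dotnet = data[:2] == b"MZ" and CLR_METADATA_MAGIC in data
    hits = find_indicators(data) if is_dotnet else {}
    missing = sorted(set(INDICATORS) - set(hits))
    return {"dotnet": is_dotnet, "hits": hits, "missing": missing,
            "match": is_dotnet and not missing}


def constructed_sample(names, dotnet=True) -> bytes:
    """Build a fake byte image for the demo; it is not a loadable PE."""
    blob = b"MZ" + b"\x00" * 62 + (CLR_METADATA_MAGIC if dotnet else b"")
    for i, name in enumerate(names):
        # Alternate encodings to exercise both heap styles.
        blob += b"\x00" + name.encode("utf-8" if i % 2 == 0 else "utf-16-le")
    return blob


if __name__ == "__main__":
    full = ["MessagePack", "AesCng", "HMACSHA256", "System.Net.Sockets"]
    print(triage(constructed_sample(full)))      # every group present
    print(triage(constructed_sample(full[:2])))  # mac and socket missing
```

Legitimate .NET software also combines MessagePack, AES and sockets, so a match is a triage signal to weigh alongside the network fingerprint rather than a verdict.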
Cross-References
- asyncrat — primary family using this protocol
- quasar — uses protobuf-net for the same architectural slot
- protobuf-net-asymmetric-client-rat-protocol — parallel serialization choice