type: technique
confidence: medium
created: 2026-05-30
updated: 2026-05-30
tags: rust, compiler, c2-protocol, anti-analysis, code-injection, research-target

Rust Async RAT Framework

A recurring build pattern observed in modern Windows RAT/stealer families: native Rust compiled with the MSVC toolchain, tokio for async I/O, tokio-tungstenite for the WebSocket C2 channel, serde_json for structured tasking, and the BCrypt (CNG) and CryptUnprotectData (DPAPI) APIs for config protection. The builder emits a single unpacked PE32+ GUI executable with a heavy IAT (300+ imports) and an embedded AES-GCM-encrypted JSON config toggling 50+ features.

Detection / Fingerprint

  • Strings contain .cargo\registry\src\index.crates.io-<hash>\tokio-1.x\src\... paths
  • Embedded ServerMessage adjacently-tagged enum with 50–80 variants
  • Hardcoded WebSocket host/port, auth token, and E2E AES-GCM string (e.g. dolphin-e2e-aes256gcm-v1)
  • Large blocks of Electron/browser injection JavaScript shipped as string literals inside the Rust binary
  • Large .rdata section (>1 MB) containing serialized JSON field names and task enums
  • No UPX packing; entropy typically 6.0–7.0 in .xdata/.rdata and ~8.0 (near-random, i.e. encrypted or compressed data) in .datax

Reproduce on your own VMs

  1. Install Rust nightly (stable also compiles the crates below) + cargo on Windows x64, with the x86_64-pc-windows-msvc target.
  2. Add dependencies to Cargo.toml:
    • tokio = { version = "1.52", features = ["full"] }
    • tokio-tungstenite = "0.21"
    • serde = { version = "1.0", features = ["derive"] }
    • serde_json = "1.0"
    • windows = { version = "0.52", features = ["Win32_Security_Cryptography", ...] }
  3. Define a ServerMessage enum with #[serde(tag = "type")] plus a content attribute (adjacently tagged, matching the fingerprint above; the tag attribute alone yields an internally tagged enum with a different JSON shape) and ~10 representative variants.
  4. Encrypt a JSON config blob via AES-GCM (key derived from a static passphrase) and embed with include_bytes!.
  5. At runtime decrypt via CNG: BCryptOpenAlgorithmProvider (AES) → BCryptSetProperty (BCRYPT_CHAINING_MODE = BCRYPT_CHAIN_MODE_GCM) → BCryptGenerateSymmetricKey → BCryptDecrypt with a BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO carrying the nonce and tag. The provider defaults to CBC, so without the chaining-mode property the authenticated decrypt is rejected.
  6. Build with cargo build --release --target x86_64-pc-windows-msvc.
  7. Sign (optional) or strip, then run strings over the binary: the tokio-1.52.1 registry paths and ServerMessage variant names remain, because they are panic-location and serde literals in .rdata rather than debug symbols; only building with --remap-path-prefix (or a different CARGO_HOME) changes the path strings.

Defensive Countermeasures

  • YARA: match the .cargo\registry\src\index.crates.io path cluster together with the ServerMessage enum name and its dense run of variant-name strings; the registry paths alone also match benign tokio-based Rust binaries, so require both.
  • Network: block the hardcoded WebSocket host (SNI) and alert on Upgrade: websocket handshakes originating from processes that are not validly signed browsers.
  • Endpoint: alert on CreateRemoteThread or SetWindowsHookEx targeting Electron processes when the source image is named like an NVIDIA or RuntimeBroker binary but runs from a non-canonical path.
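The network and endpoint rules above, as an added example (not code from the page or from any vendor): two detection functions evaluated over constructed JSON-line telemetry. The record schema, the Electron application list, the Authenticode publisher names used as the signed-browser allowlist, and the canonical directories for RuntimeBroker.exe and NVIDIA binaries are assumptions made for this example and should be adjusted to the estate; the sample records and every path in them are made up.

```python
"""Endpoint and network rules from the countermeasures above, evaluated over
constructed telemetry. The record schema (event, source_image, target_image,
image, signer, signature_valid, sni, headers) is an assumption for this example,
not any EDR vendor's format; the paths in SAMPLE_RECORDS are made up."""
import json
from pathlib import PureWindowsPath

# Estate-specific assumptions: which targets count as Electron apps, which
# Authenticode publishers count as browsers, and where the two borrowed image
# names legitimately live.
ELECTRON_APPS = {"discord.exe", "slack.exe", "code.exe", "teams.exe"}
BROWSER_SIGNERS = {"Google LLC", "Mozilla Corporation", "Microsoft Corporation"}
CANONICAL_ROOTS = {
    "RuntimeBroker": [r"c:\windows\system32"],
    "NVIDIA": [r"c:\program files\nvidia corporation",
               r"c:\windows\system32\driverstore\filerepository"],
}
INJECTION_APIS = {"CreateRemoteThread", "SetWindowsHookEx"}


def masquerade_kind(image: str):
    """Name the trusted-looking identity a source image borrows, or None."""
    name = PureWindowsPath(image).name.lower()
    if name == "runtimebroker.exe":
        return "RuntimeBroker"
    if name.startswith("nv") or "nvidia" in name:
        return "NVIDIA"
    return None


def under_root(image: str, roots) -> bool:
    """True when the image's directory is one of roots or below it (no prefix spoofing)."""
    parent = str(PureWindowsPath(image).parent).lower()
    return any(parent == r or parent.startswith(r + "\\") for r in roots)


def injection_rule(ev: dict):
    """CreateRemoteThread/SetWindowsHookEx into an Electron app from a masquerading,
    non-canonical source image. Canonical RuntimeBroker/NVIDIA sources are not flagged."""
    if ev["event"] not in INJECTION_APIS:
        return None
    target = PureWindowsPath(ev["target_image"]).name
    if target.lower() not in ELECTRON_APPS:
        return None
    kind = masquerade_kind(ev["source_image"])
    if kind is None or under_root(ev["source_image"], CANONICAL_ROOTS[kind]):
        return None
    return {"rule": "electron_injection", "api": ev["event"],
            "source": ev["source_image"], "target": target, "masquerade": kind}


def websocket_rule(ev: dict, blocked_hosts):
    """WebSocket upgrade to a blocked host, or from anything not a validly signed browser."""
    if ev["event"] != "http_request":
        return None
    headers = {k.lower(): v.lower() for k, v in ev["headers"].items()}
    if headers.get("upgrade") != "websocket":
        return None
    reasons = []
    if ev["sni"].lower() in blocked_hosts:
        reasons.append("hardcoded_c2_host")
    if not (ev.get("signature_valid") and ev.get("signer") in BROWSER_SIGNERS):
        reasons.append("non_browser_process")
    if not reasons:
        return None
    return {"rule": "websocket_c2", "reasons": reasons, "process": ev["image"], "sni": ev["sni"]}


def run_rules(records, blocked_hosts):
    """Evaluate both rules over JSON-line records; returns alerts in input order."""
    blocked = {h.lower() for h in blocked_hosts}
    alerts = []
    for line in records:
        ev = json.loads(line)
        alerts += [hit for hit in (injection_rule(ev), websocket_rule(ev, blocked)) if hit]
    return alerts


# Constructed telemetry: one true injection, one canonical (benign) RuntimeBroker,
# one NVIDIA-named hook from a non-canonical path, a real browser WebSocket,
# a WebSocket from an unsigned masquerading process, and a plain request.
SAMPLE_RECORDS = [json.dumps(r) for r in [
    {"event": "CreateRemoteThread",
     "source_image": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker.exe",
     "target_image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe"},
    {"event": "CreateRemoteThread",
     "source_image": r"C:\Windows\System32\RuntimeBroker.exe",
     "target_image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe"},
    {"event": "SetWindowsHookEx",
     "source_image": r"C:\ProgramData\NvUpdate\nvsvc.exe",
     "target_image": r"C:\Users\alice\AppData\Local\slack\app-4.0.0\slack.exe"},
    {"event": "http_request", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "signer": "Google LLC", "signature_valid": True, "sni": "gateway.example.invalid",
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
    {"event": "http_request", "image": r"C:\Users\alice\AppData\Roaming\svc\RuntimeBroker.exe",
     "signer": None, "signature_valid": False, "sni": "ws.c2.invalid",
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
    {"event": "http_request", "image": r"C:\Users\alice\AppData\Roaming\svc\RuntimeBroker.exe",
     "signer": None, "signature_valid": False, "sni": "update.example.invalid",
     "headers": {"Accept": "*/*"}},
]]
```

under_root compares whole path components rather than a bare string prefix, so C:\Windows\System32Evil\RuntimeBroker.exe is still treated as non-canonical; the blocked-host set is the hardcoded WebSocket host recovered from the decrypted config, and the rule reports it separately from the signer check so a signed browser reaching that host is still surfaced.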

Pages where observed

  • dolphin — full deep-dive with 80+ task types, browser/wallet injection, polymorphic morph.