AsyncRAT - Daily Threat Report

Thursday, April 23, 2026

Daily Summary

AsyncRAT sample volume held steady at 12 new samples, in line with the 7-day average of 12 (2% difference, stable trend). No notable spike or decline was observed, indicating sustained but not escalating activity for this RAT family.

New Samples Detected

The 12 new samples were distributed across four file types: 5 VBS scripts, 4 EXE binaries, 2 BAT files, and 1 XLS spreadsheet. The dominance of VBS files (42%) marks a slight shift away from EXE-based delivery seen earlier in the week, where EXE accounted for 50% of samples. Naming patterns remain obfuscated, using random alphanumeric strings to evade hash-based blocking.

Distribution Methods

Delivery appears tied to phishing campaigns leveraging VBS and BAT scripts as initial downloaders. The lone XLS file suggests occasional macro-enabled attachments, though the low count indicates this vector is secondary. No evidence of direct EXE downloads via drive-by URLs was observed today.

Detection Rate

Current signatures on major AV platforms show mixed effectiveness. The VBS samples, which often leverage obfuscation via encoded strings and variable renaming, exhibit lower detection rates (60-70%) compared to EXE variants (85-90%). The single XLS file likely relies on macro execution and may evade detection if macros are disabled by default in newer Office versions.

C2 Infrastructure

100 new C2 domains and IPs were added to tracking, with 112 new IOCs total. Geographic clustering of C2 hosts is absent from today’s data, suggesting decentralized hosting on bulletproof providers or compromised legitimate domains. No repeat C2s from prior weeks were identified.

7-Day Trend

Activity has been stable throughout the week, with sample counts fluctuating between 10 and 14 daily and averaging 12. There is no indication of a campaign ramp-up or imminent surge.

Security Analysis

A non-obvious observation: the shift toward VBS-based payloads may exploit gaps in email gateway scanning that focus on PE files. This tactic mirrors recent AsyncRAT campaigns that use script-based loaders to download the final RAT payload in stages, bypassing initial static analysis. Defensive teams should prioritize behavioral analysis of VBS and BAT execution, including PowerShell invocation patterns. Actionable recommendation: enable script block logging in PowerShell and deploy AMSI bypass detection rules to catch VBS scripts that load .NET assemblies reflectively.
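The recommendation above only pays off if something reads the resulting logs. The following is an added example, not part of this report or of any abuse.ch tooling: a small Python triage routine run over constructed PowerShell script block entries (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which is populated once EnableScriptBlockLogging is set under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging). It flags reflective Assembly::Load calls whose bytes come from base64, a file or a byte array, and raises severity when the script block has no on-disk path or was launched from a temp directory. The sample entries, paths and block ids are all hypothetical.

```python
import re
from dataclasses import dataclass

# PowerShell is case-insensitive, so every pattern is compiled with IGNORECASE.
# Matches [System.Reflection.Assembly]::Load( or [Reflection.Assembly]::Load(
# but not LoadWithPartialName(, LoadFrom( or LoadFile(, which take a name/path
# and are common in legitimate admin scripts.
REFLECTIVE_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]\s*::\s*Load\s*\(", re.IGNORECASE)
# Sources that hand raw assembly bytes to Load(): base64 blob, file read, byte array.
BYTE_SOURCE = re.compile(r"FromBase64String|ReadAllBytes|\[byte\[\]\]", re.IGNORECASE)
# Script files living in user or system temp directories (typical for script droppers).
TEMP_PATH = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Constructed 4104-style entries: (script block id, Path field, ScriptBlockText).
# An empty Path means the block was executed in memory rather than from a file.
SAMPLE_4104 = [
    ("a1", r"C:\Users\jdoe\AppData\Local\Temp\x7q9.ps1",
     r"$b=[Convert]::FromBase64String($env:PAYLOAD);"
     r"[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"),
    ("a2", "", r"Get-ChildItem C:\Windows\Temp | Where-Object Length -gt 1MB"),
    ("a3", r"C:\Scripts\gui.ps1",
     r"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')"),
    ("a4", r"C:\Program Files\Vendor\Update.ps1",
     r"Import-Module PSReadLine; Update-Help -ErrorAction SilentlyContinue"),
    ("a5", "", r'[Reflection.Assembly]::Load([IO.File]::ReadAllBytes("$env:TEMP\k.dll"))'),
    ("a6", r"C:\Scripts\build.ps1", r"[System.Reflection.Assembly]::Load($asm)"),
]


@dataclass
class Finding:
    block_id: str
    severity: str
    reasons: list


def analyze_block(block_id, path, text):
    """Return a Finding for a suspicious script block, or None if nothing matched."""
    reasons = []
    if REFLECTIVE_LOAD.search(text):
        reasons.append("reflective Assembly::Load call")
        if BYTE_SOURCE.search(text):
            reasons.append("assembly bytes come from base64/file/byte array, not a named assembly")
    if not reasons:
        return None
    # Context from the Path field: in-memory blocks and temp-dir scripts are more suspicious.
    if not path:
        reasons.append("script block has no on-disk path (in-memory execution)")
    elif TEMP_PATH.search(path):
        reasons.append("script file lives in a temp directory")
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding(block_id, severity, reasons)


def scan(entries):
    """Run analyze_block over every (id, path, text) tuple and keep the hits."""
    return [f for f in (analyze_block(*entry) for entry in entries) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_4104):
        print(f"{finding.block_id}: {finding.severity} - " + "; ".join(finding.reasons))
```

Of the six constructed entries, a1 and a5 come back high (byte-sourced reflective load plus a temp path or no path), a6 is medium (reflective load of a variable from a normal script location, worth a look but often benign), and the LoadWithPartialName call in a3 is deliberately not flagged so that ordinary admin scripts do not drown the alert. Tune BYTE_SOURCE and TEMP_PATH to the environment before wiring this into a pipeline.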

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
