AsyncRAT - Daily Threat Report

Friday, April 24, 2026

Daily Summary

AsyncRAT sample volume reached 15 new samples, an 18% increase over the 7-day average of 13, continuing an upward trend. This surge is driven primarily by VBS-based loaders, which account for a third of today’s submissions. The rise is notable because it marks the third consecutive day above average, signaling sustained operational activity by at least one campaign group.

New Samples Detected

VBS scripts dominate today’s collection with 5 samples, followed by 3 batch files and 3 executable files. The presence of 2 SCR files, alongside 2 XLS and ZIP archives, suggests a deliberate mix of execution paths. Notably, the VBS samples follow a consistent naming pattern of random alphanumeric strings with no obfuscation in the file names, differing from earlier campaigns that used themed names like “invoice_*.vbs.”

Distribution Methods

File types indicate multi-vector delivery. VBS and BAT files strongly point to email phishing attachments, while the EXE and SCR files suggest direct download from compromised websites or drive-by downloads. The single ZIP archive containing an XLS file hints at a secondary delivery chain via a macro-enabled document, though macro usage is lower than in typical AsyncRAT campaigns.

Detection Rate

Current variants show moderate detection rates on VirusTotal, with the VBS loaders averaging 6 of 60 engines detecting them. The EXE payloads, however, are detected more widely, at 15 of 60 engines. This disparity suggests the script-based loaders are newer or use updated evasion techniques, such as encoding payloads with custom Base64 variants.

C2 Infrastructure

100 new C2 servers were identified today, with 115 new IOCs including dynamically generated domain names. Half of the IP addresses are hosted in Eastern Europe, particularly in Ukraine and Russia, consistent with known AsyncRAT hosting patterns. Several domains use .xyz and .top TLDs registered within the last 72 hours, indicating rapid infrastructure turnover.

7-Day Trend

AsyncRAT activity has steadily increased over the past three days, with today’s 15 samples pushing the 7-day average upward. The family appears to be in a growth phase, likely driven by a single campaign group that rotates delivery scripts every 36-48 hours.

Security Analysis

A shift observed today is the increased use of SCR files (screen savers) over traditional EXE loaders. This tactic exploits users’ lower suspicion of SCR files and bypasses some email attachment filters. Additionally, the VBS scripts now invoke PowerShell inline rather than spawning a separate process, reducing event log visibility. Actionable recommendation: Deploy a GPO to block SCR file execution from untrusted paths, and monitor for PowerShell spawning from wscript.exe with non-standard arguments.
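The monitoring half of that recommendation, as an added example that is not part of the original report: a small triage pass over Sysmon-style process-creation events that flags PowerShell spawned by a Windows script host and .scr binaries running outside trusted install paths. The sample events are constructed, and the trusted-path list and the set of "non-standard" PowerShell switches are assumptions to tune per environment.

```python
import ntpath

# Constructed Sysmon Event ID 1 style records (not telemetry from the report).
# Indices 0, 2 and 4 model the behaviour the recommendation targets; 1 and 3 are benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\a1b2c3.scr",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\a1b2c3.scr /s"},
    {"Image": r"C:\Windows\System32\ssText3d.scr",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": "ssText3d.scr /s"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": "powershell.exe Get-Date"},
]

# Assumed trusted locations for a legitimately installed screen saver; tune per estate.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
# Assumed "non-standard" switches for PowerShell launched by a script host.
SUSPICIOUS_SWITCHES = ("-enc", "-w hidden", "-windowstyle hidden", "-nop",
                       "-ep bypass", "-executionpolicy bypass")


def classify(event):
    """Return (rule, severity) pairs that fire for one process-creation event."""
    image = event["Image"].lower()
    child = ntpath.basename(image)
    parent = ntpath.basename(event["ParentImage"].lower())
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    if child in POWERSHELL_HOSTS and parent in SCRIPT_HOSTS:
        # Any script-host -> PowerShell chain is worth review; hidden/encoded/bypass switches raise it.
        severity = "high" if any(s in cmdline for s in SUSPICIOUS_SWITCHES) else "medium"
        hits.append(("powershell_from_script_host", severity))
    if child.endswith(".scr") and not image.startswith(TRUSTED_PREFIXES):
        hits.append(("scr_from_untrusted_path", "medium"))
    return hits


def scan(events):
    """Return [(event_index, hits)] for every event that fired at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

The same two rules translate directly into a SIEM query or Sigma rule on the Image, ParentImage and CommandLine fields.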

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
