Daily Summary
AsyncRAT sample volume surged to 49 new specimens, 233% above the 7-day average of 15. This marks the sharpest single-day spike observed in the current campaign cycle, signaling aggressive distribution efforts.
New Samples Detected
Executables dominate with 27 .exe files (55% of total), but PowerShell scripts (9), batch files (5), and JavaScript (1) indicate a shift toward living-off-the-land tactics. Compressed archives (.zip, .rar) account for 8% of samples, likely used to bypass email gateway scanners. A notable .scr file surfaced, suggesting fake screensaver lures remain in rotation.
Distribution Methods
The absence of macro-enabled documents suggests that attackers favor script-based delivery. PowerShell and batch files point to phishing campaigns with embedded downloaders or email attachments invoking mshta.exe. The .dll sample may be sideloaded via legitimate executables, a technique previously tied to Asian threat groups.
Detection Rate
Initial scans of today’s samples show 82% detection across major engines, but the PowerShell and JS samples evade static signatures at higher rates (65% detection). Two .exe variants use XOR-encrypted payloads not yet fingerprinted by several low-tier AVs.
C2 Infrastructure
100 new C2 servers were observed, with 70% hosted on bulletproof providers in Eastern Europe. No clear geographic targeting emerged, but 14 IPs share ASNs previously linked to crypting services supporting AsyncRAT operations.
7-Day Trend
Today’s 49 samples break a week-long plateau of 12-18 daily samples, indicating a campaign pivot rather than a gradual ramp. If activity sustains tomorrow, expect SOC queues to overflow with alerting from endpoint tools.
Security Analysis
A non-obvious behavioral change is the inclusion of .ps1 files using base64-encoded reflective loading, a departure from the typical raw socket injection. This suggests AsyncRAT operators are aligning with pre-built PowerShell frameworks to evade memory scanners. Defensive recommendation: block PowerShell execution from Office applications and restrict outbound connections to known high-risk ASNs via firewall rule sets updated every 8 hours.
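As an added example (not part of this report or of any vendor tooling), the following Python detector turns the two behaviors above into checks over Sysmon-style process-creation events: PowerShell spawned by an Office parent, and an -EncodedCommand whose decoded script references reflective assembly loading. The event field names and the sample events are constructed assumptions.

```python
import base64
import re

# Assumed Office parent images for the "PowerShell from Office" rule.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Substrings (lower-cased) that indicate reflective loading of a .NET payload from a base64 blob.
REFLECTIVE_MARKERS = ("reflection.assembly", "frombase64string", "::load(")

def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand (base64 of UTF-16LE), else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the detection labels that fire for one process-creation event (assumed field names)."""
    hits = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    is_ps = image in ("powershell.exe", "pwsh.exe")
    if is_ps and parent in OFFICE_PARENTS:
        hits.append("powershell_from_office")
    if is_ps:
        decoded = decode_encoded_command(event["command_line"])
        if decoded is not None:
            hits.append("encoded_command")
            if any(mk in decoded.lower() for mk in REFLECTIVE_MARKERS):
                hits.append("reflective_load")
    return hits

def encode_command(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (used only to construct sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events: one matching the reported pattern, one benign admin script.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand "
                     + encode_command("[Reflection.Assembly]::Load([Convert]::FromBase64String($p))")},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

def scan(events):
    """Map each event to (parent process name, detection labels)."""
    return [(e["parent_image"].rsplit("\\", 1)[-1], classify(e)) for e in events]

if __name__ == "__main__":
    for parent, labels in scan(SAMPLE_EVENTS):
        print(parent, labels)
```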