AsyncRAT - Daily Threat Report

Saturday, May 2, 2026

Daily Summary

AsyncRAT activity surged on May 2, 2026, with 55 new samples detected, an 82% increase over the 7-day average of 30. This marks the highest single-day volume in the current observation window, signaling a possible coordinated campaign or updated builder distribution.

New Samples Detected

Executables (.exe) dominate at 35 samples, but script-based payloads (.ps1, .bat, .js) together account for 16 samples (29%), a notable shift from the typical 20% script ratio. The inclusion of 3 archived samples (.zip and .rar) suggests some actors are layering delivery with password-protected archives, likely to bypass email gateway scans. No consistent naming pattern emerged, though several .exe samples used names mimicking system utilities (e.g., “svchost_update.exe”).

Distribution Methods

The file type breakdown points to multi-vector delivery. The 9 PowerShell scripts (.ps1) suggest phishing emails with macro or link-to-download tactics, while the .bat and .js files indicate secondary stages in USB droppers or web redirects. The majority of .exe samples likely arrive via malvertising or fake download portals. The archived samples indicate a small portion uses password-protected archives sent via email to evade initial detection.

Detection Rate

Preliminary static-rule scans show roughly 70-75% detection across common AV engines for current samples, slightly lower than the typical 80% for AsyncRAT. The uptick in obfuscated PowerShell and .bat files evades signature-based engines at higher rates. Analysts should verify endpoint detections and update machine learning models if available.

C2 Infrastructure

New C2 infrastructure expanded significantly today, with 100 fresh servers and 155 total IOCs (IPs, domains). While geographic data is pending, the spike in registrations may indicate a rapid deployment of ephemeral servers, possibly using DGA or public cloud IP ranges. Historical patterns suggest a high churn rate for these C2s within 48 hours.

7-Day Trend

Today’s 82% surge above the 7-day average breaks a relatively stable week of 25-35 daily samples. Activity appears to be ramping up, likely driven by a new builder release or targeted campaigns against specific sectors.

Security Analysis

A non-obvious observation: the 16 script-based samples diverge from AsyncRAT’s typical heavy reliance on packed executables, suggesting actors are testing lower-sophistication delivery paths while maintaining high-volume .exe drops. This hybrid approach may reflect an attempt to harvest credentials or establish persistence without triggering EDR alerts focused on binary executions. Actionable recommendation: Enable script block logging and AMSI on endpoints, and restrict execution of .ps1, .bat, and .js files from non-approved paths via AppLocker or WDAC rules.
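The following PowerShell is an added example of how the recommendation above can be applied on a single Windows endpoint; it is not part of the report or of the abuse.ch data feeds. It assumes an elevated session on Windows 10 / Server 2016 or later (AppLocker rules can be authored on any edition but are only enforced on Enterprise, Education and Server editions), and the allowed script directories, the policy file path and the audit-only enforcement mode are local choices to adapt, not values from the report.

```powershell
# Added example, not from the report. Run elevated. Paths, rule names and
# the allowed-directory list are assumptions; adapt them to the environment.

# 1. PowerShell Script Block Logging. Logged script content appears in the
#    Microsoft-Windows-PowerShell/Operational log as Event ID 4104.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. AMSI is built into Windows 10 / Server 2016 and later; what matters is
#    that an antimalware product has registered a provider. An empty list
#    means nothing is inspecting script content at runtime.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if (-not $providers) {
    Write-Warning 'No AMSI providers registered on this host'
} else {
    $providers | ForEach-Object { 'AMSI provider: {0}' -f $_.PSChildName }
}

# 3. AppLocker Script rule collection. AppLocker is default-deny once a
#    collection has rules: scripts (.ps1, .bat, .cmd, .vbs, .js) are allowed
#    only from Program Files and the Windows folder (minus the user-writable
#    Temp subfolder), plus administrators. AuditOnly is used first so the
#    policy can be validated before switching to Enabled.
$everyoneSid = 'S-1-1-0'        # Everyone
$adminsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts: allow Program Files" Description="" UserOrGroupSid="$everyoneSid" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts: allow Windows folder" Description="" UserOrGroupSid="$everyoneSid" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\Temp\*" /></Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts: allow administrators" Description="" UserOrGroupSid="$adminsSid" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:ProgramData 'script-restriction-policy.xml'   # assumed location
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# The Application Identity service must run for AppLocker to evaluate rules.
# Its startup type is protected on recent builds, so sc.exe is used.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 4. Review what the policy would have blocked (8006 = script blocked in
#    audit mode) and confirm script block events are being written.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id
```

Audit mode matters here: a deny-by-default script policy will also stop legitimate logon scripts and management tooling that live outside the allowed directories, so the 8006 events collected over a few days are the input for the allow-list before EnforcementMode is changed to Enabled. Forwarding the 4104 and 8006 events to the SIEM gives the same visibility the report asks analysts to verify at the endpoint.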

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
