Daily Summary
AsyncRAT activity surged today with 57 new samples, a 56% increase over the 7-day average of 36. This marks the highest single-day count in the past week, driven predominantly by executable payloads and a notable uptick in PowerShell delivery.
New Samples Detected
Executables (.exe) dominate at 39 samples (68% of total), consistent with recent campaigns, but PowerShell scripts (.ps1) climbed to 8 samples, up from an average of 3. This shift suggests actors are testing alternative execution methods to evade early detection. Batch files (.bat) and JavaScript (.js) account for smaller fractions, while archive-based delivery (.zip and .rar) remains minimal but persists.
Distribution Methods
Delivery appears to rely on direct executable downloads via fake update prompts or phishing emails with attached PowerShell scripts. The presence of batch files and JavaScript suggests some campaigns use script-based droppers to fetch AsyncRAT from remote hosts, reducing initial static detection. Archived payloads, though rare, may be masked as invoice or document attachments.
Detection Rate
Initial sandbox testing shows current variants achieve a moderate detection rate (approximately 60-70% on VirusTotal (VT)), down from the weekly average of 75%. New obfuscated PowerShell scripts and packed executables are likely evading signature-based engines.
C2 Infrastructure
100 new C2 servers were identified today, a sharp increase from the weekly average of 45. No geographic clustering is evident; IPs are distributed across Europe, North America, and Asia. Many domains follow random alphanumeric patterns and may be auto-generated.
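The random alphanumeric domain pattern noted above can be turned into a triage filter for DNS telemetry. The following is an added example, not tooling from the report's source; the entropy and digit-ratio thresholds are assumptions chosen for illustration, and the domains are constructed in reserved example TLDs rather than taken from any indicator list.

```python
"""Score DNS labels for the random-alphanumeric look described for new
AsyncRAT C2 domains. Added example: thresholds are assumptions for
illustration, and the sample domains are constructed, not indicators."""
import math
from collections import Counter

# Constructed sample list; none of these are real C2 domains.
SAMPLE_DOMAINS = [
    "xq7v2kd9pz.example",
    "a83hf0wqlm.invalid",
    "mail.example.org",
    "newsletter.example.net",
]


def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def digit_ratio(label):
    """Fraction of characters in the label that are decimal digits."""
    return sum(ch.isdigit() for ch in label) / len(label)


def looks_generated(domain, min_len=8, min_entropy=3.0, min_digit_ratio=0.2):
    """Triage heuristic: flag the leftmost label if it is long enough and
    either high-entropy or digit-heavy. The thresholds are assumed values;
    a production deployment would tune them against its own DNS baseline
    and score the registrable label (via a public-suffix list) rather than
    the leftmost one."""
    label = domain.rstrip(".").split(".")[0].lower()
    if len(label) < min_len:
        return False
    return label_entropy(label) >= min_entropy or digit_ratio(label) >= min_digit_ratio


def triage(domains):
    """Return the subset of domains whose leftmost label looks generated."""
    return [d for d in domains if looks_generated(d)]


if __name__ == "__main__":
    for d in triage(SAMPLE_DOMAINS):
        label = d.split(".")[0]
        print(f"{d}: entropy={label_entropy(label):.2f} digits={digit_ratio(label):.2f}")
```

This is a first-pass filter for analyst review, not a verdict: short or dictionary-based labels pass through untouched, and the output should be joined with the process-level telemetry (which process resolved the name) before any blocking decision.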
7-Day Trend
Activity has been steadily rising since April 28, with today’s spike representing a clear escalation. The rolling average now stands 36% above last week’s baseline, indicating a sustained campaign surge.
Security Analysis
A non-obvious observation: the concurrent rise in both executables and PowerShell scripts suggests threat actors are A/B testing delivery formats to maximize infection rates. Historically, AsyncRAT campaigns favor single-file executables, but this dual-lane approach may indicate a shift toward modular payload staging. We recommend prioritizing behavioral detection rules that flag process creation by script hosts (powershell.exe, wscript.exe) followed by outbound network connections, regardless of the launched file's extension.
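One way to implement the recommended rule is to correlate process-creation and network-connection telemetry by process identity, so the signal is the behavior (script host that connects out) rather than the extension of whatever the host was told to run. The following is an added example, not code from the report's source or from any detection product: the records mimic the field names of Sysmon Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect), every value is constructed, the ProcessGuid strings are placeholders, and cscript.exe is added to the script-host set as an assumption alongside the two hosts the report names.

```python
"""Correlate process-creation and network-connection telemetry so that a
script host (powershell.exe, wscript.exe) opening an outbound connection is
flagged whatever file it was told to run. Added example: the records mimic
Sysmon Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect) fields,
but every value below is constructed, not captured data."""
from collections import defaultdict

# Script hosts named in the report; cscript.exe is added as an assumption
# (it is the console twin of wscript.exe and runs the same script types).
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry. ProcessGuid values are placeholders; the
# addresses are documentation ranges (RFC 5737), not real infrastructure.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     # Note the .txt extension: an extension-based rule would miss this.
     "CommandLine": r"powershell.exe -nop -w hidden -f C:\Users\u\AppData\Local\Temp\invoice.txt"},
    {"EventID": 3, "ProcessGuid": "{A1}", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe //B C:\Users\u\Downloads\update.js"},
    {"EventID": 3, "ProcessGuid": "{B2}", "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
    # Benign: a scheduled maintenance script that never touches the network.
    {"EventID": 1, "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\cleanup.ps1"},
    # Benign: a browser connecting out is expected and is not a script host.
    {"EventID": 1, "ProcessGuid": "{D4}", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "firefox.exe"},
    {"EventID": 3, "ProcessGuid": "{D4}", "DestinationIp": "192.0.2.50", "DestinationPort": 443},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(events):
    """Join each NetworkConnect event to the ProcessCreate event with the same
    ProcessGuid and return one alert per script host that connected out."""
    procs = {}
    conns = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 3:
            conns[ev["ProcessGuid"]].append((ev["DestinationIp"], ev["DestinationPort"]))
    alerts = []
    for guid, proc in procs.items():
        host = image_name(proc["Image"])
        # The file extension on the command line is deliberately ignored:
        # the behavior (script host plus outbound connection) is the signal.
        if host in SCRIPT_HOSTS and conns.get(guid):
            alerts.append({
                "guid": guid,
                "host": host,
                "parent": image_name(proc["ParentImage"]),
                "command_line": proc["CommandLine"],
                "destinations": conns[guid],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} (parent {alert['parent']}) -> {alert['destinations']}")
        print(f"        {alert['command_line']}")
```

The parent image is carried into the alert because it is the cheapest way to triage: a script host spawned by a mail client or document reader that immediately connects out deserves far more attention than one launched by a scheduler, and the same rule with a parent-based allow list keeps routine administrative PowerShell from drowning the queue.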