Daily Summary
AsyncRAT sample volume fell to 27 new samples on 2026-05-06, a sharp 50% decline from the 7-day average of 54. This marks a continued cooling trend after moderate activity earlier in the week. No geographic attribution is available for the samples, suggesting distributed or anonymized delivery.
New Samples Detected
The 27 new samples are dominated by executable files, with 21 .exe variants, followed by 3 .bat scripts, 1 .scr screensaver, 1 .rar archive, and 1 .js file. The presence of a .scr file is notable, as it is used less frequently and may indicate an attempt to bypass email filters that block .exe attachments. The single .js file suggests possible use of script-based loaders for initial delivery.
Distribution Methods
Based on the file type breakdown, AsyncRAT is primarily delivered via executable files, likely through phishing emails with direct .exe attachments or download links. The .bat scripts may be used as second-stage droppers, while the .rar archive could be used to compress payloads to evade attachment-size filters. The .scr file suggests some campaigns are adapting to use less-blocked extensions.
Detection Rate
Current detection rates for these 27 samples are not specified, but the decline in volume combined with the use of less common file types (.scr, .js) may indicate that newer variants are being crafted to evade signature-based detection. Security teams should verify coverage for script-based and archive-delivered payloads.
C2 Infrastructure
A total of 99 new C2 servers and 126 new IOCs were identified, indicating ongoing infrastructure turnover despite lower sample volume. This high ratio of new C2s per sample suggests operators are rapidly cycling domains or IPs to maintain resilience. No geographic patterns are available.
7-Day Trend
The 50% drop below the 7-day average confirms a clear downward trajectory in AsyncRAT sample submissions. Activity appears to be cooling, possibly due to a shift in focus to other malware families or a campaign pause.
Security Analysis
A non-obvious observation is the high number of new C2 servers relative to the low sample count. This mismatch suggests that operators are investing in infrastructure churn rather than volume, possibly to evade blocklists. Additionally, the appearance of a .scr sample alongside the typical .exe and .bat files indicates tactical experimentation with delivery formats. Defensive recommendation: Implement behavioral analysis rules for processes spawned from .scr and .js files, as these are less commonly monitored for AsyncRAT activity and may bypass standard detection.
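One way to express the defensive recommendation above as detection logic, shown as an added example that is not part of the original report. It assumes process-creation events are exported as JSON lines using Sysmon Event ID 1 field names (Image, ParentImage, ParentCommandLine); the rule names, paths and sample events are constructed for illustration.

```python
import json
import ntpath
import re

# Assumption: events are JSON lines with Sysmon Event ID 1 field names.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_ARG = re.compile(r'\.jse?(?=["\s]|$)', re.IGNORECASE)  # .js/.jse, not .json
SYSTEM_DIR = r"c:\windows\system32"

def classify(event):
    """Return the name of the matching rule, or None."""
    parent = (event.get("ParentImage") or "").lower()
    parent_dir, parent_name = ntpath.split(parent)
    # Rule 1: a .scr file is the parent of a new process. Stock screensavers
    # in System32 are excluded to reduce noise.
    if parent_name.endswith(".scr") and parent_dir != SYSTEM_DIR:
        return "child_of_scr"
    # Rule 2: Windows Script Host was started on a .js file and spawned a child.
    if parent_name in SCRIPT_HOSTS and JS_ARG.search(event.get("ParentCommandLine") or ""):
        return "child_of_js"
    return None

def scan(lines):
    """Classify each JSON line; blank or unparseable lines are skipped."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and (rule := classify(event)):
            hits.append((rule, event.get("ParentImage"), event.get("Image")))
    return hits

# Constructed sample events, not taken from the report.
SAMPLE_LINES = [json.dumps(e) for e in (
    {"ParentImage": r"C:\Users\demo\Downloads\invoice.scr",
     "ParentCommandLine": r'"C:\Users\demo\Downloads\invoice.scr" /S',
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\demo\Downloads\order.js"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Both rules key on the parent process rather than on file hashes or C2 addresses, so they keep working while the infrastructure described above churns.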