Daily Summary
AsyncRAT activity on 2026-05-17 remained stable, with 51 new samples detected, slightly above the 7-day average of 46 (a 12% uptick). While the overall sample volume is not alarming, C2 infrastructure recovery continues at a high rate, with 100 new C2 servers recorded today, indicating sustained operational investment by the threat actors. No unusual shifts in geographic targeting or distribution methods were observed.
New Samples Detected
The file type distribution today is heavily skewed toward executable payloads, with .exe accounting for 50 of 51 samples. The lone .vbs file is a minor deviation from the near-exclusive .exe composition of recent weeks, possibly representing a residual or test sample rather than a broader shift in packaging. No novel file names or naming conventions were identified.
C2 Infrastructure
Today marks the third consecutive day of 100+ new C2 servers being deployed - a notable increase from the recent 7-day average of approximately 80-85 new servers per day. While domains remain the primary C2 channel (70 of 100), we observed 30 IP-based C2 endpoints, which may indicate an effort to rotate toward infrastructure that is harder to block with DNS-based security controls. The sustained volume suggests either an ongoing campaign expansion or a batch release of previously prepared infrastructure.
IOC Highlights
A total of 151 new IOCs were cataloged, consisting of 100 C2 servers and 51 sample hashes. Among the C2 servers, 30 are IP addresses - a higher-than-normal share of IP-based C2 compared with recent weeks, in which domains dominated. This may reflect a tactical shift toward IP-based resilience or a specific campaign targeting environments with weak IP reputation filtering.
Security Analysis
A notable emerging pattern is the divergence between sample volume (flat) and C2 infrastructure (rising). This suggests threat actors are stockpiling C2 capacity in anticipation of a larger campaign rather than reacting to current detection failures. Defenders should preemptively block the newly identified IP-based C2s (30 IPs) at the perimeter, as these are less likely to be used for benign purposes and may be part of a planned high-volume attack wave within the next 72 hours.
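The IOC Highlights and Security Analysis sections above both rest on splitting a day's cataloged indicators into IP-based C2s, domain-based C2s and sample hashes, and then turning the IP subset into a perimeter blocklist. The following is an added example of that triage step, not code from the report's source or any tracker it draws on. It assumes a simple line-oriented feed of the form `type,value,first_seen`, which is an assumption about the feed format; every indicator in the constructed sample is a documentation-range address, a `.invalid` domain or a placeholder hash, not a real IOC. The one check a practitioner would want before pushing the list to a firewall is included: private and otherwise non-routable addresses are separated out rather than blocked, since a C2 entry pointing at an RFC 1918 address is almost always a sandbox or lab artifact and blocking it would affect internal traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample IOC feed (assumed format: type,value,first_seen).
# Addresses are TEST-NET ranges, domains are under .invalid, and the hash
# is a placeholder, so nothing here is a real indicator.
SAMPLE_FEED = "\n".join([
    "c2,203.0.113.10:6606,2026-05-17",
    "c2,198.51.100.77:7707,2026-05-17",
    "c2,c2-placeholder-a.example.invalid:8808,2026-05-17",
    "c2,c2-placeholder-b.example.invalid,2026-05-17",
    "c2,10.0.0.5:4444,2026-05-17",          # sandbox/lab artifact: private range
    "c2,not a host,2026-05-17",             # malformed entry
    "sha256," + "a" * 64 + ",2026-05-17",   # placeholder hash
    "sha256,deadbeef,2026-05-17",           # wrong length, should be rejected
])

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Ranges that should never reach a perimeter blocklist. TEST-NET ranges are
# deliberately absent so the constructed sample above is treated as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def split_host_port(endpoint):
    """Split 'host:port' into (host, port or None). IPv6 literals are out of scope."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def classify_c2(endpoint):
    """Return 'ip', 'domain' or 'invalid' for a C2 endpoint string."""
    host, _ = split_host_port(endpoint)
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    return "domain" if HOSTNAME_RE.match(host) else "invalid"


def parse_feed(text):
    """Parse feed lines into dicts, tagging each record with its validated kind."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type, value, first_seen = (f.strip() for f in line.split(",", 2))
        rec = {"type": ioc_type, "value": value, "first_seen": first_seen}
        if ioc_type == "c2":
            rec["kind"] = classify_c2(value)
        elif ioc_type == "sha256":
            rec["kind"] = "hash" if SHA256_RE.match(value.lower()) else "invalid"
        else:
            rec["kind"] = "invalid"
        records.append(rec)
    return records


def summarize(records):
    """Count IOCs the way the daily summary reports them (invalid entries excluded from total)."""
    kinds = Counter(r["kind"] for r in records)
    return {
        "total": sum(v for k, v in kinds.items() if k != "invalid"),
        "c2_ip": kinds["ip"],
        "c2_domain": kinds["domain"],
        "hashes": kinds["hash"],
        "invalid": kinds["invalid"],
    }


def build_ip_blocklist(records):
    """Return (blockable, skipped): routable IP C2s as (ip, port) tuples, and the
    non-routable ones set aside for analyst review instead of blocking."""
    blockable, skipped = [], []
    for r in records:
        if r["kind"] != "ip":
            continue
        host, port = split_host_port(r["value"])
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in NON_ROUTABLE):
            skipped.append((str(addr), port))
        else:
            blockable.append((str(addr), port))
    return blockable, skipped


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    print(summarize(recs))
    block, skip = build_ip_blocklist(recs)
    print("block:", block)
    print("review, not block:", skip)
```

Running the block on the constructed feed yields 6 valid IOCs (3 IP C2s, 2 domain C2s, 1 hash), rejects the two malformed lines, and places only the two TEST-NET addresses on the blocklist while holding the RFC 1918 address for review. The same ratio reported above (30 IP to 70 domain C2s) would fall straight out of `summarize` on a real day's feed.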