AsyncRAT - Daily Threat Report

Sunday, May 31, 2026

Daily Summary

Activity for AsyncRAT dropped sharply on 2026-05-31, with only 8 new samples detected, a 78% decline against the 7-day average of 37. A drop this steep points to either a temporary pause in distribution or a pivot to other malware families, though a lull in submissions to the sample feeds cannot be ruled out: these counts measure what was submitted, not what was delivered to victims.

7-Day Trend

Today's sample count of 8 is a 78% decrease from the 7-day average of 37, well beyond the 25% deviation threshold used to flag an anomalous day. The trend for the past week had been stable, with daily counts between 29 and 44. The drop is notable because AsyncRAT campaigns usually hold a fairly consistent volume; candidate explanations, in rough order of likelihood, are a gap in sample submissions, a pause between distribution waves, and a disruption on the operator side.

New Samples Detected

Of the 8 new samples, 7 were executables (.exe) and 1 was an archive (.rar). AsyncRAT is a .NET remote access tool, so the seven .exe submissions are almost certainly the payload itself, submitted directly rather than inside a delivery container. The .rar submission is the outlier: an archive can wrap the payload together with a loader, decoy documents or companion files, and it also defeats naive static scanning of the outer file. Its contents should be extracted and matched against the .exe set before concluding anything about delivery changes; one archive in eight samples is too little to call a trend.

IOC Highlights

There are 108 new IOCs to analyze, 100 of them C2 servers, a high number set against only 8 samples. The two counts come from different feeds, however: C2 entries are reported to ThreatFox independently of the binaries submitted to MalwareBazaar, so "100 C2s from 8 samples" is not a per-sample rotation rate. The ratio can mean that infrastructure is heavily rotated per victim or generated on the fly, but it can equally reflect a single reporter's bulk submission of infrastructure seen over a longer period. Either way, security teams should treat the full IOC set as high risk: these addresses may be short-lived but are currently reported as active.

C2 Infrastructure

The sudden addition of 100 new C2 servers, paired with only 8 samples, is consistent with a move toward one-shot C2 infrastructure, where AsyncRAT operators stand up fresh domains or IPs per campaign wave or per victim and discard them quickly to frustrate sinkholing and blocking. Prior campaigns re-used C2s for days or weeks, so this would be a real change in tradecraft. Before drawing that conclusion, check whether the 100 entries cluster on a single reporter and a narrow first_seen window (a bulk upload) or spread across reporters and hours (genuine churn). Analysts should then monitor whether the rotation persists or reverts to longer-lived servers.
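The two checks this report relies on, the 25% deviation test in the 7-Day Trend section and the turning of raw C2 entries into something a blocking team can act on, are short enough to show in code. The block below is an added example written for this page, not code from the report's pipeline or from abuse.ch. The daily counts and IOC records are constructed: the records copy the field names ThreatFox responses use (ioc, ioc_type, threat_type, malware, confidence_level, first_seen) as I know them, and the addresses are RFC 5737 documentation ranges, so nothing here is a real indicator.

```python
# Added example (not from the report or abuse.ch): the 7-day deviation check
# the report applies, plus a C2 blocklist builder over ThreatFox-shaped IOC
# records. All counts and records below are constructed for illustration.
from datetime import date, timedelta
import ipaddress

DEVIATION_THRESHOLD = 0.25  # flag a day when |today - avg| / avg >= 25%

TODAY = date(2026, 5, 31)

# Constructed daily sample counts for the seven days before TODAY; they sit
# in the 29-44 range the report describes and average exactly 37.
SAMPLE_COUNTS = {
    date(2026, 5, 24): 29,
    date(2026, 5, 25): 44,
    date(2026, 5, 26): 36,
    date(2026, 5, 27): 38,
    date(2026, 5, 28): 35,
    date(2026, 5, 29): 40,
    date(2026, 5, 30): 37,
}


def trailing_average(counts, today, days=7):
    """Mean of the `days` daily counts before `today`; a missing day counts as 0."""
    window = [counts.get(today - timedelta(days=i), 0) for i in range(1, days + 1)]
    return sum(window) / days


def deviation(today_count, baseline):
    """Signed fractional change from the baseline; None when there is no baseline."""
    if baseline == 0:
        return None
    return (today_count - baseline) / baseline


def flag_anomaly(today_count, baseline, threshold=DEVIATION_THRESHOLD):
    """True when the day moves at least `threshold` away from the baseline, either way."""
    d = deviation(today_count, baseline)
    return d is not None and abs(d) >= threshold


# Constructed records in the shape of ThreatFox API entries (assumed field
# names). They cover the cases a blocklist builder must handle: a low-
# confidence entry, an entry for another family, a payload-delivery URL
# that is not a C2, the same host on two ports, and a domain with a
# trailing dot.
IOC_RECORDS = [
    {"ioc": "198.51.100.23:6606", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.asyncrat", "confidence_level": 100, "first_seen": "2026-05-31 03:12:00 UTC"},
    {"ioc": "203.0.113.77:7707", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.asyncrat", "confidence_level": 75, "first_seen": "2026-05-31 03:12:00 UTC"},
    {"ioc": "198.51.100.23:8808", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.asyncrat", "confidence_level": 100, "first_seen": "2026-05-31 03:13:00 UTC"},
    {"ioc": "c2-panel.example.", "ioc_type": "domain", "threat_type": "botnet_cc",
     "malware": "win.asyncrat", "confidence_level": 90, "first_seen": "2026-05-31 04:40:00 UTC"},
    {"ioc": "203.0.113.9:4449", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.asyncrat", "confidence_level": 25, "first_seen": "2026-05-31 05:01:00 UTC"},
    {"ioc": "203.0.113.200:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.remcos", "confidence_level": 100, "first_seen": "2026-05-31 05:30:00 UTC"},
    {"ioc": "http://198.51.100.50/stage.rar", "ioc_type": "url", "threat_type": "payload_delivery",
     "malware": "win.asyncrat", "confidence_level": 100, "first_seen": "2026-05-31 06:00:00 UTC"},
]


def c2_blocklist(records, malware="win.asyncrat", min_confidence=50):
    """Return (ips, domains) for C2 entries of one family at or above a confidence floor.

    IPv4 ip:port entries are reduced to the host, because one C2 host often
    appears under several ports; domains are lowercased and lose a trailing dot.
    """
    ips, domains = set(), set()
    for r in records:
        if r["malware"] != malware or r["threat_type"] != "botnet_cc":
            continue
        if r["confidence_level"] < min_confidence:
            continue
        if r["ioc_type"] == "ip:port":
            host, _, _port = r["ioc"].rpartition(":")
            ipaddress.ip_address(host)  # raises ValueError on a malformed entry
            ips.add(host)
        elif r["ioc_type"] == "domain":
            domains.add(r["ioc"].lower().rstrip("."))
    return sorted(ips, key=ipaddress.ip_address), sorted(domains)


def c2_per_sample(c2_count, sample_count):
    """The report's headline ratio, returning None instead of dividing by zero."""
    return None if sample_count == 0 else c2_count / sample_count


if __name__ == "__main__":
    avg = trailing_average(SAMPLE_COUNTS, TODAY)
    print(f"7-day average {avg:.0f}, today 8, deviation {deviation(8, avg):+.0%}, "
          f"anomalous: {flag_anomaly(8, avg)}")
    ips, domains = c2_blocklist(IOC_RECORDS)
    print("block IPs:", ips)
    print("block domains:", domains)
```

The confidence floor and the collapse of ip:port to host are the two decisions worth arguing about locally: ThreatFox confidence values are reporter-supplied, so a floor of 50 trades some coverage for fewer false blocks, and blocking by host rather than host:port is the right call for a RAT whose operators pick arbitrary ports but lose precision when a C2 sits on shared hosting.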

Security Analysis

A surge in C2 count against a falling sample volume resembles a pattern previously observed in Stellar-C2 campaigns, where operators pre-provisioned infrastructure at scale ahead of a major distribution push. Here, though, the sample count fell rather than rose, which fits either a failed campaign launch or deliberate low-visibility testing. Defensive teams should block the 100 newly observed C2 IPs and domains now, subject to the confidence levels attached to each entry: infrastructure reported on the same day as fresh samples is likely still live and serving beacons. If sample volumes stay low for 48-72 hours, this is more likely the tail end of a campaign than the start of one.

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
