AsyncRAT - Daily Threat Report

Sunday, June 21, 2026

Daily Summary

AsyncRAT activity on 2026-06-21 shows 20 new samples, an 18% decline from the 7-day average of 24. While sample volume is moderate, a surge of 100 new C2 servers signals possible infrastructure expansion or rotation. The trend is declining overall, but the C2 count warrants attention.

New Samples Detected

The VBScript (.vbs) category led with 8 samples, followed by 7 executables (.exe). Unusual file types included one sample with the extension .78229344, likely a renamed or obfuscated payload, and one .scr file, a legacy screensaver executable often used for stealth. The .js (2) and .msi (1) samples suggest continued diversity in delivery payloads, though no single format dominates today.

C2 Infrastructure

100 new C2 servers were recorded today, a notable spike given the declining sample trend. This may indicate the threat actors are rotating or expanding their command infrastructure to evade blacklists rather than increasing attack volume. The discrepancy between sample count (down) and C2 count (up) could reflect a shift toward smaller, more targeted deployments with dedicated servers per victim.

IOC Highlights

120 new IOCs were documented today, covering IP addresses, domains, and file hashes. The high IOC-to-sample ratio (6:1) suggests each sample may be tied to multiple C2 endpoints or supporting infrastructure nodes. SOC teams should prioritize the newly observed C2 IPs over hashes, as the latter may change faster than the infrastructure.

Security Analysis

The inverse relationship between declining sample volume and rising C2 server count is atypical for AsyncRAT campaigns. Historically, C2 growth correlates with sample surges, suggesting today’s activity may represent a pre-deployment phase or a cleanup operation retiring old servers. Analysts should monitor for a catch-up spike in samples within 48-72 hours, as threat actors often prepare infrastructure before mass-distributing payloads. Recommendation: Block all new C2 IPs at the perimeter immediately, but retain behavioral detection for file-based samples, as the Infrastructure-as-a-Service model implies the IP list will shift before signatures stabilize.

Data Sources

- MalwareBazaar (abuse.ch)
- ThreatFox (abuse.ch)
- URLhaus (abuse.ch)
