Daily Summary
As of 2026-06-28, 30 new AsyncRAT samples were identified, representing a 27% increase over the 7-day average of 24 samples. This marks the third consecutive day of rising activity, driven primarily by script-based delivery formats.
New Samples Detected
The file type distribution today shows a notable shift away from traditional executables. PowerShell scripts (9 samples) and JavaScript files (8 samples) together account for over 56% of all detections, against a historical average of 38% for these formats. A single sample carrying a .21412187 extension suggests unconventional file masking, possibly aimed at environments with strict .exe execution policies. VBS samples (3) remain a secondary vector, and the lone .zip points to container-based delivery, which may be more prevalent on weekends.
7-Day Trend
The 27% surge above the 7-day average is significant but not anomalous. However, the sustained increase over the past three days aligns with patterns observed during the initial stages of phishing campaigns targeting European manufacturing sectors in Q2 2026. The volume is not yet at critical levels (peaks of 50+ daily samples have been seen in past campaigns), but the upward trajectory warrants monitoring.
C2 Infrastructure
100 new C2 servers were detected today, a marked increase from the recent daily average of 65-75. This expansion may indicate either a fresh deployment rotation or a campaign preparing for wider distribution. No geographic clustering is confirmed at this time, but historical correlations suggest that a rise in C2 server count often precedes a 48-72 hour surge in sample submissions.
IOC Highlights
Of the 130 new IOCs recorded, the most immediately actionable are the 100 C2 domains/IPs and the .21412187 extension sample. Analysts should prioritize detecting and blocking the script-based delivery vectors (powershell.exe and wscript.exe spawning anomalous child processes) over domain-based blocking, since the C2 infrastructure is expected to rotate quickly.
Security Analysis
Today’s sample composition, heavy on scripts and light on executables, mirrors the initial phase of the “ShadyEx” campaign from early 2026, in which AsyncRAT was distributed via .js attachments masquerading as invoice PDFs. However, the absence of signed PowerShell scripts in today’s haul suggests the operator may be targeting environments with PowerShell logging disabled, a tactic less often seen in corporate breaches. Defensive teams should immediately enable and monitor Script Block Logging in PowerShell 5.1+ environments, as it captures the deobfuscation phase of the infection chain and so provides earlier detection than signature-based scanning of the final payload.
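The script-host process chains and odd file extensions called out in IOC Highlights and Security Analysis, as added example detection logic that is not part of the original summary, run over constructed Sysmon-style process-creation records. The field names, the benign-child baseline and the sample paths are assumptions.

```python
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
EXPECTED_CHILDREN = {"conhost.exe"}  # assumed benign baseline; tune per estate
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "ps1"}

def image_name(path):
    return PureWindowsPath(path).name.lower()

def has_encoded_flag(cmdline):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...)."""
    for tok in cmdline.split():
        name = tok[1:].lower()
        if tok[:1] in "-/" and name.startswith("e") and "encodedcommand".startswith(name):
            return True
    return False

def argument_findings(cmdline):
    """Odd extensions on any argument: purely numeric (.21412187) or document-then-script (.pdf.js)."""
    out = []
    for tok in cmdline.replace('"', " ").split():
        parts = tok.lower().rsplit(".", 2)
        if len(parts) >= 2 and parts[-1].isdigit() and len(parts[-1]) >= 6:
            out.append(f"numeric extension .{parts[-1]}")
        if len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in SCRIPT_EXTS:
            out.append(f"document-lookalike script .{parts[1]}.{parts[2]}")
    return out

def classify(event):
    """Return the reasons an event looks like script-based loader activity ([] if none)."""
    parent, child = image_name(event["ParentImage"]), image_name(event["Image"])
    cmd = event.get("CommandLine", "")
    reasons = [f"{parent} spawned {child}"] if parent in SCRIPT_HOSTS and child not in EXPECTED_CHILDREN else []
    if child == "powershell.exe" and has_encoded_flag(cmd):
        reasons.append("encoded PowerShell command line")
    return reasons + argument_findings(cmd)

def scan(events):
    """ProcessId -> reasons, for every event with at least one finding."""
    return {e["ProcessId"]: r for e in events if (r := classify(e))}

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 101, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\invoice_4471.pdf.js"'},
    {"ProcessId": 102, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"},
    {"ProcessId": 103, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0x4"},
    {"ProcessId": 104, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start C:\Users\u\AppData\Local\Temp\update.21412187"},
]
```

Calling scan(SAMPLE_EVENTS) flags 101, 102 and 104 and leaves the benign conhost.exe launch (103) alone; the numeric-extension threshold and the child baseline are the knobs to tune against local false positives.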