Daily Summary
QuasarRAT sample volume remained stable on 2026-04-25 with 5 new samples, matching the 7-day average of 5. Activity is unchanged from recent days, with no notable spike or drop in submissions. No new C2 servers were observed, which is consistent with continued reuse of existing campaign infrastructure.
New Samples Detected
The 5 samples split between executables (.exe, 2) and scripts (.ps1, 2; .vbs, 1), so scripting file types account for a majority of the day's submissions. This is a notable shift from previous weeks, when .exe dominated. The inclusion of two PowerShell scripts and one VBS file suggests operators are diversifying delivery payloads, likely to evade static, file-hash and signature-based detections that are tuned to compiled binaries.
Distribution Methods
Today's file type distribution points to layered delivery: the .exe files are likely compiled loaders or droppers, while the scripting files (PowerShell and VBS) are typically delivered as phishing attachments (often inside archives) or dropped by macro-enabled documents. This pattern aligns with campaigns that use email lures to run a script-based stager which downloads and launches the QuasarRAT payload.
Detection Rate
Current signature-based detection for QuasarRAT remains moderate, though the shift to scripting payloads may reduce initial detection rates for the .ps1 and .vbs variants, since obfuscated scripts are easy to mutate and static AV engines often miss them. Runtime and behavioral detection is therefore critical for these samples: AMSI scanning of script content as it is executed, PowerShell script block logging, and detection of the process injection that the loader performs once it runs.
C2 Infrastructure
No new C2 domains or IP addresses were identified today. This absence suggests existing infrastructure is being reused, or operators are rotating through previously observed servers. No geographic clustering is apparent from current data.
7-Day Trend
QuasarRAT activity has been steady over the past week, with daily sample counts oscillating between 4 and 6. No ramping up or cooling down is evident; the threat is maintaining a consistent, low-volume presence.
Security Analysis
A noteworthy observation is the deliberate pivot to scripting payloads alongside traditional executables. This hybrid approach increases operational flexibility and complicates detection. Defenders should prioritize email security rules that block script attachments (.ps1, .vbs), including inside archives, and restrict PowerShell from running remote or unsigned content; note that the PowerShell execution policy is not a security boundary and is trivially bypassed, so enforce this with AppLocker or WDAC script rules and Constrained Language Mode, backed by script block logging. Additionally, monitor for outbound connections to ports 4782 or 8080, common for QuasarRAT C2 traffic; 4782 is the Quasar builder's default and is a strong signal on its own, whereas 8080 is shared with legitimate proxy traffic and should be correlated with the initiating process (for example powershell.exe or wscript.exe), and operators can change the port, so treat port matches as one indicator rather than a complete detection. Blocking .vbs execution via Group Policy, for example with an AppLocker script rule or by reassigning the .vbs file association away from wscript.exe, is an actionable first step to reduce this family's infection surface.
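As an added worked example (not part of the original summary or of any QuasarRAT tooling), the following Python hunt applies the port and script-host guidance above, and the C2 pivot from the infrastructure section, to network-connection telemetry. It assumes a simplified key=value record layout modelled on Sysmon Event ID 3 (an assumption: real telemetry will differ), and the sample events are constructed, using documentation IP ranges. Port 4782 is treated as high confidence regardless of process, port 8080 only when a script host initiates the connection, and only outbound (initiated=true) events are considered.

```python
"""Hunt for QuasarRAT-style beaconing in network-connection events.

Added example for this summary; the record format below is an assumption
modelled on Sysmon Event ID 3, not a format taken from the page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Ports the summary names as common for QuasarRAT C2. 4782 is the Quasar
# builder default; 8080 is shared with legitimate proxies, so it is only
# flagged when a script host initiates the connection.
HIGH_CONFIDENCE_PORTS = {4782}
CONTEXT_PORTS = {8080}

# Script hosts that run the .ps1/.vbs payloads discussed above.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events (not real telemetry). Values may contain spaces.
SAMPLE_EVENTS = """\
ts=2026-04-25T08:01:12Z host=WS01 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=203.0.113.10 dport=4782 initiated=true
ts=2026-04-25T08:02:40Z host=WS01 image=C:\\Program Files\\Browser\\browser.exe dst=198.51.100.5 dport=8080 initiated=true
ts=2026-04-25T08:03:05Z host=WS02 image=C:\\Windows\\System32\\wscript.exe dst=203.0.113.22 dport=8080 initiated=true
ts=2026-04-25T08:04:30Z host=WS03 image=C:\\Users\\u\\AppData\\Local\\Temp\\update.exe dst=203.0.113.10 dport=4782 initiated=true
ts=2026-04-25T08:05:00Z host=WS03 image=C:\\Windows\\System32\\svchost.exe dst=10.0.0.1 dport=443 initiated=true
ts=2026-04-25T08:05:31Z host=WS02 image=C:\\Windows\\System32\\cscript.exe dst=203.0.113.22 dport=4782 initiated=false
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    process: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value record on spaces that start a new key, so values
    such as 'C:\\Program Files\\...' survive intact."""
    fields: Dict[str, str] = {}
    for token in re.split(r" (?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert for outbound connections matching the QuasarRAT indicators."""
    if event.get("initiated") != "true":  # inbound/listening sockets are out of scope
        return None
    dport = int(event["dport"])
    process = event["image"].rsplit("\\", 1)[-1].lower()
    is_script_host = process in SCRIPT_HOSTS
    if dport in HIGH_CONFIDENCE_PORTS:
        severity, reason = "high", f"outbound connection to Quasar default port {dport}"
    elif dport in CONTEXT_PORTS and is_script_host:
        severity, reason = "medium", f"script host {process} connecting to port {dport}"
    else:
        return None
    return Alert(event["ts"], event["host"], process, event["dst"], dport, severity, reason)


def hunt(log_text: str) -> List[Alert]:
    """Run classify() over every non-empty record in the log."""
    return [a for line in log_text.splitlines() if line.strip()
            for a in [classify(parse_event(line))] if a is not None]


def c2_candidates(alerts: List[Alert]) -> Set[str]:
    """Destinations reached by high-confidence alerts; a destination shared by
    several hosts is a candidate C2 server to pivot on."""
    return {f"{a.dst}:{a.dport}" for a in alerts if a.severity == "high"}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.ts} {a.host} {a.process} -> {a.dst}:{a.dport} ({a.reason})")
    print("C2 candidates:", sorted(c2_candidates(found)))
```

On the constructed input this yields three alerts (WS01 and WS03 to 203.0.113.10:4782 at high severity, WS02's wscript.exe to port 8080 at medium) and ignores the browser's proxy traffic on 8080 and the non-initiated cscript.exe socket. Two hosts sharing the same high-confidence destination is the pivot to apply against the C2 list when new infrastructure does appear.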