QuasarRAT - Daily Threat Report

Monday, April 27, 2026

Daily Summary

QuasarRAT sample submissions surged to 15 today, a 94% increase over the 7-day average of 8. This marks the third consecutive day of above-average activity, suggesting an active campaign phase. No new C2 servers were observed, but 15 fresh IOCs were generated from today’s samples.

New Samples Detected

Today’s 15 samples show an even split between executables and PowerShell scripts—5 each, or 67% of the total. Two MSI installers, two batch files, and one VBScript round out the set. This roughly 50/50 binary-to-script ratio is a sharp departure from the 7-day norm, where executables typically accounted for 70-80% of samples. The uptick in PowerShell scripts suggests attackers are testing fileless delivery vectors, possibly to bypass application whitelisting or AV scans. Naming patterns appear randomized, with no common themes.

Distribution Methods

The file type distribution indicates a hybrid delivery approach. The 5 .ps1 files and 2 .bat files point to phishing emails with links to script hosts or attached scripts disguised as invoices or reports. The 5 .exe and 2 .msi files suggest secondary droppers or bundled installers, potentially hosted on compromised websites or file-sharing services. The single .vbs file may be used as a launcher in email macros. This mix of script-first and executable payloads mirrors recent QuasarRAT campaigns targeting logistics and manufacturing sectors.

Detection Rate

Based on current IOC submissions, detection across major AV engines remains moderate—most signature-based engines flag common QuasarRAT variants, but the script-based samples (especially .ps1 and .bat) show lower detection rates. The 5 PowerShell samples likely employ obfuscation (e.g., Base64 encoding, variable renaming) to evade AMSI and static analysis. Defenders should prioritize behavioral detection for PowerShell execution with network callbacks.

C2 Infrastructure

No new C2 servers were identified today, and no geographic patterns emerged. All 15 IOCs are likely associated with existing C2 infrastructure used in ongoing campaigns. The absence of new servers may indicate operators reusing stable infrastructure or shifting to decentralized hosting (e.g., cloud services or CDNs) that evades easy attribution.

7-Day Trend

Today’s spike to 15 samples is the week’s highest single-day count, following a gradual climb from 5-7 daily samples early in the week. Activity is clearly ramping up, not cooling down, suggesting an active campaign phase.

Security Analysis

A notable shift today is the near-equal use of PowerShell scripts and executables—a tactic typically associated with initial access rather than persistence. This suggests QuasarRAT operators may be combining phishing with living-off-the-land binaries (LOLBins) to reduce file-based artifacts. Actionable recommendation: monitor for PowerShell executions that connect to external IPs on port 443 or 8080, and restrict PowerShell execution policy to signed scripts via Group Policy in critical environments.
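As an added example that is not part of the report, the monitoring recommendation above written as a correlation rule: it pairs PowerShell process starts with their outbound connections and flags external destinations on 443 or 8080, also noting whether the command line used the Base64 switch the Detection Rate section mentions. The Sysmon-style field names, the internal address ranges and the sample events are all constructed assumptions, not data from the report.

```python
"""Flag PowerShell processes that call back to external hosts on 443/8080.
Events are constructed in a Sysmon-like shape (EventID 1 = process create,
EventID 3 = network connect); the field names are assumptions."""
import ipaddress
import re

WATCHED_PORTS = {443, 8080}
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
ENCODED_FLAG = re.compile(r"(?i)\s-e(nc(odedcommand)?)?\s")  # -e, -enc, -EncodedCommand
# Constructed internal ranges; a real deployment would list its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not indicators from the report.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "A1", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"EventID": 3, "ProcessGuid": "A1", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "B2", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"EventID": 3, "ProcessGuid": "B2", "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "C3", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe"},
    {"EventID": 3, "ProcessGuid": "C3", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "A1", "DestinationIp": "203.0.113.10", "DestinationPort": 22},
]

def is_external(ip):
    """True unless the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_powershell_callbacks(events):
    """(ProcessGuid, ip, port, used_encoded_flag) per external PowerShell callback on a watched port."""
    procs = {}  # ProcessGuid -> command line, PowerShell starts only
    for ev in events:
        if ev["EventID"] == 1 and ev["Image"].lower().endswith(POWERSHELL_IMAGES):
            procs[ev["ProcessGuid"]] = ev["CommandLine"]
    hits = []
    for ev in events:
        if ev["EventID"] != 3 or ev["ProcessGuid"] not in procs:
            continue  # not a connection, or not made by PowerShell
        if ev["DestinationPort"] in WATCHED_PORTS and is_external(ev["DestinationIp"]):
            encoded = bool(ENCODED_FLAG.search(procs[ev["ProcessGuid"]]))
            hits.append((ev["ProcessGuid"], ev["DestinationIp"], ev["DestinationPort"], encoded))
    return hits

if __name__ == "__main__":
    for guid, ip, port, enc in find_powershell_callbacks(EVENTS):
        print(f"ALERT {guid}: PowerShell -> {ip}:{port}" + (" (encoded command)" if enc else ""))
```

Only the first process trips the rule: the internal 443 connection, the browser's connection and the non-watched port are all ignored.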

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
