QuasarRAT - Daily Threat Report

Tuesday, April 28, 2026

Daily Summary

QuasarRAT activity surged today with 15 new samples, an 81% increase over the 7-day average of 8. This marks a notable escalation after several days of moderate, below-average counts earlier in the week.

New Samples Detected

The two largest categories are equal in size: executable files (5 .exe) and PowerShell scripts (5 .ps1), followed by smaller counts of MSI installers (2), batch files (2), and VBScript (1). This distribution indicates a deliberate shift toward script-based delivery alongside traditional executables, possibly to evade static analysis that focuses on PE files. No new naming patterns were observed, but the increased .ps1 share suggests attackers are leveraging living-off-the-land (LOLBAS) techniques to load the RAT in memory.

Distribution Methods

File types point to multi-vector delivery. The .exe and .msi samples likely arrive via email attachments or fake software downloads, while the .ps1, .bat, and .vbs files are consistent with phishing campaigns that include malicious macros or links to hosted scripts. The absence of .doc or .pdf files today suggests attackers are shifting away from macro-enabled Office documents toward more native scripting methods, which may bypass email attachment filters.

Detection Rate

Current AV detection for QuasarRAT remains generally high, but the script-heavy variants may have slightly lower detection rates. PowerShell payloads that use obfuscation or load the RAT in an encrypted form can evade signature-based checks. SOC teams should prioritize behavioral detection rules for PowerShell spawning network connections or writing executables.

C2 Infrastructure

No new C2 servers were observed today, indicating that attackers are recycling existing infrastructure. All 15 new IOCs are tied to known C2 endpoints, suggesting sustained use of previously established channels rather than expansion.

7-Day Trend

After a quiet start to the week with only 4-6 daily samples, activity has climbed sharply and now sits well above the running average. This spike suggests a new campaign push or an automated distribution cycle, but it remains to be seen whether it will be sustained or revert to earlier levels.

Security Analysis

Today’s shift toward script-based payloads is notable because QuasarRAT has historically relied on compiled executables. The equal split between .exe and .ps1 indicates the threat actor may be testing script delivery for lower detection rates. Additionally, the lack of new C2 servers suggests they trust existing channels, possibly using domain fronting or fast flux to maintain persistence. Defensive recommendation: enable PowerShell script block logging and monitor for common QuasarRAT network patterns (e.g., periodic check-ins to non-standard ports, base64-encoded traffic).

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)