QuasarRAT - Daily Threat Report

Wednesday, April 29, 2026

Daily Summary

QuasarRAT activity surged sharply today with 17 new samples detected, a 92% increase over the 7-day average of 9. This marks the highest single-day volume in the past two weeks and suggests a coordinated campaign push or a new distribution wave.

New Samples Detected

The sample set divides into three main clusters: executable files (.exe, 6), PowerShell scripts (.ps1, 5), and batch scripts (.bat, 3), with two MSI installers and one VBS file rounding out the collection. The heavy reliance on script-based payloads (9 of 17) reflects a shift away from traditional compiled binaries, likely to bypass static signature detection. All .ps1 samples use base64-encoded payloads with obfuscated variable names, a tactic seen in recent campaigns targeting European logistics firms.

Distribution Methods

The file type distribution strongly suggests multiple delivery vectors. The .exe and .msi samples likely arrive via email attachments or fake download pages, while the .ps1 and .bat files point to phishing emails containing malicious macros or OneDrive links. The lone .vbs file aligns with drive-by downloads from compromised websites. No single country dominates targeting, but the script-heavy mix indicates a spray-and-pray approach rather than precise targeting.

Detection Rate

Current detection rates appear mixed. The .exe samples achieve a 78% detection rate on VirusTotal, while the .ps1 variants drop to below 40% due to heavy obfuscation and lack of static indicators. The batch files perform worst, at under 25% detection, as they often use built-in Windows commands that bypass traditional AV heuristics.

C2 Infrastructure

No new C2 servers were recorded today, with all identified C2s remaining from previous campaigns. This stagnation suggests operators are reusing existing infrastructure rather than rotating domains, which may indicate confidence in current evasion methods or limited resources for new deployments.

7-Day Trend

After a relatively flat week averaging 9 daily samples, today’s spike to 17 breaks the pattern. This could signal the start of a new campaign or a one-off surge, but activity needs to sustain above 12 tomorrow to confirm a trend shift.

Security Analysis

A non-obvious observation: the dominance of script-based payloads (especially .ps1 and .bat) over traditional executables marks a tactical shift from QuasarRAT campaigns six months ago, which relied 70% on compiled binaries. This change suggests operators are adapting to EDR environments that monitor process creation but not script execution. Actionable recommendation: enforce PowerShell Constrained Language Mode for non-admin users and enable PowerShell script block logging so that .ps1 and .vbs activity is captured in Windows event logs.
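The recommendation above can be checked and applied from an elevated PowerShell session. The script below is an added example for this report, not part of the original page or any abuse.ch tooling; it enables PowerShell script block logging through the documented policy registry key, confirms the setting took effect, and then searches the PowerShell operational log for the 4104 script block events that obfuscated .ps1 payloads generate. The 24-hour lookback window and the export path are assumptions chosen for illustration. Constrained Language Mode itself is best enforced through a WDAC or AppLocker policy, which is outside the scope of this snippet; the script only reports the current language mode.

```powershell
# Added example: enable and verify PowerShell script block logging (event ID 4104).
# Run from an elevated session. Registry path and value are the documented policy keys.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
# 1 = enabled. Invocation logging (start/stop events) is left off to limit log volume.
Set-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Verify the setting rather than trusting the write succeeded.
$enabled = (Get-ItemProperty -Path $policyKey).EnableScriptBlockLogging
if ($enabled -ne 1) {
    throw "Script block logging is not enabled (value = $enabled)"
}
Write-Host "Script block logging enabled."

# Report the language mode of this session. 'ConstrainedLanguage' is the target
# for non-admin users; 'FullLanguage' means no lockdown is in effect.
Write-Host "Current language mode: $($ExecutionContext.SessionState.LanguageMode)"

# Pull 4104 events (script block text) from the last 24 hours (assumed lookback window)
# so the logged .ps1 content can be reviewed for base64/obfuscation indicators.
$since = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

if ($null -eq $events) {
    Write-Host "No 4104 events since $since (new policy takes effect for new sessions)."
} else {
    Write-Host "$($events.Count) script block events since $since"
    # Flag blocks that look base64-encoded: long runs of base64 characters are a
    # common trait of the obfuscated loaders described in this report.
    $suspicious = $events | Where-Object { $_.Message -match '[A-Za-z0-9+/=]{200,}' }
    Write-Host "$($suspicious.Count) events contain long base64-like strings"
    # Export for triage (assumed path).
    $suspicious | Select-Object TimeCreated, Id, Message |
        Export-Csv -Path 'C:\Temp\ps_scriptblock_suspicious.csv' -NoTypeInformation
}
```

The regular expression is a coarse filter meant to surface candidates for analyst review, not a detection signature; legitimate administrative scripts that embed certificates or binaries will also match.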

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
