QuasarRAT - Daily Threat Report

Friday, May 1, 2026

Daily Summary

QuasarRAT activity remains stable with 14 new samples collected today, slightly exceeding the 7-day average of 12 by 15%. This marginal uptick does not represent a significant surge but indicates sustained operational tempo by threat actors distributing this remote access trojan.

New Samples Detected

Executables dominate today’s collection at 6 samples, followed by 3 batch scripts (.bat), 3 PowerShell scripts (.ps1), and 2 Windows Installer packages (.msi). The distribution across multiple script and installer formats suggests actors are diversifying delivery to bypass application control policies that block .exe files. The presence of .ps1 and .bat files indicates continued reliance on script-based initial execution phases, likely leveraging LOLBins to evade detection.

Distribution Methods

Today’s file type mix points to phishing campaigns and software bundling as primary vectors. The 3 .ps1 samples align with recent patterns of email attachments containing PowerShell one-liners that download the RAT payload in memory. The 2 .msi files may represent disguised installer packages distributed via fake download sites or torrent platforms. No new exploit kits or drive-by download activity was observed.

Detection Rate

Current QuasarRAT variants maintain moderate detection rates across major AV engines, with signature-based tools catching most .exe samples but showing reduced efficacy against script-based variants. The .ps1 and .bat files likely employ obfuscation or reflection techniques that delay static analysis, resulting in lower initial detection at time of delivery.

C2 Infrastructure

No new C2 servers were detected today, indicating threat actors are reusing existing infrastructure rather than cycling domains. This lack of churn may suggest operators are comfortable with current C2 reliability or have limited resources for rotation. No geographic clustering was observed in C2 IPs.

7-Day Trend

Activity over the past week has been steady with daily sample counts fluctuating between 9 and 17, averaging 12. Today’s count of 14 falls within this range, confirming no escalation or decline in QuasarRAT distribution.

Security Analysis

A notable behavior shift is the increased use of .msi files for delivery, which may exploit Windows Installer’s trusted status to bypass user account control prompts. Historically, QuasarRAT relied heavily on .exe or .vbs payloads. This pivot suggests operators are testing stealthier delivery methods that blend into legitimate software installations. Actionable recommendation: Enable AppLocker or WDAC rules to block unsigned MSI installation from non-enterprise sources, and monitor Event ID 1033 (MSI install) for unusual installer activity originating from user download folders or email attachments.
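One way to act on the monitoring recommendation above, as an added example that is not part of the original report: a PowerShell script that pulls MsiInstaller events from the Application log and flags installs whose package path sits in a user's Downloads folder or another drop location. It assumes Event ID 1033 (product installed) as named above, plus Event ID 1040 (Windows Installer transaction begun, whose message carries the .msi path); the suspect-path patterns are an assumption to adjust per environment.

```powershell
# Added example (not from the report): flag MSI installs launched from user
# download or temp folders, per the recommendation above.
# Assumptions: Application log, provider 'MsiInstaller'; ID 1040 = transaction
# begun (message carries the .msi path), ID 1033 = product installed.
param(
    [int]$Hours = 24,
    [string[]]$SuspectPathPatterns = @(
        '\\Users\\[^\\]+\\Downloads\\',          # user download folder
        '\\AppData\\Local\\Temp\\',              # common attachment/extract location
        '\\Content\.Outlook\\'                   # Outlook attachment cache
    )
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1033, 1040
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Extract the package path from each 1040 "Beginning a Windows Installer transaction: <path>." event.
$begins = foreach ($e in ($events | Where-Object Id -eq 1040)) {
    if ($e.Message -match 'transaction:\s+(?<path>.+?\.ms[ip])') {
        [pscustomobject]@{ Time = $e.TimeCreated; Path = $Matches.path; Computer = $e.MachineName }
    }
}

# Keep only transactions whose package path matches a suspect location.
$findings = $begins | Where-Object {
    $p = $_.Path
    ($SuspectPathPatterns | Where-Object { $p -match $_ } | Select-Object -First 1)
}

# Pair each finding with the next 1033 event so the installed product name is visible to the analyst.
foreach ($f in $findings) {
    $done = $events | Where-Object { $_.Id -eq 1033 -and $_.TimeCreated -ge $f.Time } |
            Sort-Object TimeCreated | Select-Object -First 1
    $product = '(no 1033 seen)'
    if ($done -and $done.Message -match 'Product Name:\s+(?<n>.+?)\.\s') { $product = $Matches.n }
    [pscustomobject]@{
        Computer  = $f.Computer
        Started   = $f.Time
        Package   = $f.Path
        Product   = $product
        Completed = if ($done) { $done.TimeCreated } else { $null }
    }
}
```

Run it on an endpoint or via remoting; any row returned is an MSI install that started from a download or attachment location and warrants a look at the package and its signer.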

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)