QuasarRAT - Daily Threat Report

Saturday, May 2, 2026

Daily Summary

QuasarRAT activity is declining, with 8 new samples recorded today, 39% below the 7-day average of 13. This marks a notable drop from recent levels, suggesting either a campaign pause or shift to alternative delivery methods.

New Samples Detected

The sample set is dominated by .exe files (5 of 8), with .msi (2) and .bat (1) rounding out the distribution. Notably, no packed or obfuscated executables were identified, indicating the operator may be relying on low-effort, direct delivery rather than complex evasion techniques. The absence of .vbs or .js scripts suggests a departure from common dropper patterns seen in previous QuasarRAT campaigns.

Distribution Methods

Delivery appears to be via direct executable downloads, likely through phishing attachments or hosted files. The presence of .msi files hints at potential use of software bundle installers or update impersonation campaigns. The single .bat file indicates possible manual execution in environments lacking PowerShell restrictions, though this is a minority approach.

Detection Rate

Detection rates for current QuasarRAT variants remain moderate, with most AV engines flagging the static .exe samples. However, the .msi samples may achieve lower detection rates because installer packages are trusted in many enterprise environments. The lack of obfuscation in today’s samples reduces evasion risk, but SOC teams should verify coverage for MSI-based delivery.

C2 Infrastructure

No new C2 servers were discovered today, and 0 new server IPs or domains were added to the tracker. This suggests the operator may be reusing existing infrastructure or operating from a smaller, stable pool of servers. No geographic patterns are evident due to the absence of new servers.

7-Day Trend

Activity is clearly cooling down: after averaging 13 samples per day over the past week, today’s count of 8 extends a steady decline observed since April 30. Operators may be rotating campaigns or testing alternative RATs.

Security Analysis

The shift toward .msi files is a notable behavioral change for QuasarRAT, traditionally delivered via .exe or script-based droppers. This may represent an attempt to bypass user account control prompts and antivirus scans by masquerading as legitimate installer processes. Defenders should enable MSI execution auditing (Event ID 1033) and monitor for QuasarRAT-specific registry persistence keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run during MSI installation events.
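
One way to run the check recommended above, as an added PowerShell example that is not part of the original report: it lists HKLM Run entries whose target file was created close to an MSI installation recorded as Event ID 1033 (MsiInstaller provider, Application log). The 24-hour lookback and 10-minute correlation window are assumptions chosen for illustration.

```powershell
# Added example, not from the report. Lookback and window values are assumptions.
$lookback  = (Get-Date).AddHours(-24)   # how far back to read install events
$windowMin = 10                         # max gap between install and file creation
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Event 1033 from the MsiInstaller provider (Application log) records each
# completed product installation, including product name and status.
$installs = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033
    StartTime = $lookback
} -ErrorAction SilentlyContinue

$key = Get-Item -LiteralPath $runKey
$findings = foreach ($name in $key.GetValueNames()) {
    $cmd = [string]$key.GetValue($name)   # REG_EXPAND_SZ is expanded by default

    # Pull the executable path out of the command line (quoted or unquoted).
    if ($cmd -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($cmd -match '^\s*(.+?\.exe)') { $path = $Matches[1] }
    else { $path = ($cmd.Trim() -split '\s+')[0] }
    if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    foreach ($ev in $installs) {
        # Flag autoruns whose binary appeared within the window of an install.
        $gap = [math]::Abs(($file.CreationTime - $ev.TimeCreated).TotalMinutes)
        if ($gap -le $windowMin) {
            [pscustomobject]@{
                RunValue     = $name
                Command      = $cmd
                FileCreated  = $file.CreationTime
                Signature    = $sig.Status
                InstallTime  = $ev.TimeCreated
                InstallEvent = ($ev.Message -split "`n")[0].Trim()
            }
        }
    }
}
$findings | Sort-Object InstallTime | Format-List
```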

Further Reading

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
