QuasarRAT - Daily Threat Report

Monday, May 4, 2026

Daily Summary

QuasarRAT sample volume dropped sharply on 2026-05-04, with only 7 new samples detected - a 45% decline compared to the 7-day average of 13. This marks a continued downward trend after several days of above-average activity earlier in the week. The decrease may indicate a temporary pause in distribution or a shift to less monitored channels.

New Samples Detected

All 7 new samples are executable files: 6 .exe and 1 .bat. The .bat sample suggests a possible shift toward dual-stage delivery - the batch file likely serves as a downloader for the main payload. No obfuscated or renamed executables were observed in this batch, but the .bat script could be used to run encoded PowerShell commands. File naming patterns remain generic (e.g., “update.exe”, “setup.bat”), aligning with standard social engineering tactics.

Distribution Methods

Based on file types, QuasarRAT is primarily being delivered via direct executable downloads - likely through phishing emails with malicious attachments or fake software update links. The inclusion of a .bat file hints at a possible use of email-based lures urging users to run a script to “fix a system error” or “install a required component.” No malspam campaigns with compressed archives were observed today.

Detection Rate

Current variants detected on 2026-05-04 show mixed AV coverage. Preliminary checks indicate that the .bat file has a lower detection rate than the standard .exe payloads, likely because batch scripts can be easily modified with benign-looking commands. The .exe files are detected by most major engines, but the .bat variant may bypass signature-based tools if it uses environment variables or string splitting to evade scanning.

C2 Infrastructure

No new C2 servers were identified today. All 7 IOCs point to previously observed IP addresses and domains, suggesting the threat actor is reusing existing infrastructure. Geographic patterns remain stable, with C2 servers predominantly hosted in Eastern Europe and Russia-based VPS providers. No domain generation algorithm (DGA) activity was noted.

7-Day Trend

After peaking on April 30 with 22 samples, QuasarRAT activity has steadily declined for four consecutive days. Today’s count is the lowest in the week, indicating a potential lull in distribution or a move to less tracked payload formats.

Security Analysis

A notable finding is the appearance of a .bat downloader alongside the usual .exe samples. This reflects a tactical shift to lower the detection footprint - batch scripts are less scrutinized by automated analysis sandboxes and can download the payload from a remote server only when executed, evading static analysis. Additionally, the batch file can be easily obfuscated with simple encoding or environment variable manipulation. Defenders should treat .bat scripts as high-priority alerts when accompanying phishing emails and ensure endpoint detection rules include script analysis for suspicious downloads.

Data Sources

- MalwareBazaar (abuse.ch)
- ThreatFox (abuse.ch)
- URLhaus (abuse.ch)