QuasarRAT - Daily Threat Report

Sunday, May 10, 2026

Daily Summary

QuasarRAT sample volume hit 11 new samples, surpassing the 7-day average of 9 by 18%. This marks a notable surge, driven primarily by executable-based payloads, with a single .bat file indicating a possible shift or isolated test in delivery methods.

New Samples Detected

All but one of the 11 new samples are PE32 executables (.exe); the remaining sample is a batch (.bat) script. The .bat file suggests a “living off the land” approach for initial execution, potentially as a downloader or launcher for the main RAT. No new packaging or obfuscation patterns were observed; the samples appear to be standard compiled QuasarRAT binaries without significant anti-analysis modifications.

Distribution Methods

The .exe files are likely delivered via phishing emails with weaponized attachments or hosted on compromised domains. The .bat file indicates an alternative delivery vector, such as a script dropped via exploit kit or social engineering. The lack of a dominant file type shift suggests continued reliance on email campaigns with minimal innovation.

Detection Rate

Current AV detection for these QuasarRAT variants remains moderate, with most static signatures still effective. However, the .bat script may evade file scanners if it invokes PowerShell inline or deobfuscates its payload at runtime. New builds without heavy obfuscation might still slip past weaker endpoint protections.

C2 Infrastructure

No new C2 servers were logged today. This suggests the attackers are reusing existing infrastructure or that samples are connecting to hardcoded, previously known IPs or domains. A stable C2 footprint may indicate a controlled campaign rather than a mass outbreak.

7-Day Trend

Activity is trending 18% above the weekly average, signaling a possible campaign ramp-up. The spike warrants closer monitoring over the next 48 hours to confirm whether this is an anomaly or the start of a sustained increase.

Security Analysis

The inclusion of a .bat file is unusual for QuasarRAT, which typically relies on .exe payloads. This could represent an attempt to bypass application-allowlisting policies that block executables but not scripts. Defenders should audit script execution policies and monitor for suspicious .bat launches from user directories, as these scripts often download the main RAT binary or call out to C2. Recommended action: enable PowerShell script block logging and block .bat file execution from non-allowlisted directories via AppLocker or similar controls.
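A triage filter for the monitoring recommended above, added here as an illustration and not part of the original report: it scans process-creation records shaped like Windows Event ID 4688 fields for .bat files launched from a user profile and for PowerShell spawned by cmd.exe with hidden/encoded switches. The events, paths and the base64 placeholder are constructed for the example.

```python
import re

# Constructed process-creation records shaped like Event ID 4688 fields.
# Illustrative only; not telemetry from the report.
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\invoice_2026.bat"'},
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /c C:\ProgramData\Backup\nightly.bat"},
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -EncodedCommand QUJD"},  # placeholder base64
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# A .bat path under a user profile (C:\Users\<name>\...); case-insensitive, tolerates quoting.
USER_BAT = re.compile(r"""[A-Za-z]:\\Users\\[^\\"']+\\[^"']*?\.bat\b""", re.IGNORECASE)
# PowerShell switches typical of script-launched downloaders. Each is benign on its own;
# two or more together with a cmd.exe parent merit a closer look.
PS_FLAGS = re.compile(r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?)\b",
                      re.IGNORECASE)

def bat_from_user_dir(cmdline: str) -> bool:
    """True when the command line references a .bat file inside a user profile directory."""
    return USER_BAT.search(cmdline) is not None

def powershell_launched_by_script(event: dict) -> bool:
    """True for powershell.exe spawned by cmd.exe with at least two suspicious switches."""
    parent_is_cmd = event["ParentProcessName"].lower().endswith("\\cmd.exe")
    is_ps = event["NewProcessName"].lower().endswith("\\powershell.exe")
    return is_ps and parent_is_cmd and len(PS_FLAGS.findall(event["CommandLine"])) >= 2

def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, reason) for every event matching a .bat-delivery pattern."""
    hits = []
    for i, ev in enumerate(events):
        if bat_from_user_dir(ev["CommandLine"]):
            hits.append((i, "bat_from_user_dir"))
        elif powershell_launched_by_script(ev):
            hits.append((i, "powershell_from_cmd"))
    return hits

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The ProgramData batch job and the explorer-launched .ps1 are left alone, which is the point: the filter keys on location and parent process rather than on the file extension alone.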

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
