Daily Summary
QuasarRAT activity surged on 2026-05-17 with 25 new samples, a 182% increase over the 7-day average of 9. This marks the highest single-day volume in the current monitoring window. Analysts should prioritize triage of these samples, as the spike suggests an active distribution campaign.
New Samples Detected
All 25 new samples were delivered as .exe files, with a single .js outlier. This is a significant shift from recent weeks, when composite payloads (e.g., .iso containers or .lnk files) were more common. The exclusive use of .exe suggests either a simplified delivery chain or a targeted campaign that favors running the executable directly.
7-Day Trend
Today’s 25 samples represent a 182% deviation from the 7-day average of 9, well above the 25% threshold for flagging. The past three days averaged 6-8 samples, so today’s spike is abrupt rather than part of a gradual increase. This pattern is consistent with an episodic “blast” campaign rather than persistent low-level propagation.
IOC Highlights
All 25 samples have been logged as new IOCs, with no overlap with historical QuasarRAT hashes. This is notable for a tool whose compiled binaries are often reused; the absence of repeated hashes suggests either a fresh builder release or intentional per-sample obfuscation. Analysts should feed these IOCs into blocking rules immediately.
Security Analysis
The exclusive use of .exe files today, without the .vbs or .iso wrappers seen in recent QuasarRAT campaigns (e.g., the “Finance Invoice” drive in April 2026), indicates a shift in delivery tactics. This may reflect the threat actor’s attempt to bypass email attachment filters that now block script- and container-based payloads. Defensive teams should ensure email gateways also scan .exe files for signature-based and behavioral indicators of QuasarRAT, particularly in geographic regions not typically targeted by this family.