QuasarRAT - Daily Threat Report

Sunday, May 31, 2026

Daily Summary

New QuasarRAT samples reached 14 on 2026-05-31, a 32% increase over the 7-day average of 11, continuing a rising trend in activity. The surge is driven primarily by .exe binaries (10 of 14). No new C2 servers were observed, which indicates existing infrastructure reuse or short-lived takedowns.

New Samples Detected

The sample composition shifted notably: .exe files accounted for 71% of all submissions (10/14), up from a typical split closer to 60% over the past week. Two .bat files were observed, suggesting low-sophistication dropper scripts remain in circulation, alongside a single .com file - a legacy format rarely used in QuasarRAT campaigns, possibly indicating an automated packing pipeline recycling old templates.

7-Day Trend

The 32% increase over the 7-day average exceeds the 25% threshold for deviation. This uptick is not tied to new C2 infrastructure (zero new servers detected) and likely reflects a repackaging wave, possibly tied to a phishing campaign currently distributing recompiled or runtime-packed variants to evade signature-based detection.

IOC Highlights

All 14 samples generated new file hashes as IOCs. No domains, IPs, or registry keys were identified, which aligns with QuasarRAT’s use of hardcoded or dynamically resolved C2 endpoints already on blocklists. Analysts should add these 14 file hashes to automated quarantine rules immediately.

Security Analysis

The absence of new C2 servers alongside a 32% sample surge suggests operators are reusing an established command network but rotating file hashes aggressively, consistent with “low-and-slow” infrastructure rotation to avoid bulk sinkholing. This pattern matches staged campaigns where initial access payloads are swapped frequently while the back-end remains stable. Defenders should prioritize behavioral detections (e.g., outbound beaconing on non-standard ports, scheduled task persistence) over static hash-based rules, as hash churn will outpace signature updates. Consider enabling application whitelisting in environments with high QuasarRAT exposure to block unapproved .exe and .bat execution at the host level.

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
