Daily Summary
QuasarRAT activity rose sharply on 2026-06-14 with 15 new samples detected, a 36% increase over the 7-day average of 11. The surge consists entirely of new sample hashes (11 executables plus four files carrying other extensions); no new C2 infrastructure and no change in geographic targeting were recorded that would otherwise explain the uptick.
7-Day Trend
Today's 15 samples sit 36% above the 7-day average of 11, which qualifies as a notable surge. The file-type breakdown is dominated by 11 .exe specimens, with the remaining four carrying other extensions (.27172, .10672, .29524, .xlsm). That spread could indicate a single actor testing new builds or several groups independently pushing QuasarRAT variants; note, however, that the numeric extensions may simply reflect how the feed names samples rather than how the files were delivered, so confirm the original filenames before reading too much into the mix. The absence of new C2 servers (0) alongside the volume increase indicates existing infrastructure is being reused, which may mean the operators are confident their current setup remains undetected, or that they are rotating binaries against a static backend because the binaries, not the servers, are what gets burned.
New Samples Detected
Of the 15 new samples, 73% (11) are standard .exe files, consistent with QuasarRAT's typical delivery. The remaining four use non-standard extensions: .27172, .10672, .29524, and .xlsm. The three numeric extensions are unusual; they may be renamed binaries or archives (possibly named by size), or artifacts of feed naming, and may represent an attempt to slip past extension-based rules in email gateways. Either way, extension is not a reliable signal, so triage should classify these files by content (the MZ header of a PE, the PK header of an OOXML or zip container) rather than by name. The single .xlsm sample is more concerning, as it suggests a macro-based downloader, a delivery method QuasarRAT operators have historically paired with phishing lures using financial or shipping-themed document names.
IOC Highlights
All 15 new IOCs are file hashes, reflecting today's sample-driven activity. No new domains, IPs, or URLs were recorded. Analysts should ingest these hashes into detection rules immediately and prioritize the .xlsm sample for sandbox analysis, since a macro document is the most likely first stage of a multi-stage delivery chain. Bear in mind that hash matching catches only these exact files; with operators already producing a new batch of binaries per day, the hashes should be paired with the existing C2 indicators and with behavioral rules rather than used alone.
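The following triage script is an added example and is not part of the original summary or of any QuasarRAT tooling. It shows the content-based classification recommended above: files are typed by their magic bytes rather than their extension, OOXML containers are checked for an embedded VBA project, and each file receives a SHA-256 and a sandbox priority (macro documents first, then extension/content mismatches). The sample files are constructed inline (a minimal PE-shaped stub and skeleton workbooks, not malware), and the sample names are invented for illustration.

```python
import hashlib
import io
import zipfile

# --- constructed sample content (not real malware) ---------------------------

def build_pe_stub():
    """Minimal PE-shaped bytes: 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3E)
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    buf += b"PE\x00\x00" + b"\x00" * 24
    return bytes(buf)

def build_workbook(with_macro):
    """Skeleton OOXML workbook; with_macro adds the vbaProject.bin part an .xlsm carries."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; the CFB magic is enough here.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return out.getvalue()

# --- content-based classification ---------------------------------------------

def classify(data):
    """Type a blob by magic bytes only; the filename extension is ignored entirely."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"          # macro-enabled Office document
        if any(n.startswith(("xl/", "word/", "ppt/")) for n in names):
            return "ooxml"
        return "zip"
    if data[:4] == b"%PDF":
        return "pdf"
    return "unknown"

def triage(samples):
    """Return per-file records (sha256, content type, mismatch flag, priority), highest priority first."""
    office_exts = {"xlsm", "xlsx", "docm", "docx", "pptm", "pptx"}
    rank = {"high": 0, "medium": 1, "normal": 2}
    records = []
    for name, data in samples.items():
        kind = classify(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        # A PE not named .exe/.dll, or an Office container with an odd extension, is worth a look.
        mismatch = (kind == "pe" and ext not in {"exe", "dll", "scr"}) or \
                   (kind.startswith("ooxml") and ext not in office_exts)
        priority = "high" if kind == "ooxml-macro" else ("medium" if mismatch else "normal")
        records.append({
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "kind": kind,
            "ext": ext,
            "ext_mismatch": mismatch,
            "priority": priority,
        })
    return sorted(records, key=lambda r: rank[r["priority"]])

def yara_hash_rule(records, rule_name="quasarrat_daily_hashes"):
    """Emit a YARA rule that matches any of the triaged files by SHA-256 (needs the 'hash' module)."""
    conds = " or\n        ".join(
        'hash.sha256(0, filesize) == "%s"' % r["sha256"] for r in records)
    return 'import "hash"\n\nrule %s {\n    condition:\n        %s\n}\n' % (rule_name, conds)

# Constructed filenames standing in for today's batch (the numeric extension mirrors the feed).
SAMPLES = {
    "invoice.exe": build_pe_stub(),
    "report.27172": build_pe_stub() + b"\x01",
    "shipping.xlsm": build_workbook(with_macro=True),
    "ledger.xlsx": build_workbook(with_macro=False),
}

if __name__ == "__main__":
    for rec in triage(SAMPLES):
        print(rec["priority"], rec["kind"], rec["name"], rec["sha256"][:16])
    print(yara_hash_rule(triage(SAMPLES)))
```

The macro-enabled workbook sorts to the top regardless of what the file is called, and the PE renamed to a numeric extension is flagged as a mismatch; a .xlsx without a vbaProject.bin part stays at normal priority, which is the distinction an extension-only rule cannot make.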
Security Analysis
Rising sample volume against zero new C2 infrastructure is a classic sign of infrastructure reuse: the operators are rebuilding or repacking the client while keeping the same servers, a pattern often seen when a small set of compromised or rented VPS hosts is recycled across campaigns. The summary compares this to QuasarRAT campaigns from early 2025 that targeted logistics firms via Macro-4 variants. Defensive teams should prioritize behavioral detection over hash blocking alone: hashes lag a cadence of fifteen new binaries a day, whereas the C2 endpoints are static. Useful signals are outbound connections from non-browser processes (especially ones running from user-writable paths such as AppData or Temp) to common QuasarRAT ports (the default 4782, or 8080), and regular beacon intervals to the same host. Because host and port are set in Quasar's client builder, port-based rules are a heuristic, not a guarantee, and the known C2 hosts should stay blocked even though they may have been cleaned since last use.
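The detection logic described above, as an added example that is not part of the original summary: it runs over constructed Sysmon-style network-connection events (documentation IP ranges, invented hostnames and paths) and flags outbound connections from non-allowlisted processes to the ports the summary names, outbound traffic from user-writable directories, and regular beacon intervals to the same destination. The process allowlist, the path markers, and the event format are assumptions to be adapted to the environment.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Ports the summary associates with QuasarRAT C2 (4782 is Quasar's default listen port).
QUASAR_PORTS = {4782, 8080}
# Assumed allowlist of processes that legitimately reach arbitrary ports; tune per environment.
ALLOWLISTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Path fragments indicating a user-writable location (assumed; extend as needed).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed event format modelled on Sysmon Event ID 3 fields (not a real Sysmon export).
EVENT_RE = re.compile(r"^(\S+) Image=(.+?) DestIp=(\S+) DestPort=(\d+)$")

def parse(line):
    """Parse one constructed event line; returns None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "image": m.group(2), "ip": m.group(3), "port": int(m.group(4))}

def is_beacon(timestamps, min_events=4, max_cv=0.2):
    """Low coefficient of variation across connection gaps suggests a beaconing client."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_cv

def analyze(lines):
    """Group events by (process, destination, port) and return findings with their reasons."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            groups[(ev["image"], ev["ip"], ev["port"])].append(ev["ts"])
    findings = []
    for (image, ip, port), stamps in groups.items():
        reasons = set()
        exe = image.rsplit("\\", 1)[-1].lower()
        if port in QUASAR_PORTS and exe not in ALLOWLISTED_IMAGES:
            reasons.add("quasar-port")
        if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.add("user-writable-path")
        if is_beacon(stamps):
            reasons.add("beacon")
        # A user-writable path on its own is too noisy (chat clients live in AppData);
        # it only strengthens a port or beacon hit.
        if reasons - {"user-writable-path"}:
            findings.append({"image": image, "ip": ip, "port": port,
                             "events": len(stamps), "reasons": sorted(reasons)})
    return sorted(findings, key=lambda f: (-len(f["reasons"]), f["image"]))

# Constructed sample log: a client in AppData beaconing every ~60 s to port 4782,
# a browser using 8080 and 443, a system service on 443, and a one-off hit on 8080
# from the Downloads folder. IPs are from documentation ranges.
SAMPLE_EVENTS = r"""
2026-06-14T09:00:00Z Image=C:\Users\alice\AppData\Roaming\WinUpdate\update.exe DestIp=203.0.113.5 DestPort=4782
2026-06-14T09:00:30Z Image=C:\Program Files\Google\Chrome\Application\chrome.exe DestIp=198.51.100.7 DestPort=8080
2026-06-14T09:01:00Z Image=C:\Users\alice\AppData\Roaming\WinUpdate\update.exe DestIp=203.0.113.5 DestPort=4782
2026-06-14T09:02:01Z Image=C:\Users\alice\AppData\Roaming\WinUpdate\update.exe DestIp=203.0.113.5 DestPort=4782
2026-06-14T09:02:15Z Image=C:\Program Files\Google\Chrome\Application\chrome.exe DestIp=198.51.100.7 DestPort=443
2026-06-14T09:03:00Z Image=C:\Users\alice\AppData\Roaming\WinUpdate\update.exe DestIp=203.0.113.5 DestPort=4782
2026-06-14T09:03:40Z Image=C:\Users\alice\Downloads\invoice.exe DestIp=198.51.100.23 DestPort=8080
2026-06-14T09:04:01Z Image=C:\Users\alice\AppData\Roaming\WinUpdate\update.exe DestIp=203.0.113.5 DestPort=4782
2026-06-14T09:05:00Z Image=C:\Windows\System32\svchost.exe DestIp=198.51.100.9 DestPort=443
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS.strip().splitlines()):
        print(f["events"], f["image"], "%s:%d" % (f["ip"], f["port"]), ",".join(f["reasons"]))
```

The browser on 8080 produces no finding because it is allowlisted, while the beaconing client in AppData collects all three reasons; the single Downloads hit on 8080 is reported with two reasons so an analyst can decide whether it deserves the same attention. The beacon check uses a jitter threshold of 20% of the mean gap, so a client that randomizes its sleep widely will evade it, which is exactly why the port and path signals are kept alongside it.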