QuasarRAT - Daily Threat Report

Sunday, June 28, 2026

Daily Summary

Only 3 new QuasarRAT samples were detected today, a sharp 72% drop from the 7-day average of 11. This continues a declining trend, though the shift in file types from the dominant .exe toward .ps1 and .js suggests a tactical pivot rather than a mere drop in activity.

New Samples Detected

The diversification of file types is the most notable aspect of today’s detection. While one standard .exe sample was observed, the inclusion of a .ps1 (PowerShell) and a .js (JavaScript) variant indicates threat actors are experimenting with initial delivery vectors that can bypass traditional executable-based filters. These file types are often used in staged attacks, where the script downloads and executes the main RAT payload from a remote server.

7-Day Trend

The 72% reduction from the 7-day average marks the most significant single-day decline in QuasarRAT activity this reporting period. This could represent a natural lull following a previous campaign cycle, or it may indicate that operators are shifting to a different loader format that avoids our current sample collection methods.

Security Analysis

The shift toward script-based delivery (.ps1 and .js) is a common technique in initial access campaigns, often seen in tandem with phishing emails that contain links to hosted scripts rather than attachments. This tactic forces defenders to focus on script execution policy and user training rather than signature-based file detection.

Actionable recommendation: Enable Constrained Language Mode for PowerShell on endpoints and apply Group Policy to block JavaScript execution from unrecognized sources (e.g., via Windows Script Host settings or AppLocker).
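The following added example (not part of the original report) is a read-only PowerShell check of the three controls named in the recommendation: the session's language mode, the Windows Script Host `Enabled` registry value, and the enforcement mode of the AppLocker Script rule collection. The function name `Get-ScriptHardeningStatus` is hypothetical; the registry path and cmdlets are the standard Windows ones.

```powershell
# Added example: read-only audit of the controls recommended above.
# Get-ScriptHardeningStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-ScriptHardeningStatus {
    [CmdletBinding()]
    param()

    # PowerShell language mode of this session (FullLanguage, ConstrainedLanguage, ...).
    $languageMode = $ExecutionContext.SessionState.LanguageMode

    # Windows Script Host: Enabled = 0 under this key stops wscript.exe/cscript.exe
    # from running .js/.vbs files. A missing value means WSH is allowed.
    $wsh = foreach ($hive in 'HKLM:', 'HKCU:') {
        $key   = "$hive\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $entry = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
        $state = if ($null -eq $entry) { 'not set' } else { [string]$entry.Enabled }
        "$hive Enabled=$state"
    }

    # AppLocker: the Script rule collection covers .ps1, .js, .vbs, .bat and .cmd.
    # AuditOnly logs but does not block; only Enabled enforces the rules.
    $appLocker = 'AppLocker cmdlets not available'
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $scriptRules = (Get-AppLockerPolicy -Effective).RuleCollections |
            Where-Object { $_.RuleCollectionType -eq 'Script' }
        $appLocker = if ($null -ne $scriptRules) {
            [string]$scriptRules.EnforcementMode
        } else {
            'NotConfigured'
        }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        LanguageMode        = [string]$languageMode
        ConstrainedLanguage = ($languageMode -eq 'ConstrainedLanguage')
        WindowsScriptHost   = $wsh -join '; '
        AppLockerScriptMode = $appLocker
    }
}

Get-ScriptHardeningStatus | Format-List
```

An endpoint that reports `FullLanguage`, `Enabled=not set` in both hives and `NotConfigured` has none of the recommended controls applied.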

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
