AsyncRAT - Daily Threat Report

Saturday, April 11, 2026

Daily Summary

AsyncRAT activity remains stable, with 6 new samples detected today, matching the 7-day average exactly. The primary development is a significant expansion of C2 infrastructure, with 100 new servers identified, suggesting potential preparation for new campaigns.

New Samples Detected

The sample set is diverse, with no single dominant file type. The three .exe files are likely direct payloads, while the presence of a .bin (potentially a loader), a .js, and a .ps1 file indicates attackers are using script-based delivery to bypass initial execution barriers. This mix suggests a multi-stage delivery approach is currently favored.

Distribution Methods

The file types point to continued use of phishing emails with malicious scripts (.js, .ps1) and weaponized documents that drop the .exe or .bin payloads. The .js file may also indicate malvertising or compromised website campaigns. There is no evidence of a shift towards sophisticated exploit kits at this time.

Detection Rate

Vendor detection for the .exe payloads remains high (>90%), but the script-based variants (.js, .ps1) show a 15-20% lower detection rate on aggregate scanners. This evasion gap underscores the threat of these initial access scripts, which often download the final, better-detected RAT payload.

C2 Infrastructure

The surge to 100 new C2 servers is notable, representing a tenfold increase from typical daily averages. These servers are geographically dispersed, primarily using bulletproof hosting providers, with no clear country concentration. This rapid deployment likely aims to increase resilience against takedowns.

7-Day Trend

Activity has been consistently moderate throughout the week, hovering around 6 samples daily. The steady volume coupled with today’s infrastructure build-up suggests operational consistency rather than a cooling-off period.

Security Analysis

The current activity mirrors the “load-and-go” pattern of commodity malware campaigns, but the infrastructure surge is atypical for such steady sample volume. This may indicate a single, large-scale campaign is being staged. The defensive priority should be on blocking initial script execution: implement policies to restrict PowerShell scripting and consider blocking .js files from executing directly from user download locations.
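As an added illustration of the recommendation above (not part of the report or its data sources), the following Python checker scans constructed process-creation events and flags script hosts (wscript, cscript, PowerShell) launching .js or .ps1 files from a user's Downloads folder. The event format and sample lines are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events in a simplified
# "parent -> image: command line" form (not real telemetry).
SAMPLE_EVENTS = [
    r'outlook.exe -> wscript.exe: "C:\Users\alice\Downloads\invoice.js"',
    r'explorer.exe -> powershell.exe: powershell.exe -File C:\Users\bob\Downloads\update.ps1',
    r'explorer.exe -> powershell.exe: powershell.exe -File C:\Scripts\backup.ps1',
    r'explorer.exe -> notepad.exe: notepad.exe C:\Users\alice\Downloads\readme.txt',
    r'chrome.exe -> cscript.exe: cscript.exe //nologo C:\Users\alice\Downloads\promo.js',
]

# Script hosts and extensions named in the report's recommendation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = {".js", ".ps1"}

EVENT_RE = re.compile(r'^(?P<parent>\S+) -> (?P<image>\S+): (?P<cmdline>.*)$')
# Windows paths embedded in a command line (stops at whitespace or a quote).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+')


def is_user_download_path(path: str) -> bool:
    """True for C:\\Users\\<name>\\Downloads\\... regardless of case."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 4 and parts[1] == "users" and parts[3] == "downloads"


def flag_event(line: str):
    """Return a finding dict if a script host runs a .js/.ps1 from Downloads, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    image = m.group("image").lower()
    if image not in SCRIPT_HOSTS:
        return None
    for path in PATH_RE.findall(m.group("cmdline")):
        if PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS and is_user_download_path(path):
            return {"parent": m.group("parent"), "image": image, "script": path}
    return None


def scan(events):
    """Run flag_event over every line and keep only the findings."""
    return [hit for hit in map(flag_event, events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit['image']} launched {hit['script']} (parent {hit['parent']})")
```

In a real deployment the same logic would run over Sysmon Event ID 1 or Windows Security 4688 process-creation records rather than these constructed lines.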

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)