Daily Summary
AsyncRAT activity has surged significantly, with 17 new samples detected today. This represents a 125% increase over the 7-day average of 8 samples, indicating a notable spike in distribution efforts. The campaign is characterized by a high volume of new command-and-control infrastructure.
New Samples Detected
The new samples are predominantly Windows executables (13 .exe files), with a smaller number of scripting payloads (3 .vbs, 1 .js). The .exe files show consistent use of generic, non-suspicious names mimicking software installers or documents, a slight shift from previous heavy reliance on script-based initial access.
Distribution Methods
The file type distribution suggests a multi-pronged delivery approach. The .exe files are likely distributed via phishing emails with malicious attachments or through fake software downloads. The persistent use of .vbs and .js files indicates ongoing campaigns utilizing malicious script files embedded in documents or delivered via compromised websites.
Detection Rate
Current detection rates for these new samples across aggregated antivirus engines remain moderate, averaging 55-65%. The new .exe variants in particular show a slightly lower initial detection rate than the script-based samples, suggesting ongoing obfuscation efforts to evade signature-based detection.
C2 Infrastructure
A substantial number of new C2 servers were registered today (100), far exceeding typical daily infrastructure churn. These servers are predominantly hosted on bulletproof hosting providers and show no strong geographic concentration, a tactic used to complicate takedown efforts and infrastructure blocking.
7-Day Trend
Today’s sharp increase breaks a pattern of relatively steady, low-volume activity observed over the past week. This single-day surge suggests a new, coordinated distribution push rather than a gradual ramp-up.
Security Analysis
The current campaign’s high volume of new C2 servers, coupled with the spike in samples, mirrors the infrastructure-flooding tactics seen in major phishing campaigns that precede data exfiltration attempts. A key defensive recommendation is to enhance network monitoring for connections to newly registered domains (NRDs) and to implement application allow-listing for the Windows scripting hosts (wscript.exe, cscript.exe). Blocking those hosts blunts the impact of the .vbs and .js payloads and forces attackers to rely on noisier .exe execution.