QuasarRAT - Daily Threat Report

Friday, April 10, 2026

Daily Summary

Today’s detection of 7 new QuasarRAT samples represents a significant surge, 158% above the 7-day average of 3. This sharp rise indicates a potential new distribution campaign is underway. The absence of new C2 infrastructure suggests the use of established servers.

New Samples Detected

The sample set shows a notable shift in file types. While .exe files remain present (3 samples), there is an equal number of .hta (HTML Application) files (3 samples), accompanied by one .bat script. This mix indicates a multi-stage delivery approach, moving beyond simple executable drops.

Distribution Methods

The presence of .hta and .bat files strongly suggests malicious email campaigns are a primary vector. The .hta files likely serve as initial droppers: their embedded script runs under the Windows mshta.exe host rather than as a standalone executable, sidestepping controls that only block direct .exe launches, while the .bat script may facilitate post-infection commands or cleanup activities.

Detection Rate

Current vendor detection for these specific samples is moderate. The use of .hta files, which can execute obfuscated JavaScript/VBScript, provides a degree of evasion against static signatures. The new variants may see lower initial detection rates until behavioral heuristics catch up.

C2 Infrastructure

No new command-and-control servers were identified today. This implies ongoing operations are utilizing previously established infrastructure, possibly indicating a focused campaign by a known actor rather than a broad infrastructure expansion.

7-Day Trend

Activity has been relatively low and steady over the past week. Today’s spike breaks this pattern, marking the highest single-day sample count in the observed period and signaling a clear ramp-up in distribution efforts.

Security Analysis

The tactical shift to include .hta files alongside executables suggests an adaptation to target environments where macro-enabled documents are blocked. This leverages the Windows mshta.exe utility, a living-off-the-land binary, to execute script-based payloads. Defenders should enhance monitoring for mshta.exe spawning unusual child processes, particularly when launched from email clients or temporary directories, and consider blocking .hta file execution from internet-facing zones.
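As an added example (not part of this report or its data sources), the following Python sketches the monitoring the analysis recommends: it scans Sysmon-style process-creation records for mshta.exe launched by an email client or loading an .hta from a temp/download path, and for mshta.exe spawning children it has no normal reason to start. The event records, the email-client and child-process lists, and the path pattern are constructed assumptions, not indicators from the report.

```python
"""Flag mshta.exe abuse patterns in process-creation telemetry.

Constructed example: the records mimic Sysmon Event ID 1 fields
(Image, ParentImage, CommandLine) but are invented, not real telemetry.
"""
import re

# Assumed parents from which mshta.exe should rarely be launched (email clients).
EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Assumed children that mshta.exe has no normal reason to spawn.
UNUSUAL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Assumed locations where a mail-delivered .hta typically lands.
TEMP_DIR_RE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|INetCache|Temporary Internet Files)\\", re.I)

def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    reasons = []
    if image == "mshta.exe":
        if parent in EMAIL_CLIENTS:
            reasons.append("mshta launched by email client")
        if TEMP_DIR_RE.search(event["CommandLine"]):
            reasons.append("mshta loading .hta from temp/download path")
    if parent == "mshta.exe" and image in UNUSUAL_CHILDREN:
        reasons.append(f"mshta spawned unusual child {image}")
    return reasons

def hunt(events):
    """Map ProcessId -> reasons for every flagged event."""
    flagged = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged[event["ProcessId"]] = reasons
    return flagged

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 100, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invoice.hta"'},
    {"ProcessId": 101, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"'},
    {"ProcessId": 102, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]
```

Running `hunt(SAMPLE_EVENTS)` flags 100 (email-client parent, temp path) and 101 (cmd.exe under mshta.exe) while the vendor help file launched from Explorer (102) passes.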

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)