QuasarRAT

● Active
Remote Access Trojan
First seen: 2014-07
Also known as: Quasar, xRAT

Overview

QuasarRAT, originally released as xRAT before being renamed in 2015, is an open-source remote administration tool written in C# and hosted on GitHub. First appearing in mid-2014, it is one of the longest-running open-source RATs still in active use. The project was created by “MaxXor” as a legitimate remote administration tool and has accumulated thousands of GitHub stars, reflecting both genuine interest and abuse potential. QuasarRAT’s clean architecture, lightweight footprint, and stability have made it attractive to a wide range of threat actors, from financially motivated criminals to nation-state groups including APT10, APT33, Patchwork, and Dropping Elephant. Its longevity in the threat landscape is a testament to its reliability and the difficulty of distinguishing it from legitimate remote management software based on behavior alone.

Capabilities

QuasarRAT delivers a well-rounded remote access feature set optimized for efficiency. Core capabilities include remote desktop streaming with mouse and keyboard control, file manager supporting upload, download, and remote execution, task manager for process enumeration and termination, registry editor, remote shell command execution, and TCP connection monitoring. The RAT features system information gathering, startup manager for persistence control, and a remote webcam viewer. Its networking layer uses AES-128 encrypted communication over TCP, with support for reverse proxy connections to traverse NAT and firewalls. QuasarRAT also includes a keylogger module, password recovery from browsers and FTP clients, and website visitor functionality for driving traffic or credential phishing. The server component provides a clean multi-client dashboard for managing numerous compromised hosts simultaneously.

Distribution Methods

QuasarRAT distribution varies widely depending on the threat actor. Nation-state groups typically deliver it through targeted spear-phishing with weaponized documents containing macro code or exploits. Financially motivated actors distribute it through broader phishing campaigns, malicious email attachments in ZIP or RAR archives, and trojanized software bundles. Common delivery chains involve multi-stage downloaders where an initial VBS or PowerShell script retrieves the QuasarRAT payload from cloud storage or compromised web servers. Some campaigns have used DLL side-loading with legitimate signed executables to load QuasarRAT into memory. The RAT has also been observed in watering hole attacks and as a second-stage payload dropped by other malware families including Emotet and other loaders.

Notable Campaigns

QuasarRAT’s history is intertwined with significant cyber espionage operations. Chinese APT group APT10 (Stone Panda) used QuasarRAT extensively in Operation Cloud Hopper, targeting managed service providers to gain access to downstream client networks. Iranian threat group APT33 (Elfin) deployed QuasarRAT against aerospace and energy organizations in the Middle East and United States. The Indian-nexus Patchwork APT used customized QuasarRAT builds in campaigns against South Asian diplomatic and military targets. Beyond APT usage, QuasarRAT appeared in criminal campaigns targeting Latin American financial institutions throughout 2023-2024. In 2025, updated forks with enhanced evasion capabilities continued to surface in both targeted attacks and commodity crimeware operations, demonstrating the malware’s enduring appeal across threat actor categories.

Detection & Mitigation

Detecting QuasarRAT involves monitoring for its network signatures, including the characteristic packet structure of its AES-encrypted TCP protocol. Endpoint indicators include the creation of its default mutex pattern (customizable but often left at defaults by less sophisticated operators), installation to common paths like %AppData% or %ProgramData%, and scheduled task or registry autorun persistence. YARA rules targeting QuasarRAT’s .NET assembly metadata, embedded resource patterns, and configuration decryption routines are widely published by security vendors. Behavioral detection should focus on identifying remote desktop-like activity from non-standard processes, anomalous outbound connections on uncommon ports, and credential store access by unexpected executables. Mitigation recommendations include maintaining application allowlisting, monitoring for unauthorized remote management tools, deploying network intrusion detection with QuasarRAT signatures, and auditing scheduled tasks and autorun entries for suspicious .NET executables.
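An added example, not taken from this profile or from the QuasarRAT project, of the last mitigation step above: a PowerShell audit that walks the Run keys and scheduled-task actions and flags managed (.NET) executables launched from %AppData%, %LocalAppData% or %ProgramData%. The list of roots and the helper names are my own choices; run it elevated and treat hits as triage leads, not proof of infection.

```powershell
# Audit autorun entries for .NET executables living in user-writable roots.
# Assumption: these roots cover the "common paths" named in the profile.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    param([string]$CommandLine)
    # First token, quoted or bare, with %AppData%-style variables expanded.
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $exe = $Matches[1] }
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-ManagedAssembly {
    param([string]$Path)
    # GetAssemblyName succeeds only for managed PE files; native images throw
    # BadImageFormatException and missing files throw FileNotFoundException.
    try { [void][System.Reflection.AssemblyName]::GetAssemblyName($Path); return $true }
    catch { return $false }
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notin $providerProps) {
            $entries += [pscustomobject]@{ Source = "$key\$($p.Name)"; Command = [string]$p.Value }
        }
    }
}
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            $entries += [pscustomobject]@{ Source = "Task:$($task.TaskPath)$($task.TaskName)"
                                           Command = "$($a.Execute) $($a.Arguments)" }
        }
    }
}

$entries | ForEach-Object {
    $entry = $_
    $exe = Get-ExecutablePath $entry.Command
    $inSuspectRoot = $exe -and ($suspectRoots | Where-Object { $exe -like "$_\*" })
    if ($inSuspectRoot -and (Test-ManagedAssembly $exe)) {
        [pscustomobject]@{ Source = $entry.Source; Path = $exe }
    }
} | Format-Table -AutoSize
```

Any row in the output is a managed executable persisting from a user-writable directory; compare it against your application allowlist and known remote-management tooling before acting.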
