Daily Summary
Eleven new QuasarRAT samples were identified, a significant increase from a seven-day average of zero. The trend is marked as stable due to the lack of prior baseline, but this represents a clear resurgence of activity. The delivery mechanism shows a reliance on initial access scripts rather than pure executables.
New Samples Detected
The sample set is dominated by script-based initial payloads, with four .hta (HTML Application) files and three .bat files. Two .exe samples, one .dll, and a .zip archive comprise the remainder. This mix suggests a focus on using living-off-the-land techniques for initial deployment, with the final RAT payload likely delivered in a secondary stage.
Distribution Methods
The prevalence of .hta and .bat files strongly indicates distribution via phishing emails with malicious links or attachments. The .hta files likely execute embedded scripts to download the final payload. The single .zip file may contain a weaponized document. This aligns with common initial access campaigns that leverage user interaction.
Detection Rate
Current detection rates for these new samples are moderate. The script-based initial files show lower detection by traditional AV compared to the .exe variants, which are more widely flagged. This indicates a continued effort to evade initial perimeter defenses by using trusted, native file formats.
C2 Infrastructure
No new command-and-control servers were identified in conjunction with today’s samples. This suggests operators are likely reusing existing, resilient infrastructure or employing dynamic DNS services not yet flagged. The absence of new infrastructure complicates proactive blocking but points to established operational patterns.
7-Day Trend
After a week of no observed activity, today’s cluster of samples breaks the quiet period. This pattern is consistent with periodic, targeted campaign bursts rather than sustained, broad distribution.
Security Analysis
The current activity demonstrates a shift toward a lighter initial footprint. Unlike previous campaigns that often distributed the full RAT in a single executable, this wave uses non-executable scripts to fetch the payload. This two-stage process can bypass static analysis. A key defensive recommendation is to enhance email security to strip or block .hta attachments and monitor for child processes spawned from script hosts like mshta.exe or cmd.exe making unexpected network connections.
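The process-tree check recommended above, as an added example that is not part of this summary: it walks process-creation telemetry (the shape is assumed to resemble Sysmon event ID 1 and event ID 3 records; the sample events are constructed) and flags any network connection whose process is mshta.exe, cmd.exe, or a descendant of either.

```python
"""Flag network connections originating from mshta.exe / cmd.exe process trees."""

SCRIPT_HOSTS = {"mshta.exe", "cmd.exe"}

# Constructed sample telemetry (not from the report): process creations and network connections.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe"},      # .hta attachment opened
    {"pid": 201, "ppid": 200, "image": "powershell.exe"},  # spawned by mshta.exe
    {"pid": 300, "ppid": 100, "image": "outlook.exe"},
    {"pid": 301, "ppid": 300, "image": "chrome.exe"},
]
NETWORK_EVENTS = [
    {"pid": 201, "dest": "203.0.113.7:443"},   # child of mshta.exe -> alert
    {"pid": 200, "dest": "203.0.113.7:80"},    # mshta.exe itself -> alert
    {"pid": 301, "dest": "198.51.100.1:443"},  # browser traffic -> benign
]


def build_tree(process_events):
    """Map pid -> (lower-cased image name, parent pid)."""
    return {e["pid"]: (e["image"].lower(), e["ppid"]) for e in process_events}


def script_host_ancestor(pid, tree, max_depth=8):
    """Return the first script-host image found walking up from pid (pid itself
    included), or None. max_depth bounds the walk so malformed ppid cycles end."""
    depth = 0
    while pid in tree and depth <= max_depth:
        image, ppid = tree[pid]
        if image in SCRIPT_HOSTS:
            return image
        pid, depth = ppid, depth + 1
    return None


def find_suspicious_connections(process_events, network_events):
    """Correlate each network event with the process tree; return alert records.
    In production, cmd.exe is noisy, so an allowlist of expected destinations or
    child images would be layered on top of this check."""
    tree = build_tree(process_events)
    alerts = []
    for n in network_events:
        origin = script_host_ancestor(n["pid"], tree)
        if origin:
            alerts.append({"pid": n["pid"], "image": tree[n["pid"]][0],
                           "script_host": origin, "dest": n["dest"]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_connections(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```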