Daily Summary
Twelve new QuasarRAT samples were identified, a 9% increase over the seven-day average of eleven and consistent with a stable trend. No new command-and-control (C2) infrastructure was registered today.
New Samples Detected
The sample set shows a continued preference for script-based initial access, with .hta (4) and .bat (3) files comprising the majority. This is complemented by three .exe files and one each of .zip and .dll, indicating a multi-format delivery strategy that blends scripts with compiled binaries.
Distribution Methods
The file types point to ongoing phishing campaigns delivering malicious archives (.zip) or links to .hta files (HTML Applications), which execute scripts to fetch the final payload. The presence of .bat files suggests follow-on actions or deployment via other scripts, aligning with known malicious document campaigns that leverage scripting for execution.
Detection Rate
Current vendor detection for these samples remains moderately high, particularly for the .exe and .dll variants. However, the .hta and .bat files, which often contain obfuscated script code, show a slightly lower detection rate, indicating these formats may offer a brief window for evasion before signatures are updated.
C2 Infrastructure
No new C2 servers were identified, suggesting actors are likely consolidating operations on existing, potentially resilient infrastructure. This could indicate a period of payload deployment and staging rather than infrastructure expansion.
7-Day Trend
Activity over the past week has been consistent, with daily sample counts hovering between nine and thirteen. This steady state suggests a persistent, low-volume operation rather than a large-scale surge.
Security Analysis
A notable shift is the near-equal weighting of .hta (4) and .exe (3) files, moving slightly away from a pure reliance on executables. This may reflect an adaptation to environments where script execution controls are lax but application whitelisting is in place. The .dll sample suggests possible use of side-loading or other living-off-the-land techniques for persistence. Recommendation: Enhance monitoring for the execution of cscript.exe, wscript.exe and mshta.exe processes, particularly those spawned from temporary directories or email clients, to catch the script-based delivery chain before the RAT payload is retrieved.
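One way to implement the monitoring recommendation above as detection logic over process-creation telemetry. This is an added example, not code from the summary or any vendor; the event field names follow Sysmon Event ID 1 naming, the e-mail client and temporary-directory lists are assumptions to tune per environment, and the sample events are constructed.

```python
import re
from typing import Dict, List

# Script hosts named in the recommendation above.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Parent images treated as e-mail clients (assumed list; extend for your estate).
EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Temporary / download-cache path fragments (assumed list; extend as needed).
TEMP_PATTERN = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp|INetCache)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event matches; [] means no match.

    Keys follow Sysmon Event ID 1 naming: Image, ParentImage, CommandLine,
    CurrentDirectory. Only script hosts are examined; everything else passes."""
    image = _basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    parent = _basename(event.get("ParentImage", ""))
    if parent in EMAIL_CLIENTS:
        reasons.append(f"{image} spawned by e-mail client {parent}")
    cmd, cwd = event.get("CommandLine", ""), event.get("CurrentDirectory", "")
    # Script argument or working directory sits in a temporary location.
    if TEMP_PATTERN.search(cmd) or TEMP_PATTERN.search(cwd):
        reasons.append(f"{image} run from or against a temporary directory")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Flatten matches over a batch of events as (command line, reason) pairs."""
    return [(e.get("CommandLine", ""), r) for e in events for r in classify(e)]


# Constructed sample events: two that should alert, one benign admin script.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invoice_4471.hta"',
     "CurrentDirectory": r"C:\Users\alice"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe //B "C:\Windows\Temp\update.vbs"',
     "CurrentDirectory": r"C:\Windows\Temp"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cscript.exe //Nologo "C:\Scripts\inventory.vbs"',
     "CurrentDirectory": r"C:\Scripts"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three (command line, reason) pairs for the first two events and nothing for the scheduled inventory script.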