Daily Summary
QuasarRAT activity shows a significant increase today, with 7 new samples identified against a 7-day average of 4, representing a 75% surge. This rise indicates a potential spike in distribution efforts or a new campaign initiation. No new command-and-control (C2) infrastructure was registered alongside this sample increase.
New Samples Detected
The new samples are predominantly executable files (5 .exe), accompanied by one batch script (.bat) and one archive (.zip). The presence of the .bat file is notable, as it may indicate a shift toward simpler, script-based deployment chains or an attempt to execute payloads via living-off-the-land binaries. The single .zip archive suggests ongoing use of compressed payloads to evade basic network or email filters.
Distribution Methods
Based on the file types, distribution likely continues via phishing emails with malicious attachments (.exe, .zip) or through compromised websites pushing downloads. The .bat file could be delivered as a secondary payload or as part of a multi-stage execution script, potentially launched via malicious documents or direct execution by an initial dropper.
Detection Rate
Current detection rates for these new samples by aggregate antivirus engines remain moderate. The consistent introduction of new samples, including the .bat variant, suggests ongoing attempts at obfuscation or minor code modifications to evade static signatures. Security teams should not rely solely on traditional AV for this family.
C2 Infrastructure
No new C2 servers were identified today. This suggests actors may be leveraging established, resilient infrastructure or are in a preparatory phase, distributing loaders before activating full C2 channels. The lack of new infrastructure complicates proactive blocking but indicates potential reuse of known IOCs.
7-Day Trend
Today’s sharp rise breaks a period of relatively steady, low-volume activity observed over the past week. This volatility is characteristic of QuasarRAT’s distribution, which often occurs in concentrated bursts rather than a constant stream.
Security Analysis
The introduction of a .bat script sample, while not dominant, is a tactical shift worth monitoring. It may represent a testing phase for a new delivery chain or an effort to simplify operations where PowerShell is restricted. Compared to recent campaigns focusing on .exe loaders, this move toward scripting could indicate adaptation to endpoint security controls. Recommendation: enhance monitoring for child processes spawned by batch files, especially those initiating network connections or downloading additional payloads, and consider tightening application control policies to restrict execution of .bat files from temporary or user-writable directories, a common tactic in such chains.
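One way to act on that recommendation, as an added example that is not part of the report: a small triage routine over constructed process-creation and network-connection telemetry (the event field names, sample values and the user-writable path list are assumptions) that flags batch files launched from user-writable directories and any child of a batch-file launch that connects out or executes from such a path.

```python
"""Flag children of batch-file launches that connect out or run from
user-writable paths. Event layout mirrors process-creation / network-connection
telemetry such as Sysmon EID 1 / EID 3 but is constructed for this example."""
import re

# Non-exhaustive list of directories a standard user can write to (assumption).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)|Windows\\Temp|Users\\Public)\\",
    re.IGNORECASE)
BATCH_LAUNCH = re.compile(r"\.bat\b", re.IGNORECASE)

# Constructed sample telemetry: one launch from a user's Downloads folder and
# one admin-controlled maintenance script, each with child processes.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\Downloads\invoice.bat"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": "findstr /i ok log.txt"},
    {"pid": 400, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Scripts\backup.bat"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy D:\data \\nas\share"},
]
NETWORK_EVENTS = [{"pid": 400, "dst": "203.0.113.10:443"}, {"pid": 600, "dst": "10.0.0.5:445"}]


def batch_launch_alerts(process_events, network_events):
    """Return (pid, reason) findings in a stable order."""
    by_pid = {e["pid"]: e for e in process_events}
    net_pids = {e["pid"] for e in network_events}
    # A batch launch is cmd.exe whose command line names a .bat file.
    batch_parents = {e["pid"] for e in process_events
                     if e["image"].lower().endswith("\\cmd.exe")
                     and BATCH_LAUNCH.search(e["cmdline"])}
    findings = []
    for pid in sorted(batch_parents):  # the application-control angle
        if USER_WRITABLE.search(by_pid[pid]["cmdline"]):
            findings.append((pid, "batch file executed from user-writable directory"))
    for e in process_events:  # the child-process monitoring angle
        if e["ppid"] not in batch_parents:
            continue
        if e["pid"] in net_pids:
            findings.append((e["pid"], "batch-spawned child initiated network connection"))
        if USER_WRITABLE.search(e["image"]):
            findings.append((e["pid"], "batch-spawned child runs from user-writable directory"))
    return findings
```

Note that the maintenance script's robocopy child is still reported for its network connection; a real deployment would suppress known-good parent scripts with an allowlist rather than loosening the rule.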