Quasar

Category: trojan · Aliases: RAT.Quasar, Backdoor.MSIL.Quasar, Win32/QuasarRAT · Sample count (EMBER 2018): 148 · Enrichment: curated_sourced · Updated: 2026-07-02T07:47:42Z

Overview

Executive Summary

Quasar RAT is a powerful, open-source Remote Access Trojan (RAT) coded in C#. While originally developed and marketed as a legitimate remote administration tool, its robust feature set, high stability, and public availability on GitHub have made it a staple in the arsenals of cybercriminals and Advanced Persistent Threat (APT) groups. It is utilized post-compromise to maintain deep, interactive control over victim machines, facilitate lateral movement, and exfiltrate sensitive data.

Infection Vector and Technical Capabilities

Quasar is typically deployed as a secondary payload. Threat actors distribute it via malicious email attachments (often weaponized Office documents), fake software installers, or drop it manually after successfully exploiting a vulnerable internet-facing service. Once active, it provides the attacker with total system control:

Threat Assessment

A Quasar detection is a critical incident indicating a total compromise of the affected endpoint. The attacker has interactive, human-driven access to the machine and can steal any data present, deploy ransomware, or pivot to attack other internal servers.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1071.001 T1056.001 T1055

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_QUASAR {
    meta:
        description = "Detects Quasar (trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "quasar" ascii wide nocase
        $s2 = "rat.quasar" ascii wide nocase
        $s3 = "backdoor.msil.quasar" ascii wide nocase
        $s4 = "win32/quasarrat" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Quasar Activity
id: e68a63fcb491fb3c2cf10eeb06d536e2
status: experimental
description: Detects generic indicators of the quasar malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*quasar*"
            - "*rat.quasar*"
            - "*backdoor.msil.quasar*"
            - "*win32/quasarrat*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Is QuasarRAT malware?

QuasarRAT is an open-source remote-administration tool (publicly on GitHub since at least 2014) that is frequently abused as a remote access trojan.

What language is QuasarRAT written in?

It is developed in C#.

What can QuasarRAT do when abused?

Provide remote control, keylogging, credential theft, and file access on a compromised system.

What is xRAT?

xRAT is an alias associated with the QuasarRAT project.

How does abused QuasarRAT reach victims?

Typically through phishing and malicious downloads, as with other RATs.

Why is an open-source tool a security concern?

Because the code is freely available, many actors can compile and customize their own builds, making variants common and varied.

Where is the authoritative reference?

MITRE ATT&CK's QuasarRAT entry (S0262), linked on this page.

Related Families (Category: trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/quasar.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.