Quasar RAT is a powerful, open-source Remote Access Trojan (RAT) coded in C#. While originally developed and marketed as a legitimate remote administration tool, its robust feature set, high stability, and public availability on GitHub have made it a staple in the arsenals of cybercriminals and Advanced Persistent Threat (APT) groups. It is utilized post-compromise to maintain deep, interactive control over victim machines, facilitate lateral movement, and exfiltrate sensitive data.
Infection Vector and Technical Capabilities
Quasar is typically deployed as a secondary payload. Threat actors distribute it via malicious email attachments (often weaponized Office documents), fake software installers, or drop it manually after successfully exploiting a vulnerable internet-facing service.
Once active, it provides the attacker with total system control:
Extensive Surveillance Capabilities: The RAT includes built-in modules for real-time keylogging, remote desktop (RDP) viewing, webcam and microphone capture, and password recovery from major web browsers and FTP clients.
File and System Management: Attackers have full file system access (upload, download, execute, delete), can interact with the command prompt and PowerShell, and can manipulate running processes and registry keys.
Evasion and Persistence: Quasar client builds are highly customizable. Attackers routinely use crypters/packers to obfuscate the binary. It establishes persistence via Scheduled Tasks or Registry `Run` keys, and communicates with the Command and Control (C2) server using TLS-encrypted TCP connections, making network detection difficult.
Threat Assessment
A Quasar detection is a critical incident indicating a total compromise of the affected endpoint. The attacker has interactive, human-driven access to the machine and can steal any data present, deploy ransomware, or pivot to attack other internal servers.
Incident Response and Remediation
Immediate Network Isolation: Sever the machine's network connection instantly to terminate the attacker's interactive session and halt any ongoing data exfiltration.
Hunt for Lateral Movement: Because Quasar is often used as a beachhead, incident responders must assume the attacker has attempted to move laterally. EDR and Active Directory logs must be scrutinized for compromised credentials and unauthorized access to other internal hosts.
Total Re-imaging and Credential Rotation: The machine cannot be trusted and must be wiped to bare metal. All credentials (user, service accounts) that were exposed to or logged into the compromised machine must be immediately reset.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1071.001T1056.001T1055
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.