← Back to SOC feed Coverage →

ThreatFox: Quasar RAT IOCs

ioc-hunt HIGH ThreatFox
DnsEvents
backdooriocthreatfoxwin-quasar_rat
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at ThreatFox →
Retrieved: 2026-03-19T03:46:59Z · Confidence: high

Hunt Hypothesis

Hunt package for 4 IOCs associated with Quasar RAT

IOC Summary

Malware Family: Quasar RAT Total IOCs: 4 IOC Types: domain

TypeValueThreat TypeFirst SeenConfidence
domaingbp.cn.combotnet_cc2026-03-18100%
domainobf.uk.combotnet_cc2026-03-18100%
domainakashmehndiandtattooart.in.netbotnet_cc2026-03-18100%
domainfly88-zz.sitebotnet_cc2026-03-18100%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
let malicious_domains = dynamic(["gbp.cn.com", "obf.uk.com", "akashmehndiandtattooart.in.net", "fly88-zz.site"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

Required Data Sources

Sentinel TableNotes
DnsEventsEnsure this data connector is enabled

References

Original source: https://threatfox.abuse.ch/browse/malware/win.quasar_rat/