The ThreatFox: Quasar RAT IOCs rule detects potential remote access trojan activity associated with Quasar RAT, which allows adversaries to execute commands and exfiltrate data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Quasar RAT for long-term system control and data theft.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 5
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | subsieuvip9.com | botnet_cc | 2026-05-11 | 75% |
| domain | x88-km88k.com | botnet_cc | 2026-05-11 | 75% |
| domain | x88.diy | botnet_cc | 2026-05-11 | 75% |
| domain | lankbos.nl | botnet_cc | 2026-05-11 | 75% |
| domain | 2mdj56rl.sa.com | botnet_cc | 2026-05-11 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
let malicious_domains = dynamic(["subsieuvip9.com", "x88-km88k.com", "x88.diy", "lankbos.nl", "2mdj56rl.sa.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
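As an added illustration that is not part of the original rule, the Python below mirrors the hunt query's logic over constructed DnsEvents rows so the matching behaviour can be checked offline before the KQL is run in Sentinel. The `DnsEvent` class, `matches_ioc` and `hunt` are assumed helper names, and the sample rows (with documentation-range IP addresses) are constructed, not real telemetry.

```python
from dataclasses import dataclass

# IOC list taken from the ThreatFox table above.
MALICIOUS_DOMAINS = frozenset({
    "subsieuvip9.com", "x88-km88k.com", "x88.diy",
    "lankbos.nl", "2mdj56rl.sa.com",
})

@dataclass
class DnsEvent:
    """One DnsEvents row, limited to the columns the KQL projects."""
    TimeGenerated: str
    Computer: str
    Name: str
    IPAddresses: str
    QueryType: str

def normalize(name):
    """Lower-case and drop the trailing dot a resolver may append."""
    return name.strip().lower().rstrip(".")

def matches_ioc(name, iocs=MALICIOUS_DOMAINS):
    """Return the IOC hit if `name` is the C2 domain or a subdomain of it, else None.

    The label-boundary suffix test approximates KQL `has_any` term matching and,
    unlike a plain substring search, does not flag look-alikes such as notx88.diy.
    """
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None

def hunt(events):
    """Mirror the query: keep IOC hits, project the columns, newest first."""
    hits = [(e, matches_ioc(e.Name)) for e in events]
    hits = [(e, ioc) for e, ioc in hits if ioc is not None]
    hits.sort(key=lambda h: h[0].TimeGenerated, reverse=True)
    return [{"TimeGenerated": e.TimeGenerated, "Computer": e.Computer, "Name": e.Name,
             "IPAddresses": e.IPAddresses, "QueryType": e.QueryType, "MatchedIOC": ioc}
            for e, ioc in hits]

# Constructed sample rows (documentation IP ranges, not real telemetry).
SAMPLE_EVENTS = [
    DnsEvent("2026-05-12T08:01:00Z", "WS-01", "update.example.com", "192.0.2.10", "A"),
    DnsEvent("2026-05-12T08:02:00Z", "WS-07", "cdn.x88.diy.", "203.0.113.5", "A"),
    DnsEvent("2026-05-12T08:03:00Z", "WS-03", "notx88.diy", "198.51.100.9", "A"),
    DnsEvent("2026-05-12T08:04:00Z", "WS-07", "LANKBOS.NL", "203.0.113.8", "AAAA"),
]
```

Calling `hunt(SAMPLE_EVENTS)` returns the two WS-07 rows (the subdomain query and the upper-cased FQDN), newest first, while the `notx88.diy` look-alike is not flagged.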
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A system administrator uses PowerShell to run a scheduled job for system updates or patch management, which may include command-line execution similar to Quasar RAT.
Filter/Exclusion: Exclude PowerShell scripts that match known system maintenance scripts (e.g., Update-AppxPackage, Install-WindowsUpdate) or use a file hash filter for trusted maintenance scripts.

Scenario: Admin using Cobalt Strike for red team exercises
Description: A red team or security team member uses Cobalt Strike to simulate a Quasar RAT-like attack during a penetration test.
Filter/Exclusion: Exclude processes initiated by known red team tools (e.g., cobaltstrike.exe) or use a user-based filter for internal security teams.

Scenario: Legitimate use of PsExec for remote administration
Description: An IT administrator uses PsExec to remotely execute commands on multiple machines for troubleshooting or configuration changes.
Filter/Exclusion: Exclude processes initiated by PsExec (psexec.exe) or use a command-line argument filter for legitimate administrative tasks.

Scenario: Automated backup script using PowerShell
Description: A backup script runs PowerShell commands to copy data to a remote server, which may resemble command execution patterns seen in Quasar RAT.
Filter/Exclusion: Exclude PowerShell scripts that match known backup tools (e.g., Backup-Item, Copy-Item) or use a file path filter for backup directories.

Scenario: User running a legitimate remote access tool (e.g., TeamViewer)
Description: A user runs TeamViewer or similar remote access software for legitimate remote support, which may trigger similar IOCs as Quasar RAT.
Filter/Exclusion: Exclude processes associated with known remote access tools (e.g., TeamViewer.exe) or use