The detection identifies potential Quasar RAT activity through suspicious network connections and file artifacts associated with known malicious IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that leverage Quasar RAT for remote access and data exfiltration.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 68
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | thijsbroekhuizen.nl | botnet_cc | 2026-05-12 | 75% |
| domain | warframe-builder.com | botnet_cc | 2026-05-12 | 75% |
| domain | www.googletagmanager.com | botnet_cc | 2026-05-12 | 75% |
| domain | v3.colatv88xb.cc | botnet_cc | 2026-05-12 | 75% |
| domain | v3.unpkg.com | botnet_cc | 2026-05-12 | 75% |
| domain | v3.xoilackvb.cc | botnet_cc | 2026-05-12 | 75% |
| domain | v2.unpkg.com | botnet_cc | 2026-05-12 | 75% |
| domain | v2.xoilackvb.cc | botnet_cc | 2026-05-12 | 75% |
| domain | v3.adminxoilac1.site | botnet_cc | 2026-05-12 | 75% |
| domain | v3.chatboxvs.com | botnet_cc | 2026-05-12 | 75% |
| domain | v2.adminxoilac1.site | botnet_cc | 2026-05-12 | 75% |
| domain | v2.chatboxvs.com | botnet_cc | 2026-05-12 | 75% |
| domain | v2.colatv88xb.cc | botnet_cc | 2026-05-12 | 75% |
| domain | tracker.colatv88xb.cc | botnet_cc | 2026-05-12 | 75% |
| domain | static.cloudflareinsights.com | botnet_cc | 2026-05-12 | 75% |
| domain | quantri.unpkg.com | botnet_cc | 2026-05-12 | 75% |
| domain | quantri.xoilackvb.cc | botnet_cc | 2026-05-12 | 75% |
| domain | s.w.org | botnet_cc | 2026-05-12 | 75% |
| domain | quantri.chatboxvs.com | botnet_cc | 2026-05-12 | 75% |
| domain | quantri.colatv88xb.cc | botnet_cc | 2026-05-12 | 75% |
| domain | phishing.unpkg.com | botnet_cc | 2026-05-12 | 75% |
| domain | phishing.xoilackvb.cc | botnet_cc | 2026-05-12 | 75% |
| domain | quantri.adminxoilac1.site | botnet_cc | 2026-05-12 | 75% |
| domain | phishing.adminxoilac1.site | botnet_cc | 2026-05-12 | 75% |
| domain | phishing.chatboxvs.com | botnet_cc | 2026-05-12 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
let malicious_domains = dynamic(["thijsbroekhuizen.nl", "warframe-builder.com", "www.googletagmanager.com", "v3.colatv88xb.cc", "v3.unpkg.com", "v3.xoilackvb.cc", "v2.unpkg.com", "v2.xoilackvb.cc", "v3.adminxoilac1.site", "v3.chatboxvs.com", "v2.adminxoilac1.site", "v2.chatboxvs.com", "v2.colatv88xb.cc", "tracker.colatv88xb.cc", "static.cloudflareinsights.com", "quantri.unpkg.com", "quantri.xoilackvb.cc", "s.w.org", "quantri.chatboxvs.com", "quantri.colatv88xb.cc", "phishing.unpkg.com", "phishing.xoilackvb.cc", "quantri.adminxoilac1.site", "phishing.adminxoilac1.site", "phishing.chatboxvs.com", "phishing.colatv88xb.cc", "malware.unpkg.com", "malware.xoilackvb.cc", "malware.chatboxvs.com", "malware.colatv88xb.cc", "live.colatv88xb.cc", "live5.msrktz.app", "malware.adminxoilac1.site", "img.colatv88xd.cc", "img.thesports.com", "gatex.colatv88xb.cc", "gatex.unpkg.com", "gatex.xoilackvb.cc", "gatex.adminxoilac1.site", "gatex.chatboxvs.com", "fonts.googleapis.com", "fonts.gstatic.com", "donghua.jmsec.app", "ddos.unpkg.com", "ddos.xoilackvb.cc", "data.xoilackvb.cc", "ddos.adminxoilac1.site", "ddos.chatboxvs.com", "ddos.colatv88xb.cc", "data.chatboxvs.com"]);
DnsEvents
// has_any does term-phrase matching, so a query name that merely contains an
// indicator's labels (e.g. a child label of it) also fires; switch to
// `Name in~ (malicious_domains)` for exact, case-insensitive FQDN matching
// if the looser match proves too noisy in your environment.
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
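To make the matching semantics of the hunt concrete, and to show how a hunter can triage a list like this before it pages the on-call analyst, here is an offline re-implementation of the DnsEvents query in Python. It is an added example, not code from the original page or from ThreatFox. The indicator set is the 25 domains from the IOC table above; the DnsEvent rows, the host names, the `LAB-RT01` exclusion (standing in for the red-team lab host from the false-positive scenarios) and the three-host noise threshold are all constructed for the example. Suffix matching on labels approximates the page's `has_any` behaviour for dotted names; a `noisy_indicators` pass surfaces entries matched from many distinct hosts, which is the pattern shared CDN, font and analytics hosts produce and the first thing to review when a feed-derived list fires broadly.

```python
"""Offline re-implementation of the DnsEvents hunt above.

Added example, not part of the original detection page. Shows what the
query matches and how to spot indicators that behave like shared
infrastructure rather than a C2 beacon.
"""
from dataclasses import dataclass

# Indicator list copied from the IOC table above (ThreatFox, Quasar RAT).
MALICIOUS_DOMAINS = frozenset({
    "thijsbroekhuizen.nl", "warframe-builder.com", "www.googletagmanager.com",
    "v3.colatv88xb.cc", "v3.unpkg.com", "v3.xoilackvb.cc", "v2.unpkg.com",
    "v2.xoilackvb.cc", "v3.adminxoilac1.site", "v3.chatboxvs.com",
    "v2.adminxoilac1.site", "v2.chatboxvs.com", "v2.colatv88xb.cc",
    "tracker.colatv88xb.cc", "static.cloudflareinsights.com",
    "quantri.unpkg.com", "quantri.xoilackvb.cc", "s.w.org",
    "quantri.chatboxvs.com", "quantri.colatv88xb.cc", "phishing.unpkg.com",
    "phishing.xoilackvb.cc", "quantri.adminxoilac1.site",
    "phishing.adminxoilac1.site", "phishing.chatboxvs.com",
})


@dataclass(frozen=True)
class DnsEvent:
    """Minimal stand-in for a Sentinel DnsEvents row (constructed)."""
    time_generated: str
    computer: str
    name: str
    query_type: str


def normalize(fqdn: str) -> str:
    """Lower-case and strip the trailing dot so 'V3.UNPKG.COM.' == 'v3.unpkg.com'."""
    return fqdn.strip().lower().rstrip(".")


def match_indicator(name: str, indicators=MALICIOUS_DOMAINS):
    """Return the indicator a queried name matches, or None.

    Matches the exact FQDN or any name whose label suffix is an indicator
    (cdn.tracker.colatv88xb.cc -> tracker.colatv88xb.cc). This approximates
    the page's `has_any`, which matches the indicator's labels as a phrase.
    A parent of an indicator (unpkg.com) does not match.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def hunt(events, indicators=MALICIOUS_DOMAINS, excluded_computers=frozenset()):
    """Apply the query: keep events whose Name matches an indicator, drop
    excluded hosts (lower-cased names, e.g. a red-team lab box), newest first."""
    hits = []
    for ev in events:
        if ev.computer.lower() in excluded_computers:
            continue
        ind = match_indicator(ev.name, indicators)
        if ind is not None:
            hits.append((ev, ind))
    hits.sort(key=lambda h: h[0].time_generated, reverse=True)
    return hits


def noisy_indicators(hits, distinct_host_threshold=3):
    """Triage aid: indicators matched from at least `distinct_host_threshold`
    distinct hosts look like shared infrastructure and deserve review before
    anyone is paged on them. Returns the sorted indicator names."""
    hosts_per_indicator = {}
    for ev, ind in hits:
        hosts_per_indicator.setdefault(ind, set()).add(ev.computer)
    return sorted(i for i, hosts in hosts_per_indicator.items()
                  if len(hosts) >= distinct_host_threshold)


# Constructed sample rows; host names and timestamps are invented.
SAMPLE_EVENTS = [
    DnsEvent("2026-05-12T08:01:00Z", "WS-0113", "V3.UNPKG.COM.", "A"),
    DnsEvent("2026-05-12T08:02:00Z", "WS-0114", "www.googletagmanager.com", "A"),
    DnsEvent("2026-05-12T08:02:30Z", "WS-0115", "www.googletagmanager.com", "A"),
    DnsEvent("2026-05-12T08:03:00Z", "WS-0116", "www.googletagmanager.com", "AAAA"),
    DnsEvent("2026-05-12T08:04:00Z", "WS-0113", "cdn.tracker.colatv88xb.cc", "A"),
    DnsEvent("2026-05-12T08:05:00Z", "LAB-RT01", "quantri.chatboxvs.com", "A"),
    DnsEvent("2026-05-12T08:06:00Z", "WS-0117", "intranet.corp.example", "A"),
    DnsEvent("2026-05-12T08:07:00Z", "WS-0118", "unpkg.com", "A"),
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS, excluded_computers=frozenset({"lab-rt01"}))
    for ev, ind in results:
        print(f"{ev.time_generated} {ev.computer:8} {ev.name:28} -> {ind}")
    print("review before alerting:", noisy_indicators(results))
```

Running it lists five hits (the lab host is excluded, the parent domain and the internal name do not match) and flags `www.googletagmanager.com` as matched from three different workstations, the shape a hunter would expect from a widely used tag-manager host rather than a single beaconing endpoint.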
Scenario: Legitimate Scheduled Job for System Maintenance
Description: A scheduled task runs a script that downloads a file matching Quasar RAT IOCs as part of a routine system update or patching process.
Filter/Exclusion: Exclude files signed by trusted vendors (e.g., Microsoft, VMware) or files downloaded from internal update servers.
Scenario: Admin Task Involving PowerShell Scripting
Description: An administrator uses PowerShell to execute a script that includes base64-encoded content, which matches the IOC pattern of Quasar RAT.
Filter/Exclusion: Exclude PowerShell scripts executed by users with administrative privileges or scripts that are part of known administrative tools (e.g., PowerShell.exe, Task Scheduler).
Scenario: Legitimate File Transfer via FTP or SFTP
Description: A file transfer process (e.g., via FTP or SFTP) moves a file that contains Quasar RAT IOCs, such as a configuration file or log file.
Filter/Exclusion: Exclude files transferred between internal servers or files with known file extensions (e.g., .log, .cfg, .txt) that are common in enterprise environments.
Scenario: Use of a Legitimate Security Tool with Similar Behavior
Description: A security tool like Cobalt Strike or Metasploit is used in a red team exercise and generates IOCs that match the Quasar RAT detection rule.
Filter/Exclusion: Exclude processes or files associated with known security testing tools (e.g., cobaltstrike.exe, msfconsole.exe) or those running in a controlled lab environment.
Scenario: Malicious File with Similar Hash but Not Quasar RAT
Description: A malicious file with a hash that matches a known Quasar RAT hash but is actually from a different malware family (e.g., **Em