The detection identifies potential Quasar RAT activity through known IOCs, indicating an adversary may be establishing persistence and command and control within the network. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Quasar RAT before significant data exfiltration or lateral movement occurs.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 118[.]107[.]9[.]190:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 192[.]109[.]139[.]139:80 | botnet_cc | 2026-06-16 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// Note: the IOCs above are ip:port pairs; this query matches on IP only in either
// direction, so a hit on a different port is lower fidelity and needs triage.
let malicious_ips = dynamic(["192.109.139.139", "118.107.9.190"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// RemoteIP covers both outbound destinations and inbound sources;
// InitiatingProcessFileName identifies the process that made the connection.
let malicious_ips = dynamic(["192.109.139.139", "118.107.9.190"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update using wget to download a package from a trusted internal repository
Filter/Exclusion: Exclude traffic from internal IP ranges or domains whitelisted in the enterprise’s software update infrastructure.
Scenario: Scheduled job using crontab to fetch configuration files from a secure internal server
Filter/Exclusion: Exclude connections to internal DNS or HTTP servers that are known to host configuration files and are used by legitimate automation tools.
Scenario: Admin task using curl to retrieve a script from a trusted external API for system monitoring
Filter/Exclusion: Exclude requests to known trusted external APIs used by enterprise monitoring tools (e.g., Datadog, New Relic).
Scenario: Deployment of a legitimate tool like Ansible that uses scp to transfer files between hosts
Filter/Exclusion: Exclude file transfers between hosts within the same internal network segment or between hosts managed by Ansible.
Scenario: Use of PowerShell by a system administrator to download and install a legitimate patch from Microsoft’s update server
Filter/Exclusion: Exclude PowerShell scripts that connect to known Microsoft update servers or are signed by Microsoft’s trusted certificate authority.
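The following Python script is an added example, not part of the original detection content or any vendor tooling. It takes the two defanged ip:port indicators from the IOC table, refangs them, renders the `dynamic([...])` list used by the KQL hunts above, and runs the same matching logic over a handful of constructed network events shaped like the projected columns. It goes one step beyond the KQL by recording whether a hit matched the full ip:port pair or only the IP, and it applies the internal-range exclusion described in the false-positive scenarios. The `10.0.0.0/8` range, the event records and the process names are all constructed assumptions.

```python
import ipaddress
import json
from typing import Optional

# The two indicators from the IOC table above, still defanged as published.
DEFANGED_IOCS = ["118[.]107[.]9[.]190:80", "192[.]109[.]139[.]139:80"]

# Hypothetical internal range for the "internal traffic" exclusion (constructed).
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]


def refang(value: str) -> str:
    """Undo the usual defanging conventions so the value can be compared to log fields."""
    return value.replace("[.]", ".").replace("hxxp://", "http://")


def parse_ioc(value: str) -> tuple[str, Optional[int]]:
    """Split an ip:port indicator into (ip, port); port is None for a bare IP."""
    clean = refang(value)
    ip, sep, port = clean.rpartition(":")
    if not sep:
        return clean, None
    return ip, int(port)


def kql_ip_list(iocs: list[str]) -> str:
    """Render the IP half of each IOC as the dynamic() literal the KQL hunts expect."""
    ips = [parse_ioc(v)[0] for v in iocs]
    return f"dynamic({json.dumps(ips)})"


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def hunt(events: list[dict], iocs: list[str]) -> list[dict]:
    """Return one hit per (event, IOC) pair, tagged with how much of the indicator matched."""
    parsed = [parse_ioc(v) for v in iocs]
    hits = []
    for ev in events:
        # Exclusion from the false-positive scenarios: traffic that stays inside the
        # internal ranges cannot involve these external C2 addresses.
        if is_internal(ev["src"]) and is_internal(ev["dst"]):
            continue
        for ip, port in parsed:
            if ev["dst"] == ip:
                # Outbound to the C2 address: the IOC port is the listener port,
                # so a destination-port match raises fidelity.
                fidelity = "ip:port" if port is None or ev["dport"] == port else "ip-only"
            elif ev["src"] == ip:
                # Inbound from the C2 address: the local destination port says
                # nothing about the listener port, so record an IP-only match.
                fidelity = "ip-only"
            else:
                continue
            hits.append({"ts": ev["ts"], "ioc": f"{ip}:{port}",
                         "fidelity": fidelity, "proc": ev["proc"]})
    return hits


# Constructed sample events shaped like the columns projected by the two hunts.
SAMPLE_EVENTS = [
    {"ts": "2026-06-16T08:01:12Z", "src": "10.0.4.23", "dst": "118.107.9.190",
     "dport": 80, "proc": "svchost.exe"},
    {"ts": "2026-06-16T08:03:40Z", "src": "10.0.4.23", "dst": "118.107.9.190",
     "dport": 443, "proc": "svchost.exe"},
    {"ts": "2026-06-16T08:05:02Z", "src": "10.0.4.50", "dst": "10.0.9.5",
     "dport": 80, "proc": "wget"},
    {"ts": "2026-06-16T08:07:19Z", "src": "192.109.139.139", "dst": "10.0.4.7",
     "dport": 51515, "proc": "explorer.exe"},
    {"ts": "2026-06-16T08:09:55Z", "src": "10.0.4.9", "dst": "203.0.113.10",
     "dport": 443, "proc": "curl"},
]

if __name__ == "__main__":
    print(kql_ip_list(DEFANGED_IOCS))
    for hit in hunt(SAMPLE_EVENTS, DEFANGED_IOCS):
        print(hit)
```

Run against the constructed events, the script reports three hits: one full ip:port match, one IP-only match on a different destination port, and one inbound IP-only match from the second C2 address; the internal-to-internal wget transfer and the unrelated external curl call produce nothing. Splitting fidelity this way lets an analyst prioritise the ip:port hits while still keeping IP-only hits visible, which the KQL alone does not distinguish.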