The detection identifies potential Quasar RAT activity through known IOCs, indicating an adversary may be establishing persistence and command and control within the network. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Quasar RAT before significant data exfiltration or system compromise occurs.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 154[.]23[.]189[.]196:14782 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 154[.]23[.]189[.]184:14782 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 62[.]60[.]226[.]185:6003 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 154[.]23[.]189[.]41:14782 | botnet_cc | 2026-06-11 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
let malicious_ips = dynamic(["154.23.189.184", "154.23.189.41", "62.60.226.185", "154.23.189.196"]);
CommonSecurityLog
// Match either direction: inbound from, or outbound to, a listed C2 address
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["154.23.189.184", "154.23.189.41", "62.60.226.185", "154.23.189.196"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// RemotePort and InitiatingProcessFileName help confirm a hit against the ip:port IOCs above
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
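The queries above match on IP only, whereas the IOCs are ip:port pairs. The following added example (not part of the original detection content) refangs the ThreatFox-style `ip[.]port` strings from the IOC table and classifies network events as an exact ip:port match, an IP-only match, or no match, so an analyst can triage hits on the same host over an unrelated port separately. The event records and hostnames are constructed sample data, not real telemetry.

```python
import re
from dataclasses import dataclass

# Defanged ip:port IOCs copied from the IOC Summary table above.
RAW_IOCS = [
    "154[.]23[.]189[.]196:14782",
    "154[.]23[.]189[.]184:14782",
    "62[.]60[.]226[.]185:6003",
    "154[.]23[.]189[.]41:14782",
]

def refang(ioc: str) -> tuple:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into an (ip, port) tuple."""
    m = re.fullmatch(r"(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})", ioc.strip())
    if not m:
        raise ValueError(f"unrecognised IOC format: {ioc!r}")
    return m.group(1).replace("[.]", "."), int(m.group(2))

IOC_SET = {refang(i) for i in RAW_IOCS}      # exact (ip, port) pairs
IOC_IPS = {ip for ip, _ in IOC_SET}          # IP-only view for weaker matches

@dataclass
class NetEvent:
    host: str
    remote_ip: str
    remote_port: int
    process: str

def classify(ev: NetEvent) -> str:
    """'c2_match' for an exact ip:port hit, 'ip_only' for the IP on another port, else 'none'."""
    if (ev.remote_ip, ev.remote_port) in IOC_SET:
        return "c2_match"
    if ev.remote_ip in IOC_IPS:
        return "ip_only"
    return "none"

# Constructed DeviceNetworkEvents-like records (hypothetical hosts and processes).
SAMPLE_EVENTS = [
    NetEvent("WS-0142", "154.23.189.196", 14782, "svchost.exe"),
    NetEvent("WS-0142", "154.23.189.196", 443, "chrome.exe"),
    NetEvent("SRV-DB01", "62.60.226.185", 6003, "Client.exe"),
    NetEvent("WS-0201", "10.0.0.5", 445, "explorer.exe"),
]

def hunt(events):
    """Return (host, ip, port, verdict) for every event that touches an IOC address."""
    return [(e.host, e.remote_ip, e.remote_port, classify(e))
            for e in events if classify(e) != "none"]
```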
Scenario: Legitimate System Monitoring Tool Installation
Description: A security team installs a legitimate system monitoring tool (e.g., SolarWinds Server & Application Monitor) that includes a file matching one of the Quasar RAT IOCs.
Filter/Exclusion: Exclude files signed by Microsoft or known security vendors, or filter by file paths containing “SolarWinds” or “monitoring”.
Scenario: Scheduled System Maintenance Job
Description: A scheduled job (e.g., PowerShell script via Task Scheduler) runs to clean temporary files or update system components, and the script includes a file matching a Quasar IOC.
Filter/Exclusion: Exclude files with execution contexts tied to system maintenance tasks, or filter by process names like schtasks.exe or taskhost.exe.
Scenario: Admin Tool for Log Collection
Description: An administrator uses a legitimate log collection tool (e.g., Splunk Universal Forwarder) that includes a binary matching a Quasar IOC due to a version mismatch or misconfiguration.
Filter/Exclusion: Exclude files associated with known log collection tools, or filter by file hashes matching known good versions of the tool.
Scenario: Antivirus Quarantine File
Description: A file matching a Quasar IOC is quarantined by an endpoint protection solution (e.g., Kaspersky Endpoint Security) during a scan, leading to a false positive.
Filter/Exclusion: Exclude files flagged by antivirus engines, or use a filter based on the presence of known antivirus quarantine directories.
Scenario: DevOps Pipeline Artifact
Description: A CI/CD pipeline (e.g., Jenkins) downloads a build artifact that includes a file matching a Quasar IOC due to a misconfigured dependency or third-party library.
Filter/Exclusion: Exclude files from known