The ThreatFox: Quasar RAT IOCs rule flags DNS queries to four domains that ThreatFox lists as command-and-control (botnet_cc) infrastructure for Quasar RAT, an open-source .NET remote access trojan used by a wide range of actors for persistent access and data exfiltration. SOC teams should hunt for this activity in Microsoft Sentinel (formerly Azure Sentinel); a hit means a host resolved a known C2 domain and should be triaged promptly rather than treated as informational.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 4
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gbp.cn.com | botnet_cc | 2026-03-18 | 100% |
| domain | obf.uk.com | botnet_cc | 2026-03-18 | 100% |
| domain | akashmehndiandtattooart.in.net | botnet_cc | 2026-03-18 | 100% |
| domain | fly88-zz.site | botnet_cc | 2026-03-18 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
// Requires the DnsEvents table (DNS data connector) to be populated
let malicious_domains = dynamic(["gbp.cn.com", "obf.uk.com", "akashmehndiandtattooart.in.net", "fly88-zz.site"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector that populates this table is enabled |
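The hunt above, re-implemented in Python over a few constructed DnsEvents-style records so the matching rules can be checked offline. This is an added example, not code from the ThreatFox page or the Sentinel rule; the hostnames, IP addresses and timestamps are made up. It makes explicit two things the KQL `has_any` line leaves implicit: names are compared case-insensitively with any trailing root dot removed (resolvers log both `GBP.CN.COM` and `gbp.cn.com.`), and a query for a subdomain of an IOC (`www.gbp.cn.com`) counts as a hit while a name that merely contains the IOC as a substring (`notgbp.cn.com`) does not.

```python
"""Offline re-implementation of the ThreatFox Quasar RAT DNS hunt.

Added example; not part of the original rule. All sample records below
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# The four ThreatFox IOCs from the table above.
MALICIOUS_DOMAINS = frozenset({
    "gbp.cn.com",
    "obf.uk.com",
    "akashmehndiandtattooart.in.net",
    "fly88-zz.site",
})


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the Sentinel DnsEvents columns the query projects."""
    time_generated: str
    computer: str
    name: str
    ip_addresses: str
    query_type: str


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name: str, iocs=MALICIOUS_DOMAINS) -> str | None:
    """Return the IOC that `name` equals or is a subdomain of, else None."""
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Equivalent of the KQL hunt: keep hits, newest first, tag the IOC."""
    hits = [(e, matched_ioc(e.name, iocs)) for e in events]
    hits = [(e, ioc) for e, ioc in hits if ioc is not None]
    hits.sort(key=lambda pair: pair[0].time_generated, reverse=True)
    return hits


# Constructed sample records (hostnames, IPs and timestamps are made up).
SAMPLE_EVENTS = [
    DnsEvent("2026-03-18T09:14:02Z", "ws-finance-07", "gbp.cn.com.", "203.0.113.10", "A"),
    DnsEvent("2026-03-18T09:15:31Z", "ws-finance-07", "www.OBF.uk.com", "203.0.113.11", "A"),
    DnsEvent("2026-03-18T09:16:05Z", "srv-build-01", "notgbp.cn.com", "198.51.100.5", "A"),
    DnsEvent("2026-03-18T09:16:44Z", "srv-build-01", "update.example.net", "198.51.100.6", "AAAA"),
    DnsEvent("2026-03-18T09:20:10Z", "ws-hr-02", "fly88-zz.site", "203.0.113.12", "A"),
]


def main():
    for event, ioc in hunt(SAMPLE_EVENTS):
        print(f"{event.time_generated} {event.computer:14} {event.name:22} -> {ioc}")


if __name__ == "__main__":
    main()
```

Running the script lists three hits (ws-hr-02, then the two ws-finance-07 queries) and drops the `notgbp.cn.com` lookup. If subdomain matches matter in the production query, the same intent can be stated in KQL with an explicit `endswith` check per IOC rather than relying on `has_any` term matching.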
The false-positive scenarios below are written for file and hash IOCs. The four IOCs in this rule are domains matched against DNS queries, so the hash and path exclusions apply only if the rule is extended with file indicators; for the DNS query itself, tune by allowlisting specific hosts (for example sandbox or threat-intel systems) rather than by file attributes.
Scenario: Legitimate System Monitoring Tool Installation
Description: A security team installs a legitimate system monitoring tool (e.g., SolarWinds Server & Application Monitor) that ships a file matching a Quasar RAT IOC.
Filter/Exclusion: Check the file's digital signature and hash against the vendor's published hashes for that release. Exclude only files that are validly signed by SolarWinds and whose hashes appear in the tool's legitimate hash set; a signature alone is not sufficient if the hash does not match.
Scenario: Scheduled Administrative Task
Description: A scheduled task (Task Scheduler job) runs a PowerShell script for routine system maintenance, and a file it executes or touches matches a Quasar RAT IOC.
Filter/Exclusion: Exclude executions launched by Task Scheduler that use a known, approved script name or path, for example C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe with a specific, documented command-line argument. Key the exclusion on the full command line and the task name, not the interpreter path alone, since any attacker can launch powershell.exe.
Scenario: Software Update Process
Description: A software update process (e.g., Microsoft Update or Windows Server Update Services) downloads a file that matches a Quasar RAT IOC.
Filter/Exclusion: Exclude only files fetched from Microsoft update endpoints (e.g., https://download.microsoft.com) whose hash matches the vendor's published update hash. If the match stems from a compromised update server, it is a true positive, not a false positive, and must not be excluded.
Scenario: Log Management Tool Configuration
Description: A log management tool (e.g., Splunk or ELK Stack) is configured to collect logs from a system, and one of the tool's configuration files matches a Quasar RAT IOC.
Filter/Exclusion: Exclude files in the tool's known installation directories (e.g., C:\Program Files\Splunk\) only when their hash matches a known legitimate configuration hash; a directory-only exclusion is trivially abused by dropping a payload into that path.
Scenario: Backup Job Execution
Description: A backup job (e.g., **Veeam Backup &