Quasar RAT
Also known as: QuasarRAT, CinaRAT, Yggdrasil, xRAT
Quasar RAT is an open-source .NET remote administration tool first released in 2014 as xRAT, renamed to Quasar in August 2015 by developer MaxXor. Licensed under MIT, the GitHub repository has been forked over 900 times. Its source availability and full feature set have made it one of the most commonly adopted RATs by both commodity operators and state-sponsored groups.
The C2 protocol uses raw TCP (default port 4782) with Protocol Buffers v3 serialization and AES-256 encryption in CBC mode. Keys are derived via PBKDF2 with a hardcoded salt embedded at build time. Later versions wrap traffic in TLS using a self-signed certificate with default subject "Quasar Server CA". The initial server-to-client packet is a fixed 68 bytes, which is the strongest network detection signature.
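As an added example (not code from the profile or from any of the linked reports), the following Python triage helper scores a summarized TCP flow against the network indicators listed above: the default port 4782, the fixed 68-byte first server-to-client payload, the default self-signed TLS subject, and payload entropy consistent with AES-encrypted traffic. The `Flow` record, the entropy cut-off and the sample flows in the test are constructed assumptions, not values from the page.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the profile: default port, fixed-size first server-to-client
# packet, default TLS subject. The entropy cut-off is an assumed tuning value.
DEFAULT_PORT = 4782
FIRST_S2C_LEN = 68
DEFAULT_TLS_SUBJECT = "Quasar Server CA"
ENTROPY_CUTOFF = 0.9  # fraction of the maximum entropy reachable at the payload length

@dataclass
class Flow:
    """Summary of one TCP connection (constructed record, not a pcap parser)."""
    dst_port: int
    first_s2c: bytes        # first payload the server sends to the client
    tls_subject: str = ""   # certificate subject if TLS was observed, else ""

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the ceiling for random data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def normalized_entropy(data: bytes) -> float:
    """Entropy as a fraction of the maximum reachable at this length: 68 distinct bytes
    top out at log2(68) ~ 6.09 bits/byte, so a fixed 7.0 cut-off would never fire."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / min(8.0, math.log2(len(data)))

def score_flow(flow: Flow) -> list:
    """Return the names of the Quasar-style indicators this flow matches."""
    hits = []
    if flow.dst_port == DEFAULT_PORT:
        hits.append("default-port-4782")
    if len(flow.first_s2c) == FIRST_S2C_LEN:
        hits.append("68-byte-first-s2c-packet")
    if normalized_entropy(flow.first_s2c) >= ENTROPY_CUTOFF:
        hits.append("high-entropy-payload")
    if flow.tls_subject == DEFAULT_TLS_SUBJECT:
        hits.append("default-tls-subject")
    return hits

def is_suspicious(flow: Flow, min_hits: int = 2) -> bool:
    """Flag a flow only when two independent indicators agree, to limit false positives."""
    return len(score_flow(flow)) >= min_hits
```

Requiring two indicators means a build moved off port 4782 is still flagged by the 68-byte first packet plus its entropy, while a plaintext banner on an unrelated port is not.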
Capabilities include remote desktop, keylogging with window-title context, file management, webcam and screen capture, credential recovery from browsers, remote shell, registry editing, reverse proxy, and download-and-execute for secondary payloads. Persistence uses scheduled tasks and registry run keys.
Quasar has been picked up by a wide range of threat actors. APT10/Stone Panda used custom builds with in-memory .NET loading against EMEA targets. Patchwork/Dropping Elephant delivered it via RTF exploits to US policy think tanks. Blind Eagle/APT-C-36 runs a customized "BlotchyQuasar" variant targeting Colombian financial institutions with banking-specific keylogging. Gorgon Group, Kimsuky, and APT33 have also used it in espionage operations. The VERMIN campaign paired Quasar with custom malware to target Ukrainian government entities.
Delivery methods include spear-phishing with weaponized documents, DLL sideloading chains abusing trusted Windows binaries, image-based steganography hiding payloads in BMP/PNG pixel data, ISO images, and self-extracting archives with decoy documents.
Linked Threat Actors
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 14, 2026 | 49 |
| Apr 13, 2026 | 47 |
| Apr 12, 2026 | 68 |
| Apr 11, 2026 | 43 |
| Apr 10, 2026 | 76 |
| Apr 9, 2026 | 39 |
| Apr 8, 2026 | 72 |
Further Reading
US government analysis with Snort signatures, the 68-byte TCP payload detection signature, and HTTP-based detection rules.
Uptycs analysis of the 2023 dual DLL sideloading evasion using trusted Windows binaries (ctfmon.exe, calc.exe) with process hollowing.
Sekoia's hands-on config extraction using Python + dnlib. Covers AES-256/CBC/PBKDF2 internals, IL opcode analysis, and published extractor code.
Practical C2 hunting guide. Extracts config via dnSpy, pivots to 64 live servers via Shodan/Censys certificate queries on the default CN.
Zscaler analyzes Quasar's non-HTTP TCP protocol in depth: AES packet structure, length-prefix framing, and entropy-based network detection.
BlackBerry's deep dive into APT10's custom Quasar loader: 64-bit service DLL, CppHostCLR in-memory .NET loading, ConfuserEx obfuscation.
Volexity documents Patchwork delivering Quasar via CVE-2017-8570 RTF exploits to US policy organizations including CFR and CSIS.
Unit 42 documents the Ukraine-targeting campaign (2015-2018) pairing Quasar with the custom VERMIN RAT via SFX delivery with decoy documents.
Splunk reverse-engineers the steganography loader hiding Quasar in BMP/PNG pixel data (RGB channel extraction). Includes Snort rules.
Zscaler's analysis of Blind Eagle's customized Quasar variant with banking-specific credential harvesting for Colombian financial institutions.