S0262: QuasarRAT
Analyst context for executives and security teams
QuasarRAT matters because it is a publicly available Windows remote access tool, not a one-off malware family. Its open-source availability lowers the barrier for different actors to reuse or modify it, so defenders should treat it as a coverage problem around RAT behaviors: persistence, discovery, command execution, credential and data collection, file transfer, remote access, and command-and-control.
Executive priority
Prioritize validation of Windows endpoint, identity, and network visibility rather than relying on a single signature for QuasarRAT. The ATT&CK relationships show use by multiple named groups and a broad set of techniques, making this relevant to incident readiness, audit evidence for endpoint controls, and resilience against remote-control intrusions that can support espionage or follow-on compromise.
Technical view
The object is a Windows tool with no official ATT&CK detection text. SOC and IR teams should validate behavioral coverage for the related techniques: command shell execution, scheduled task creation, registry Run key/startup persistence, registry modification, UAC bypass indicators, RDP logons, system/user/network/application-window discovery, local data and credential-file access, keylogging or video-capture indicators where telemetry exists, ingress tool transfer, proxy behavior, and non-application-layer C2 patterns. Because QuasarRAT is open source, detections should not depend only on static names or hashes.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Scheduled task creation and modification events
- Windows Registry modification telemetry, especially Run keys and startup locations
- Authentication and logon telemetry for RDP sessions
- Endpoint file creation, download, and tool-transfer evidence
Detection direction
- Map existing detections to the related ATT&CK techniques instead of treating QuasarRAT as a single indicator-based alert.
- Tune for suspicious combinations: persistence plus command shell execution, discovery followed by file transfer, or RDP activity paired with new tools or registry changes.
- Review false positives for administrative tools that legitimately create scheduled tasks, modify Run keys, use RDP, or transfer files.
- Confirm whether endpoint telemetry can observe collection behaviors such as keylogging, camera access, and credential-file searching; many environments have blind spots here.
- Use relationship context as threat-intelligence enrichment only; the supplied data supports that multiple groups have used the tool, not that any specific actor is present in a local incident.
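The combinations named above, worked through as an added example (this is not code from the ATT&CK page or from the QuasarRAT project): a Python correlation that tags constructed, Sysmon-style endpoint events by behavior and reports, per host, which combination fired inside a time window. The event shape (`host`, `ts`, `type`, `detail`), the 30-minute window, the image-name lists and the user-writable path list are assumptions to be tuned against local telemetry; the lone scheduled task on the third host is deliberately left unflagged, in line with the false-positive note above.

```python
"""Correlate Windows endpoint events into the suspicious combinations above.

Added example, not code from the ATT&CK page or the QuasarRAT project. The
event shape (host, ts, type, detail), the 30-minute window and the image-name
lists are assumptions meant to be tuned against local telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a Sysmon-like shape (not real logs).
EVENTS = [
    # WS-101: Run-key persistence, a command shell, discovery, then a new binary.
    {"host": "WS-101", "ts": "2024-05-01T09:00:05", "type": "registry_set",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client"},
    {"host": "WS-101", "ts": "2024-05-01T09:00:40", "type": "process_create",
     "detail": "cmd.exe /c whoami"},
    {"host": "WS-101", "ts": "2024-05-01T09:01:10", "type": "process_create",
     "detail": "ipconfig.exe /all"},
    {"host": "WS-101", "ts": "2024-05-01T09:03:00", "type": "file_create",
     "detail": r"C:\Users\alice\AppData\Roaming\tool.exe"},
    # WS-202: RDP logon (type 10) followed by a service registry change.
    {"host": "WS-202", "ts": "2024-05-01T10:00:00", "type": "logon",
     "detail": "type=10 user=admin"},
    {"host": "WS-202", "ts": "2024-05-01T10:20:00", "type": "registry_set",
     "detail": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath"},
    # WS-303: a scheduled task on its own, as an admin tool would create.
    {"host": "WS-303", "ts": "2024-05-01T11:00:00", "type": "sched_task",
     "detail": r"\Backup\Nightly"},
]

RUN_KEY = r"\Microsoft\Windows\CurrentVersion\Run".lower()
SHELL_IMAGES = ("cmd.exe", "powershell.exe")
DISCOVERY_IMAGES = ("whoami", "ipconfig", "systeminfo", "net.exe", "tasklist", "hostname")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\")

# Each combination: (anchor tag, set of partner tags, must the partner follow the anchor?)
COMBOS = {
    "persistence_and_shell": ("persistence", {"shell"}, False),
    "discovery_then_transfer": ("discovery", {"new_tool"}, True),
    "rdp_with_new_tool_or_registry": ("rdp", {"new_tool", "registry_change"}, True),
}


def classify(event):
    """Map one raw event to a set of behavior tags used by the combinations."""
    kind, detail = event["type"], event["detail"].lower()
    tags = set()
    if kind == "registry_set":
        tags.add("registry_change")
        if RUN_KEY in detail:          # T1547.001-style autostart entry
            tags.add("persistence")
    elif kind == "sched_task":         # T1053.005
        tags.add("persistence")
    elif kind == "process_create":
        image = detail.split()[0]
        if image.endswith(SHELL_IMAGES):        # T1059.003
            tags.add("shell")
        if image.startswith(DISCOVERY_IMAGES):  # T1016 / T1033 / T1082 style discovery
            tags.add("discovery")
    elif kind == "file_create":        # T1105-style dropped binary
        if detail.endswith((".exe", ".dll")) and any(p in detail for p in USER_WRITABLE):
            tags.add("new_tool")
    elif kind == "logon" and "type=10" in detail:   # T1021.001 interactive RDP logon
        tags.add("rdp")
    return tags


def correlate(events, window_minutes=30):
    """Return {host: sorted combination names} for hosts where a combination fires."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), classify(e)))
    findings = {}
    for host, tagged in by_host.items():
        hits = set()
        for name, (anchor, partners, ordered) in COMBOS.items():
            for t_a, tags_a in tagged:
                if anchor not in tags_a:
                    continue
                for t_b, tags_b in tagged:
                    if not (tags_b & partners):
                        continue
                    delta = t_b - t_a
                    if ordered and delta < timedelta(0):
                        continue
                    if abs(delta) <= window:
                        hits.add(name)
        if hits:
            findings[host] = sorted(hits)
    return findings


if __name__ == "__main__":
    for host, combos in correlate(EVENTS).items():
        print(host, combos)
```

Running it reports WS-101 for both persistence-plus-shell and discovery-then-transfer and WS-202 for the RDP combination; WS-303 produces nothing. Shrinking the window (for example to one minute) drops the slower discovery-to-transfer sequence, which is the knob to turn when a rule is too noisy for a given environment.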
Mitigation priorities
- Harden Windows endpoints against unauthorized persistence through scheduled tasks, startup folders, and registry Run keys.
- Restrict and monitor RDP exposure and require strong account controls for remote access.
- Apply least privilege and reduce local administrator rights to limit UAC bypass and persistence opportunities.
- Control outbound traffic and investigate unusual proxy or non-standard protocol communications.
- Reduce credential exposure in files through secrets hygiene, configuration review, and access control.
Analyst notes and limits
ATT&CK identifies QuasarRAT as an open-source C# remote access tool publicly available on GitHub since at least 2014. The supplied relationships connect it to multiple groups and many techniques, but the object itself has no specified tactics and no official detection guidance.
This take is limited to the supplied ATT&CK fields, references, and relationships. It does not assert current exploitation, customer exposure, specific indicators, malware variants, or guaranteed detection. Local telemetry, baselines, and incident evidence are required to determine coverage and relevance.
QuasarRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1021.001 | Remote Desktop Protocol (sub-technique) | QuasarRAT has a module for performing remote desktop access. (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018) |
| Enterprise | T1056.001 | Keylogging (sub-technique) | QuasarRAT has a built-in keylogger. (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018; Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | QuasarRAT uses AES with a hardcoded pre-shared key to encrypt network communication. (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018; CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | QuasarRAT can obtain passwords from common web browsers. (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018; Kaspersky BlindEagle AUG 2024) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | If the QuasarRAT client process does not have administrator privileges it will add a registry key to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for persistence. (Citation: GitHub QuasarRAT; CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A` though QuasarRAT can only be run on Windows systems. (Citation: CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1082 | System Information Discovery | QuasarRAT can gather system information from the victim’s machine including the OS type. (Citation: GitHub QuasarRAT) |
| Enterprise | T1105 | Ingress Tool Transfer | QuasarRAT can download files to the victim’s machine and execute them. (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018) |
| Enterprise | T1614 | System Location Discovery | QuasarRAT can determine the country a victim host is located in. (Citation: CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1112 | Modify Registry | QuasarRAT has a command to edit the Registry on the victim’s machine. (Citation: GitHub QuasarRAT; CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1564.001 | Hidden Files and Directories (sub-technique) | QuasarRAT has the ability to set file attributes to "hidden" to hide files from the compromised user's view in Windows File Explorer. (Citation: CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1033 | System Owner/User Discovery | QuasarRAT can enumerate the username and account type. (Citation: CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1548.002 | Bypass User Account Control (sub-technique) | QuasarRAT can generate a UAC pop-up Window to prompt the target user to run a command as the administrator. (Citation: CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1005 | Data from Local System | QuasarRAT can retrieve files from compromised client machines. (Citation: CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1095 | Non-Application Layer Protocol | QuasarRAT can use TCP for C2 communication. (Citation: CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1016 | System Network Configuration Discovery | QuasarRAT has the ability to enumerate the Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org observed with user-agent string `Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0`. (Citation: CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1555 | Credentials from Password Stores | QuasarRAT can obtain passwords from common FTP clients. (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018) |
| Enterprise | T1552.001 | Credentials In Files (sub-technique) | QuasarRAT can obtain passwords from FTP clients. (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | QuasarRAT can launch a remote shell to execute commands on the victim’s machine. (Citation: GitHub QuasarRAT; CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1090 | Proxy | QuasarRAT can communicate over a reverse proxy using SOCKS5. (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018) |
| Enterprise | T1571 | Non-Standard Port | QuasarRAT can use port 4782 on the compromised host for TCP callbacks. (Citation: CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1553.002 | Code Signing (sub-technique) | A QuasarRAT .dll file is digitally signed by a certificate from AirVPN. (Citation: Volexity Patchwork June 2018) |
| Enterprise | T1010 | Application Window Discovery | |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot. (Citation: Volexity Patchwork June 2018; CISA AR18-352A Quasar RAT December 2018) |
| Enterprise | T1125 | Video Capture | QuasarRAT can perform webcam viewing. (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018) |
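The concrete observables in the table (the WAN-IP lookup services and the Firefox/48.0 user-agent under T1016, and TCP callbacks on port 4782 under T1571) are enrichment to place beside behavioral rules, not a replacement for them, since an open-source tool's port and strings are trivially changed. The following added example (not code from the ATT&CK page, CISA, or the QuasarRAT project) refangs the `[.]`-defanged domains and scans constructed proxy and flow records for both signals, scoring a host higher when both are present. The log line formats, host names and addresses are assumptions; only the domains, user-agent string and port come from the table.

```python
"""Network-side checks built from the observables in the technique table above.

Added example, not code from the ATT&CK page or the QuasarRAT project. It
refangs the defanged lookup-service domains, then scans constructed proxy and
flow records for (a) WAN-IP lookups carrying the documented user-agent and
(b) outbound TCP to the documented callback port. Log formats are assumptions;
the port and user-agent are tunable observables, not a signature.
"""
import re
from collections import defaultdict

# Observables taken from the table rows for T1016 and T1571.
WAN_IP_SERVICES_DEFANGED = ["ip-api[.]com", "freegeoip[.]net", "api[.]ipify[.]org"]
WAN_IP_UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"
CALLBACK_PORT = 4782


def refang(domain):
    """Turn a defanged domain such as ip-api[.]com back into a matchable name."""
    return domain.replace("[.]", ".").lower()


WAN_IP_SERVICES = {refang(d) for d in WAN_IP_SERVICES_DEFANGED}

# Constructed proxy log format (assumption): <ts> <src_host> <method> <url> "<user-agent>" <status>
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample records (not real logs). WS-404 does a lookup with curl,
# which should not match; WS-606 uses UDP to the port, which should not match.
PROXY_LOG = """\
2024-05-01T09:05:01 WS-101 GET http://ip-api.com/json/ "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0" 200
2024-05-01T09:05:02 WS-101 GET http://api.ipify.org/ "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0" 200
2024-05-01T09:07:10 WS-404 GET https://api.ipify.org/?format=json "curl/8.4.0" 200
2024-05-01T09:08:00 WS-505 GET https://example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0" 200
"""

# Constructed flow records (assumption): <ts> <src_host> <dst_ip> <dst_port> <proto>
FLOW_LOG = """\
2024-05-01T09:05:30 WS-101 203.0.113.7 4782 tcp
2024-05-01T09:06:00 WS-404 203.0.113.9 443 tcp
2024-05-01T09:09:00 WS-606 198.51.100.2 4782 udp
"""


def host_of_url(url):
    """Extract the lowercase host part of a URL (empty string if unparsable)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def scan_proxy(log):
    """Return {host: [urls]} for WAN-IP lookups paired with the documented user-agent."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if m and host_of_url(m["url"]) in WAN_IP_SERVICES and m["ua"] == WAN_IP_UA:
            hits[m["host"]].append(m["url"])
    return dict(hits)


def scan_flows(log, port=CALLBACK_PORT):
    """Return {host: [dst_ip]} for outbound TCP flows to the callback port."""
    hits = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, host, dst, dport, proto = parts
        if proto == "tcp" and int(dport) == port:
            hits[host].append(dst)
    return dict(hits)


def score_hosts(proxy_log, flow_log):
    """Combine both signals; a host showing both is a stronger lead than either alone."""
    proxy_hits, flow_hits = scan_proxy(proxy_log), scan_flows(flow_log)
    out = {}
    for host in sorted(set(proxy_hits) | set(flow_hits)):
        signals = []
        if host in proxy_hits:
            signals.append("wan_ip_lookup_with_documented_ua")
        if host in flow_hits:
            signals.append("tcp_to_callback_port")
        out[host] = signals
    return out


if __name__ == "__main__":
    for host, signals in score_hosts(PROXY_LOG, FLOW_LOG).items():
        print(host, signals)
```

Only WS-101 is reported, with both signals; the curl-based lookup and the UDP flow are dropped on purpose so that legitimate geolocation checks and unrelated port use do not raise the same alert. Swap the constants for locally observed values as the tool's configuration changes across deployments.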
Groups, software, and campaigns
G0040: Patchwork
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1][2][3][4]
G0140: LazyScripter
LazyScripter is a threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.[1]
G0078: Gorgon Group
Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.[1]
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
G0135: BackdoorDiplomacy
BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.[1]
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under MITRE's ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | a58e9da18a8c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] GitHub QuasarRAT: MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
- [2] Volexity Patchwork June 2018: Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- [3] QuasarRAT (Citation: GitHub QuasarRAT; Volexity Patchwork June 2018; TrendMicro Patchwork Dec 2017)
- [4] Securelist APT10 March 2021: GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- [5] TrendMicro Patchwork Dec 2017: Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- [6] mitre-attack S0262 (MITRE ATT&CK source object)
- [7] xRAT (Citation: TrendMicro Patchwork Dec 2017; Securelist APT10 March 2021)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.