THE HUNTER’S LEDGER
Multi-Stage RAT · October 17, 2025

QuasarRAT + Xworm + PowerShell Loader

Campaign Identifier: QuasarRAT-Xworm-PowerShell-Campaign
Last Updated: October 17, 2025
Threat Level: MEDIUM


BLUF (Bottom Line Up Front)

A VBScript stager fetches a PowerShell script disguised as update.png, executes it in memory, and uses it to disable Microsoft Defender across the entire C:\ drive before deploying two commodity remote access trojans — QuasarRAT and XWorm — both communicating to 193[.]233[.]164[.]21 via dns4up[.]duckdns[.]org. Any victim where this chain ran has lost endpoint visibility and carries persistent, full-capability remote access. See the Technical Analysis section for the loader chain and RAT capabilities; see Detection & Response Guidance for immediate priorities.

Key Risk Factors

Risk Factor | Score | Business Impact
Security Control Disabling | 9/10 | Complete Microsoft Defender bypass enabling unrestricted malicious activity
Fileless Execution | 8/10 | Memory-based execution evades traditional file-based detection
Remote Access Trojans | 8/10 | Full system control with data theft, surveillance, and lateral movement capabilities
Persistence Mechanisms | 7/10 | Long-term unauthorized access via multiple RAT deployment paths

Technical Analysis

Overview

This campaign delivers QuasarRAT and XWorm to the same victim in a single chain: a VBScript stager launches PowerShell, which fetches update.png from 193[.]233[.]164[.]21, executes it in memory as a script block, disables Defender, then deploys both RAT binaries. The .png extension is deliberate misdirection — the payload is a PowerShell script, not an image.

Loader Chain

Analyst note: This section describes a multi-stage fileless loading technique. “Fileless” means the malicious script never touches disk as an executable — it runs entirely in memory, defeating security tools that scan files at rest. Each stage hands off to the next without writing a traditional binary.

  • The VBScript stager constructs a PowerShell command string and invokes it.
  • PowerShell uses .NET System.Net.Http.HttpClient to fetch update.png from the remote server.
  • Despite the .png extension, the file is a text-based PowerShell script.
  • The script is read into memory, compiled into a [ScriptBlock], and executed immediately via .Invoke().

Defense Evasion

Analyst note: Before deploying the RATs, the loader surgically removes Windows’ built-in antivirus coverage. The technique requires no exploits — it calls a legitimate Windows management API to tell Defender to ignore the entire system.

The PowerShell payload calls Add-MpPreference to add Defender exclusions for:

  • The entire C:\ drive
  • Processes: powershell.exe, wscript.exe, cmd.exe, cvtres.exe

These exclusions blind Defender to all subsequent activity on the host.
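The defensive inverse of the exclusion step above, as an added example that is not part of this report: it enumerates the current Defender exclusions, flags the pattern this loader creates (a bare drive-root path plus script-host process exclusions), and removes them only when explicitly asked. It assumes the host exposes the Defender cmdlets (Get-MpPreference / Remove-MpPreference) and is run from an elevated session; the process list is taken from the report.

```powershell
# Added example (not from the report): audit and remediate the Defender exclusions
# this campaign adds. Run elevated on the host under investigation.

# Process exclusions the report attributes to the loader
$suspectProcesses = @('powershell.exe', 'wscript.exe', 'cmd.exe', 'cvtres.exe')

function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference

    # A bare drive root (C:\ or C:) as an exclusion blinds Defender to the whole volume.
    $badPaths = @($pref.ExclusionPath | Where-Object { $_ -match '^[A-Za-z]:\\?$' })

    # Exclusions may be stored as a bare name or a full path; compare on the file name.
    $badProcs = @($pref.ExclusionProcess | Where-Object {
        $suspectProcesses -contains ([System.IO.Path]::GetFileName($_)).ToLower()
    })

    [PSCustomObject]@{
        DriveRootExclusions = $badPaths
        ProcessExclusions   = $badProcs
    }
}

function Remove-SuspiciousDefenderExclusions {
    # Report-only by default; pass -Remove to actually delete the exclusions.
    param([switch]$Remove)

    $found = Get-SuspiciousDefenderExclusions
    if ($Remove) {
        if ($found.DriveRootExclusions.Count -gt 0) {
            Remove-MpPreference -ExclusionPath $found.DriveRootExclusions
        }
        if ($found.ProcessExclusions.Count -gt 0) {
            Remove-MpPreference -ExclusionProcess $found.ProcessExclusions
        }
    }
    $found
}

# Review the findings first, then re-run with -Remove once they are confirmed.
Remove-SuspiciousDefenderExclusions
```

Preserve the output of the report-only run before removing anything, since the exclusion list itself is forensic evidence of the intrusion.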

RAT Deployment

Analyst note: With Defender disabled, the loader drops two separate remote access trojans (RATs — malware that gives attackers full keyboard, file, and screen control of a victim machine). Running both provides redundancy: removing one does not restore security.

Once exclusions are in place, the loader deploys:

  • QuasarRAT: a .NET-based remote access trojan, approximately 2–3 MB, with configs typically embedded in binary resources.
  • XWorm: a lightweight (~70 KB) commodity RAT with obfuscated strings.

Both provide persistence, remote control, and data theft capabilities; both communicate to dns4up[.]duckdns[.]org.

Infrastructure Overview

Infrastructure Component | Value | Role in Attack Chain
Dynamic DNS Domain | dns4up[.]duckdns[.]org | Primary C2 domain for RAT communication
Hosting IP | 193.233.164.21 | Infrastructure hosting malicious payloads
Payload Disguise | update.png | PowerShell script disguised as image file

Attack Chain Components

Component | Technology | Purpose
Initial Loader | VBScript | Constructs PowerShell execution command
Delivery Mechanism | PowerShell + .NET HttpClient | Downloads and executes malicious script in memory
Defense Evasion | PowerShell exclusions | Disables Microsoft Defender completely
Primary RAT | QuasarRAT (.NET) | Full-featured remote access trojan (~2–3 MB)
Secondary RAT | XWorm | Lightweight commodity RAT (~70 KB)

Pivoting Strategy

Analysts can pivot on:

  • File names: update.png, update.ps1
  • Strings: Add-MpPreference, ExclusionPath, HttpClient.GetAsync
  • Domains/IPs: DuckDNS subdomains, 193.233.164.21
  • Malware traits: QuasarRAT embedded configs, XWorm obfuscation patterns

Attack Tactics & Procedures

MITRE ATT&CK Mapping

Confidence note: all rows below are HIGH confidence unless explicitly marked (MODERATE).

Tactic / Technique | Name | Evidence
Execution / T1059.001 | PowerShell | Fileless script block executed in memory via .Invoke()
Defense Evasion / T1562.001 | Disable or Modify Tools | Defender exclusions added via Add-MpPreference for entire C:\ drive and key processes
Persistence / T1543.003 | Windows Service | RAT deployment establishes long-term access (MODERATE)
Command and Control / T1071.001 | Web Protocols | HTTP/HTTPS communication to 193.233.164.21 via dns4up.duckdns.org
Execution / T1059.005 | Visual Basic | VBScript stager constructs and launches the PowerShell download command

Threat Hunting Indicators

Indicator Type | Value | Hunting Method
File Names | update.png, update.ps1 | File system monitoring, EDR alerts
PowerShell Strings | Add-MpPreference, ExclusionPath, HttpClient.GetAsync | PowerShell logging, script block analysis
Network Indicators | dns4up.duckdns.org, 193.233.164.21 | DNS monitoring, network traffic analysis
Malware Signatures | QuasarRAT configs, XWorm obfuscation | Memory analysis, YARA rules

Detection & Response Guidance

Immediate Priorities

  1. Isolate potentially compromised systems from the network
  2. Restore Microsoft Defender functionality and remove all added exclusions
  3. Scan for QuasarRAT and XWorm binaries on affected hosts
  4. Audit PowerShell execution logs for suspicious script block activity
  5. Block outbound access to dns4up.duckdns.org and 193.233.164.21

Longer-Term Detection Posture

  • Enable PowerShell script block logging and module logging to surface in-memory execution
  • Monitor for Add-MpPreference calls that add drive-wide or process-level exclusions
  • Deploy behavioral detection rules that alert on VBScript spawning PowerShell with download activity
  • Hunt for HttpClient.GetAsync calls fetching files with image extensions from external hosts
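A hunt over script block logs that covers the last three bullets above, as an added example that is not part of this report: it reads PowerShell event ID 4104 (Microsoft-Windows-PowerShell/Operational), matches the strings the report lists, and flags any single block that both adds a Defender exclusion and fetches an image-named file. It assumes script block logging is already enabled on the host; the seven-day window and the pattern list are this example's choices.

```powershell
# Added example (not from the report): hunt 4104 script block events for this
# campaign's loader strings. Requires script block logging to be enabled.

# Strings from the report's hunting indicators, as regular expressions
$patterns = @(
    'Add-MpPreference',
    'ExclusionPath',
    'HttpClient',
    'GetAsync',
    '\.png'          # the update.png disguise
)

function Find-SuspiciousScriptBlocks {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # For 4104, Properties[2] is ScriptBlockText and Properties[3] is ScriptBlockId.
        $text = [string]$_.Properties[2].Value
        $hits = @($patterns | Where-Object { $text -match $_ })
        if ($hits.Count -gt 0) {
            [PSCustomObject]@{
                TimeCreated   = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Matches       = ($hits -join ', ')
                # Exclusion + image-named download in one block is the loader's signature
                LoaderPattern = ($text -match 'Add-MpPreference') -and
                                ($text -match 'GetAsync') -and
                                ($text -match '\.png')
                Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Find-SuspiciousScriptBlocks | Sort-Object LoaderPattern -Descending | Format-Table -AutoSize
```

Long scripts are logged as several 4104 fragments, so a LoaderPattern of False on one fragment does not clear the script; group by ScriptBlockId before concluding.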

Frequently Asked Questions

Q: Why is fileless execution particularly dangerous? It evades traditional file-based detection, leaves minimal forensic artifacts, and bypasses security controls that rely on file scanning.

Q: How does the PowerShell exclusion mechanism work? The script calls Add-MpPreference to add exclusions for the entire C:\ drive and specific processes, removing Defender coverage for all subsequent activity.

Q: What makes the .png disguise effective? Some network monitoring systems inspect image-extension files less aggressively than executable extensions, allowing the PowerShell script to pass initial filters.


License

© 2026 Joseph. All rights reserved. See LICENSE for terms.


High Priority IOCs
  • 193[.]233[.]164[.]21 Quasar + XWorm C2 server
  • dns4up[.]duckdns[.]org Dynamic DNS C2 domain