Qrypter RAT Hits Hundreds of Organizations Worldwide

Hundreds of organizations all around the world have been targeted in a series of attacks that leverage the Qrypter remote access Trojan (RAT), security firm Forcepoint says.

The malware, often mistaken for the Adwind cross-platform backdoor, has been around for a couple of years, and was developed by an underground group called ‘QUA R&D’, which offers a Malware-as-a-Service (MaaS) platform.

Also known as Qarallax, Quaverse, QRAT, and Qontroller, Qrypter is a Java-based RAT that leverages TOR-based command and control (C&C) servers, Forcepoint explains. It was first detailed in June 2016, after being used in an attack targeting individuals applying for a U.S. Visa in Switzerland.

The malware is typically delivered via malicious email campaigns that usually consist of only a few hundred messages each. However, Qrypter continues to rise in prominence, and three Qrypter-related campaigns observed in February 2018 affected 243 organizations in total, Forcepoint’s security researchers say.

When executed on a victim’s system, Qrypter drops and runs two VBS files in the %Temp% folder, each featuring a random filename. The two scripts are meant to gather information on the firewall and anti-virus products installed on the computers.
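The behaviour described above can be hunted for in process-creation telemetry. The following is an added example, not code from Forcepoint or the article: it flags a Java process that launches two or more distinct `.vbs` files from a Temp directory. The Sysmon-style field names, the sample events, and the assumption that the scripts run through the Windows Script Host (`wscript.exe`/`cscript.exe`) as children of `java.exe`/`javaw.exe` are constructed for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

JAVA_HOSTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
# A .vbs file sitting directly inside a Temp directory (what %Temp% expands to).
TEMP_VBS = re.compile(r'([a-z]:\\[^"]*?\\temp\\[^"\\]+\.vbs)', re.IGNORECASE)

TEMP = r"C:\Users\alice\AppData\Local\Temp"
# Constructed process-creation events; field names follow Sysmon Event ID 1.
EVENTS = [
    {"ParentProcessId": 4120, "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": 'cscript.exe "' + TEMP + r'\kq3x9a.vbs"'},
    {"ParentProcessId": 4120, "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": 'cscript.exe "' + TEMP + r'\zp71mm.vbs"'},
    {"ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Desktop\report.vbs"'},
    {"ParentProcessId": 5555, "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'wscript.exe "' + TEMP + r'\m2v0qd.vbs"'},
]

def java_spawned_temp_vbs(events):
    """Map each Java parent PID to the distinct Temp .vbs paths it launched."""
    hits = defaultdict(set)
    for ev in events:
        if basename(ev["ParentImage"]).lower() not in JAVA_HOSTS:
            continue
        if basename(ev["Image"]).lower() not in SCRIPT_HOSTS:
            continue
        match = TEMP_VBS.search(ev["CommandLine"])
        if match:
            hits[ev["ParentProcessId"]].add(match.group(1).lower())
    return {pid: sorted(paths) for pid, paths in hits.items()}

def suspicious_parents(events, min_scripts=2):
    """Java PIDs that ran at least min_scripts different Temp .vbs files."""
    found = java_spawned_temp_vbs(events)
    return [pid for pid, paths in found.items() if len(paths) >= min_scripts]

if __name__ == "__main__":
    print(suspicious_parents(EVENTS))
```

Because the script filenames are random, the rule keys on the parent/child relationship and the Temp location rather than on names; a single Java-launched script (PID 5555 in the sample) stays below the default threshold.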

Qrypter is a plugin-based backdoor that provides attackers with a broad range of capabilities: remote desktop connection, webcam access, file system manipulation, installation of additional files, and task manager control.

The RAT is available for rent for a price of $80, payable in PerfectMoney, Bitcoin-Cash, or Bitcoin. Interested parties can purchase three-month or one-year subscriptions for a discounted price, the security researchers discovered.

An older Bitcoin address associated with payments for Qrypter subscriptions appears to have received a total of 1.69 BTC (around $13,500 at the time of publishing). This, however, is only one of the addresses that the malware authors use, meaning that their earnings could be much higher.

The malware developers provide support to their customers via a forum called ‘Black&White Guys’, which currently has over 2,300 registered members.

Based on the content of the forum, the researchers were able to discover how QUA R&D operates. The group appears focused on keeping customers happy, and is regularly creating threads to inform and reassure users that their crypting service (available for $5) is fully undetected by anti-virus vendors.

“Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Forcepoint notes.

In addition to interacting with customers, the forum is also used to attract potential resellers, which receive discount codes to help increase Qrypter’s popularity in underground circles. Furthermore, older RAT versions are offered for free to customers, and QUA R&D’s strategy also involves the cracking of competitor products, to create FUD (fear, uncertainty, and doubt) about competition.

“While the Qrypter MaaS is relatively cheap, QUA R&D’s occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free,” Forcepoint concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
