{
	"id": "c90121dc-a211-44df-b94e-b94b8ccf2931",
	"created_at": "2026-04-06T01:30:29.160039Z",
	"updated_at": "2026-04-10T13:11:32.325872Z",
	"deleted_at": null,
	"sha1_hash": "3298300764762c4262cbf05a6ca67e346077a916",
	"title": "A PAINFUL QUICKHEAL – Securite360",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4257487,
	"plain_text": "A PAINFUL QUICKHEAL – Securite360\r\nBy Muffin\r\nArchived: 2026-04-06 00:12:15 UTC\r\nA QUICKHEAL sample (9553567e231a172c69f0ef8800a927193b9cbd49), used in a recent campaign targeting\r\nthe telecom sector, was recently uploaded to VirusTotal (VT). This malware is closely associated, according to\r\nopen sources, with a Chinese People’s Liberation Army (PLA)-linked intrusion set known as the Needleminer\r\ngroup, RedFoxtrot, or Nomad Panda\r\nhttps://securite360.net/a-painful-quickheal\r\nPage 1 of 11\n\nSince I had never worked on QUICKHEAL before and PLA campaigns are rarely documented these days, I was\r\neager to take a closer look at this sample. Thanks to y0sh1mitsu, I was able to retrieve the sample and begin\r\nanalyzing it. The first thing I noticed is that this 32-bit DLL is protected using VMProtect.\r\nFigure 1: capture from VT\r\nVMProtect is a legitimate commercial tool used to prevent unauthorized reverse engineering of programs.\r\nEveryone knows that unpacking malware protected with VMProtect can be painful. Fortunately, I was able to\r\nunpack it using OA Labs’ Unpac.me. This was a lifesaver—I didn’t have to spend hours trying to bypass this\r\nprotection. 
Thank you, OA Labs, for your amazing work!\r\nOnce unpacked, it becomes possible to begin basic static analysis using PE Bear to gather several pieces of\r\ninformation about this DLL file, such as its name (RasTls.dll), the name of its export (GetOfficeDatatal), and its\r\ncompilation time (08.04.2022).\r\nFigure 2: PE Bear screenshot relating to RasTls.dll\r\nCapabilities\r\nThe first noticeable observation about this sample is that the strings provide significant insight into its features and\r\ncapabilities.\r\nFigure 3: strings inside QUICKHEAL\r\nIt is possible to infer from the string “select * from moz_logins”, the numerous references to Mozilla Firefox and\r\nSQLite databases, as well as the encryption functions, that the malware attempts to retrieve credentials stored in\r\nthe Firefox browser. All these findings were already documented in a landmark analysis by Recorded Future about\r\nRedFoxtrot, which they link to PLA Unit 69010.\r\nAs we will see below, the malware dynamically loads the functions required to interact with SQLite databases and\r\nNSS (Network Security Services) libraries to decrypt passwords or other sensitive information stored by\r\napplications such as Firefox.\r\nWhile it is quite clear that QUICKHEAL can steal Firefox credentials, it is also worth noting that several clues\r\nsuggest the malware is capable of stealing passwords stored in Microsoft Internet Explorer as well. Specifically,\r\nthe malware manipulates Internet Explorer’s GUID ( \"abe2869f-9b47-4cd9-a358-c22904dba7f7\" ).\r\nFigure 4: IE’s GUID manipulation\r\nIE passwords are encrypted using cryptographic functions after being salted with a text string generated from this\r\nGUID. 
This GUID can therefore be used to decrypt credentials stored in Internet Explorer, leveraging the\r\nCryptUnprotectData and CredEnumerateA APIs, both of which are also imported by the malware.\r\nCommunications\r\nHardcoded strings also reveal the malware’s C2 address, the port it uses, and the user-agent it employs.\r\nFigure 5: Hardcoded C2 name and port\r\nThe user-agent can be found in a function whose purpose appears to be formatting the HTTP request used to\r\ncommunicate with the C2:\r\nFigure 6: hardcoded user-agent\r\nIt is worth noting that the malware attempts to establish an HTTP connection via a proxy, as indicated by strings\r\nfound in the code: \"Proxy-Authenticate: NTLM\", \"Proxy-Authorization: NTLM\", and \"Proxy-Authenticate:\r\nBasic\".\r\nMy understanding is that the malware also tries to retrieve the user’s internet settings. To achieve this, it appears\r\nthat the malware passes the arguments of RegOpenKeyExW to a wrapper function using position-independent code.\r\nHowever, it is possible to infer the true purpose of this function from the arguments passed to it.\r\nFigure 7: The malware passes the expected arguments for RegOpenKeyExW to a wrapper function\r\nObfuscation\r\nWhat is particularly interesting is that the developers of the malware did not hold back in their efforts to obfuscate\r\nthe malware’s control flow, even though most strings are in plain text.\r\nFirstly, the malware renames cmd.exe to alg.exe, which is a legitimate Windows process (Application Layer\r\nGateway Service).\r\nFigure 8: renaming cmd.exe\r\nThis trick may be used to avoid raising suspicion when the malware executes a command.\r\nTo make an analyst’s job more difficult, I also believe the malware uses a custom API resolver, thereby avoiding\r\ndirect invocation of these APIs.\r\nFigure 9: custom API resolver\r\nFrom what I could 
gather, the malware also uses LoadLibrary in an obfuscated manner to load the libraries it\r\nneeds to decrypt Mozilla passwords. It first reconstructs the path to Mozilla Firefox and then uses registers to load\r\nthe required DLL. Presumably for obfuscation purposes, the malware uses registers rather than directly invoking\r\nthe API it wants to load. However, the API being used can be easily inferred from the context.\r\nFigure 9: using LoadLibrary in an obfuscated way\r\nFigure 10: MSDN documentation about LoadLibrary\r\nThe malware then attempts to resolve the addresses of the exported functions from the previously loaded DLLs by\r\ncalling the esi register, which contains GetProcAddress or an equivalent function. To achieve this, it uses the\r\nfollowing code:\r\nFigure 11: DLLs’ export dynamic resolution\r\nThe addresses of the resolved functions are stored in local variables ([ebp-...h]) for subsequent use.\r\nHowever, it is worth noting that the arguments are pushed in reverse order. This aligns with the MSDN\r\ndocumentation, which states:\r\nFigure 12: MSDN documentation relating to GetProcAddress\r\nhModule is a handle returned by LoadLibraryA, and lpProcName corresponds to the name of the function or\r\nvariable. While these two items are pushed onto the stack before the call, the function name is pushed first,\r\nfollowed by the handle. This suggests that the malware uses a custom version of GetProcAddress.\r\nInfrastructure mapping\r\nWhile reversing QUICKHEAL was challenging, pivoting on its infrastructure was much easier. Passive DNS\r\nrecords suggest that the same infrastructure has been in use for the past couple of years, likely across different\r\ncampaigns. 
For example, swiftandfast[.]net seems to have been used for over two years.\r\nWhile I cannot completely rule out false positives in the list of domains I gathered, I made an effort to exclude\r\ndomains that fall outside the known timeframe of operation (i.e., 2022–2024). That being said, the attacker relied\r\non commercial services such as Vultr or DigitalOcean.\r\nFigure 14: Overview of the attacker’s infrastructure\r\nSince attackers are likely to choose domain names designed to fly under the radar, the targeted countries and, at\r\ntimes, sectors can often be deduced from them. For example, several domain names use the .in top-level\r\ndomain, suggesting that India was one of the targets of this intrusion set. Moreover, several domains mimic the\r\nnames of institutions in specific sectors in India, such as the telecom or space industries. For example, some\r\ndomains use the acronym BSNL, which stands for Bharat Sanchar Nigam Limited, an Indian telecommunications\r\nfirm. Other domains mention ISRO, which is the Indian Space Research Organisation.\r\nFigure 15: Infrastructure cluster using Indian top-level domains or themes.\r\nWhile 165.22.211[.]185 was resolved by Indian-related domains mostly in 2022 (starting from May), it is worth\r\nnoting that a QUICKHEAL sample was already communicating with this IP address in 2021.\r\nMoreover, in some cases, the attackers appear to have used news-themed domains such as\r\nwww.dailysaudinews[.]com or ju-news[.]kr. Since these domains were not resolving to the IP address associated\r\nwith swiftandfast[.]net at the same time, it is possible that the IP address was redistributed. However, newspapers\r\nand other news outlets are often accessed on professional workstations, making mimicking media websites an\r\neffective way to remain undetected. 
Additionally, these domains are either not hosting any content or are hosting\r\nwebsites that appear to have been generated using ChatGPT. These elements suggest that the Middle East and\r\nSouth Korea may have also been targeted, although with lower confidence.\r\nFigure 16: Infrastructure cluster related to South Korea\r\nThese different graphs illustrate that the attackers have poor operational security (OPSEC). Indeed, they seem to\r\nhave reused the same infrastructure for extended periods and across campaigns targeting multiple countries and\r\nsectors. Additionally, the same IP addresses were resolved by multiple domains used by the attackers, enabling us\r\nto map their infrastructure with relative ease.\r\nThis lack of OPSEC stands in stark contrast to the obfuscation techniques employed by QUICKHEAL, such as\r\npacking with VMProtect and the use of position-independent code. Several reasons could explain this discrepancy.\r\nFor instance, different teams might be responsible for malware development and infrastructure management. To\r\nreduce costs, the attackers may have chosen to reuse the same infrastructure across multiple campaigns. 
Finally, it\r\ncannot be ruled out that this infrastructure is shared among several different intrusion sets with varying levels of\r\nOPSEC.\r\nIoCs\r\nSource: https://securite360.net/a-painful-quickheal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securite360.net/a-painful-quickheal"
	],
	"report_names": [
		"a-painful-quickheal"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c09dd7ba-3b6c-4a02-9ae6-949b0afc0b16",
			"created_at": "2023-01-06T13:46:38.907191Z",
			"updated_at": "2026-04-10T02:00:03.141637Z",
			"deleted_at": null,
			"main_name": "NOMAD PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:NOMAD PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439029,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3298300764762c4262cbf05a6ca67e346077a916.pdf",
		"text": "https://archive.orkl.eu/3298300764762c4262cbf05a6ca67e346077a916.txt",
		"img": "https://archive.orkl.eu/3298300764762c4262cbf05a6ca67e346077a916.jpg"
	}
}