{
	"id": "edf173e2-7c19-48b5-95a3-a2e525195219",
	"created_at": "2026-04-06T00:13:50.82085Z",
	"updated_at": "2026-04-10T03:20:53.692921Z",
	"deleted_at": null,
	"sha1_hash": "3a9c2b1bc23a5bfff99d4ecb72074185d3247003",
	"title": "RATs and Spam: The Node.JS QRAT | Trustwave",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62860,
	"plain_text": "RATs and Spam: The Node.JS QRAT | Trustwave\r\nBy Diana Lopera\r\nPublished: 2020-08-24 · Archived: 2026-04-02 12:11:55 UTC\r\nAugust 24, 2020 4 Minute Read\r\nThe Qua or Quaverse Remote Access Trojan (QRAT) is a Java-based RAT that can be used to gain complete\r\ncontrol over a system. Introduced in 2015, QRAT was marketed as an undetectable Java RAT and is offered under\r\nthe software-as-a-service model. Just after its original debut, we blogged about QRATs being spammed. As shown\r\nin Figure 1, the functionality of the spammed QRATs can be extended through the plugins offered by Quaverse.\r\nWebsite_quaversedotcom\r\nFigure 1: The website of Quaverse, captured from the 2015 blog, offering plugins for QRATs\r\nRecently, we have encountered more spam campaigns that attempt to spread QRATs. The initial malware contains\r\na subscription account for QHub (user: @qhub-subscription[.]store[.]qua[.]one) , a service that offers a single\r\ninterface to control remote machines. Its domain qua.one contains the same logo as to Quaverse’s website we have\r\nseen way back in 2015.\r\nWebsite_quadotone\r\nFigure 2: The QHub service is offered as a Premium Service\r\nMalware Analysis\r\nFlow\r\nFigure 3: The spam campaign flow\r\nThe JAR Downloader\r\nThis spam campaign using QRAT malware has multi-stage downloaders. The first one is a JAR file that may\r\narrive as an email attachment or can be downloaded from a link contained in a spam message. All the JAR files we\r\nhave collected related to this campaign are obfuscated using the Allatori Obfuscator – the class names all have the\r\nsame name and length but have different case. 
\r\nFigure 4: The JAR attachment Spec#0034.jar is obfuscated with Allatori\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/\r\nPage 1 of 4\n\nFigure 5: The HTML downloader attached to the malspam has a link to the first-stage downloader hosted on a cloud service platform\r\nThe first downloader has two major functions: setting up the Node.js platform on the system, and then downloading and executing the second-stage downloader.\r\nFigure 6: The code snippet of java.exe’s memory dump when the attachment Spec#0034.jar from Figure 4 was executed\r\nFirstly, upon execution of the JAR file, the process architecture of the system is checked, and that information is used to download the appropriate Node.js build for the machine. The JAR files we observed downloaded Node.js version 13.13.0 from https://nodejs.org/dist/v13.13.0/node-v13.13.0-win- .zip and extracted its content to %userprofile%/qnode-node-v13.13.0-win- .zip. The JAR files were designed to run in Windows environments only.\r\nSecondly, the JAR file Spec#0034.jar downloaded wizard.js from its command and control servers (C\u0026Cs) and saved it under the qnodejs folder located inside the Node.js installation path. Then, the JAR file executed wizard.js with the C\u0026Cs and the QHub service subscription user as arguments, as shown in Figure 6.\r\nThe Node.js Downloader\r\nThe downloaded file wizard.js is the second-stage downloader, written in Node.js. This script is responsible for establishing the persistence of this threat and for downloading and executing the payload. Just like the JAR file, it supports the Windows platform only. Without the arguments from the JAR file, this script will not work.\r\nWe were able to obtain the file wizard.js from hxxps://environment[.]theworkpc[.]com/scripts/wizard[.]js through the JAR file from Figure 5.
The file wizard.js is encoded using Base64. Looking through its decoded code, this script has its own defined modules.\r\nFigure 7: The code snippet of the downloaded second-stage downloader\r\nFigure 8: The modules of wizard.js\r\nThe first main function of wizard.js is to set up its persistence. The file qnode-\u003c8 hex\u003e.cmd serves as the autorun file; written into it are the same arguments that the JAR downloader passed to wizard.js (see Figure 6), with a “--delegate” command appended.\r\nFigure 9: The two main functions of wizard.js\r\nThen, based on the platform and architecture of the system it is running on, wizard.js downloads the main malware. Using the C\u0026Cs from the JAR file in Figure 4, we were able to download qnodejs-win32-ia32.js on 24 July 2020.\r\nBefore downloading, as shown in Figure 9, the script wizard.js verified the SHA1 of the main malware qnodejs-win32-ia32.js against the file qnodejs-win32-ia32.sha256. Lastly, the main malware was executed using the same arguments supplied to wizard.js in Figure 6, plus a “serve” command after the path of qnodejs-win32-ia32.js.\r\nFigure 10: The Node.js process which executes the payload qnodejs-win32-ia32.js\r\nThe Payload – Node.js QRAT\r\nJust like the downloader wizard.js, the main payload qnodejs-win32-ia32.js is written in Node.js, its code is encoded with Base64, and it has its own written modules.
It contains an encrypted Node.js packages folder, node_modules, hence its size of almost 12KB.\r\nThe Node.js script uses the string “qnode-service” as the node command name and requires the arguments --central-base-url and --group when executed.\r\nFigure 11: The help menu of qnodejs-win32-ia32.js\r\nThe QRAT qnodejs-win32-ia32.js has the following functionalities:\r\nobtain system information\r\nperform file operations\r\nacquire credentials of certain applications\r\nSome of the information, like the machine’s UUID, tags, and labels generated by the malware, is written to the config file %userprofile%/ -config.json. Meanwhile, the malware uses the service hxxps://wtfismyip[.]com to obtain network information.\r\nFigure 12: The filenames of the config and error logs are prefixed with the hex representation of the QHub subscription account shown in Figure 6\r\nFigure 13: Code snippet of the data retrieved from the service hxxps://wtfismyip[.]com/json\r\nFigure 14: The applications chrome, firefox, thunderbird, and outlook are supported in this QRAT’s password-recovery functionality\r\nThis threat communicates with its C\u0026Cs over the WebSocket protocol; Figure 15 lists the commands related to the three functions of the QRAT qnodejs-win32-ia32.js mentioned above.\r\nFigure 15: List of commands\r\nSummary\r\nRemote access trojans are commodity malware nowadays. With services like QHub, RATs become a more attractive instrument for threat actors, since the machines infected by the RATs can be easily monitored in the ready-made environment these services offer. The QRAT and its downloader currently support the Windows platform only.
Since they leverage Node.js, which is cross-platform, there is a possibility that this threat will be enhanced to support other platforms in the future.\r\nIn terms of mitigation, we recommend blocking inbound emails with Java files outright at the email gateway. We have also added protection for this threat to the Trustwave Secure Email Gateway for our customers.\r\nIOCs\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/"
	],
	"report_names": [
		"rats-and-spam-the-nodejs-qrat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a9c2b1bc23a5bfff99d4ecb72074185d3247003.pdf",
		"text": "https://archive.orkl.eu/3a9c2b1bc23a5bfff99d4ecb72074185d3247003.txt",
		"img": "https://archive.orkl.eu/3a9c2b1bc23a5bfff99d4ecb72074185d3247003.jpg"
	}
}