{
	"id": "3e30395e-5a03-4af3-80f7-bffa0e567748",
	"created_at": "2026-04-06T00:15:30.472399Z",
	"updated_at": "2026-04-10T03:23:51.89373Z",
	"deleted_at": null,
	"sha1_hash": "a81d0d5643ce47517fea682809889431b6f01af5",
	"title": "Quasar RAT Being Distributed by Private HTS Program - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2761026,
	"plain_text": "Quasar RAT Being Distributed by Private HTS Program - ASEC\r\nBy ATCP\r\nPublished: 2023-02-08 · Archived: 2026-04-05 16:09:37 UTC\r\nThe ASEC analysis team has recently discovered the distribution of Quasar RAT through the private Home\r\nTrading System (HTS). No information could be found when looking up the HTS called HPlus that was used in\r\nthe attack. Furthermore, the company’s name could not be found in even the clause of the installation process, so\r\nit is assumed that the victims did not install their HTS from an institutional financial company, but instead, they\r\ngot HPlus HTS through an unsanctioned source or a disguised financial investment company. The malware,\r\nQuasar, that was installed by the private HTS is a RAT malware that allows threat actors to gain control over\r\ninfected systems to either steal information or perform malicious behaviors.\r\n1. Private HTS (Home Trading System)\r\nHome Trading System (HTS) refers to a system that allows investors to trade stocks using their home or office\r\nPCs instead of paying a visit to stock trading firms or making phone calls. [1] Contrary to before, most individuals\r\ninstall an HTS on their mobile phones or PCs to trade financial products online like stocks, funds, and futures.\r\nIn most cases, users install the HTS provided by institutional financial companies and make financial transactions\r\nthrough these companies. However, there have been a number of cases recently where illegal financial investment\r\ncompanies disguising themselves as lawful ones have been leading users into installing a private HTS before\r\nstealing their investments.\r\nMost unsanctioned financial investment companies deceive users with Internet or SMS ads before leading them to\r\njoin group chats like on KakaoTalk. Generally, they are known to advertise the ability to trade overseas futures\r\nwith only a small deposit, offer fee exemptions, and give loans. 
[2] The admin of these group chats leads the users\r\nthat have been gathered in this manner to install their private HTS and deposit their investments.\r\nThe fraud groups that use private HTS intercept the investments of users in various ways. For example, they\r\ndeceive users into believing that they are making a profit before vanishing without a trace when the investors\r\nrequest a withdrawal. [3] There are also cases where investors are led to make deposits, but have their entire\r\ndeposits taken from them as “service fees”. [4] The private HTS used in these cases of fraud are made virtually\r\nindistinguishable from the HTS provided by stock firms in order to have users believe that normal transactions are\r\nbeing made. [5]\r\n2. Cases of Quasar RAT Distribution\r\n2.1. Malware Disguised as Private HTS\r\nThe ASEC analysis team has recently found that Quasar RAT is being distributed through private HTS. It is\r\ndifficult to confirm how a private HTS was installed since users are being led to install them through exclusive\r\nhttps://asec.ahnlab.com/en/47283/\r\nPage 1 of 10\n\ngroup chats; however, the team was able to get their hands on a recent installer through an ASD (AhnLab Smart\r\nDefense) log.\r\nAfter checking the paths where the malware was installed, paths that included the keywords “Private” and “VIP”\r\nwere uncovered. It can be inferred that these were distributed by the aforementioned illegal financial investment\r\ncompanies. Through the keyword ‘Futures’, it can be assumed that users were gathered through the ad that\r\nclaimed you could trade overseas futures with only a small deposit.\r\n\\privatevip_setup [hts]\\hplus\\\r\n\\HPlus(Futures)\\hplus\\\r\n\\Futures and Stocks\\hts manager\\hplus\\\r\nThe first installation program is an NSIS installer with the file name “HPlusSetup.exe”. For reference, it is\r\nassumed that the private HTS named HPlus has been in existence since at least 2016. 
This is because some of the\r\nfiles generated after installation had already been collected by the ASD infrastructure in 2016. The following files\r\ncan be found in the installation path after the installation is finished. The file “config.ini” is the malicious file that\r\nhas the update server address.\r\nFigure 1. Installation path\r\n“Asset.exe” is the first program that’s executed after the installation. The shortcut created on the desktop also\r\nserves the purpose of running the “Asset.exe” file. “Asset.exe”, which is both the launcher and update program,\r\nreads the “config.ini” file in the same path to obtain the update server address and check if the current version is\r\nthe latest. It will download the update file and install it if the version is outdated.\r\nIt is assumed that the threat actor sets the FTP server address where the malware is uploaded as the contents of the\r\n“config.ini” file before distributing the installation file. By doing so, the compressed update file containing the\r\nmalware is downloaded and Quasar RAT is installed in the user environment.\r\nFigure 2. Malware installation flow\r\nIn addition, it has not been confirmed whether the private HTS, HPlus, has always been installing malware strains\r\nor not. The only confirmed facts are that HPlus was in use from 2016 to about 2017 and is recently being\r\ndistributed again as a malware strain that installs Quasar RAT.\r\n2.2. Update Process\r\n“Asset.exe” is both the private HTS launcher and update program that makes sure the program is up to date. In\r\norder to achieve this, it has to first search for the update server address when launched. This address exists within\r\nthe “config.ini” file which is in the same path. The following numbers can be found by checking the “config.ini”\r\nfile. A certain section of these numbers is the C\u0026C server’s IP address. 
Therefore, the numbers hard-coded at\r\ncertain locations become the C\u0026C address. For example, the 446th, 409th and 408th numbers are “1”, “0”, and\r\n“3” respectively.\r\nFigure 3. Config.ini file containing the C\u0026C address\r\nFigure 4. C\u0026C address generated from the numbers at specific positions\r\nAdditionally, the port number of the C\u0026C server is hard-coded into the “Asset.exe” file. Assuming that this file\r\nwas collected around 2016, the team believes that the threat actor set the port number to the one in the existing\r\n“Asset.exe” file to keep using this file. Aside from this, the respective locations of the C\u0026C server address and the\r\nFTP server’s account credentials are also hard-coded into “Asset.exe”. This means that the threat actor used the\r\nsame port number and account credential as before to distribute the malware.\r\nFigure 5. Hard-coded FTP account information\r\n“Asset.exe” downloads the “NewVer.ver” file from the update server and compares it with the “LocalVer.ver” file\r\nin the same path to check if the file is outdated. If the file is outdated, it downloads the latest version set in the\r\n“NewVer.ver” as a compressed file and installs it to the same path.\r\nFigure 6. Downloading the update file from the FTP server\r\nThe “StockProForHplus2.exe” file inside the downloaded compressed file is malware made by adding a\r\nlauncher feature to the existing HTS program, “StockProForHplus.exe”. Additionally, while the currently revealed\r\nsource code cannot be found, the threat actor most likely possesses the source code in question considering that a\r\nfeature included by the threat actor exists in the version of “StockProForHplus2.exe” that’s currently being\r\ndistributed. 
Moreover, the fact that the collected “StockProForHplus.exe” files contain various PDB information makes\r\nit evident that the source code for HPlus is currently being sold or shared.\r\nFigure 7. Downloaded compressed file\r\nAside from HTS features, the “StockProForHplus2.exe” file within “HPlus_client_2.0.6.zip” contains a feature to\r\nlaunch “HPlusSocketManager20221208.exe” which is the Quasar RAT. Furthermore, there are also files that\r\ncontain a command to add an exception path to Windows Defender.\r\nFigure 8. Command inserted into the HTS program StockProForHplus.exe\r\n“StockProForHplus2.exe” is the launcher that executes Quasar RAT, but it is fundamentally an HPlus HTS.\r\nAlthough no registration or login was done during the analysis process, it is a program that has existed since\r\nbefore, so it is assumed that it will operate like a normal HTS even after logging in to trick users.\r\nFigure 9. Executed HPlus HTS\r\nAccording to the above terms and conditions displayed after clicking the registration button, the following\r\nservices are provided.\r\n– Information sharing service of derivative products in and outside Korea\r\n– Specialist discovery and analytic strategies of derivative products in and outside Korea\r\n– Forums, interest groups, chat service\r\n– Mailing service\r\n– Financial market-related information sharing service\r\n– Others\r\n2.3. Quasar RAT\r\n“HPlusSocketManager20221208.exe” launches “vbc.exe” and injects Quasar RAT. This makes it so that Quasar\r\nRAT runs in the memory of “vbc.exe”, which is a normal process.\r\nFigure 10. Obfuscated Quasar RAT\r\nFigure 11. Quasar RAT\r\nQuasar RAT is an open-source RAT malware developed with .NET. 
Like most other RAT malware, it provides\r\nsystem tasks such as process, file, and registry management, and features such as remote command execution and the ability to\r\ndownload and upload files. In addition, Quasar RAT provides keylogging and account information collection\r\nfeatures to allow the theft of information from user environments, and enable real-time control over infected\r\nsystems through remote desktop. Therefore, users who have installed HPlus HTS can have various personal data\r\nincluding their account credentials stolen from them by the threat actor at any time.\r\nFigure 12. Features provided by Quasar RAT\r\nC\u0026C : 103.136.199[.]131:4449\r\nVersion : v1.4.0\r\nTAG : “hplus”\r\n3. Conclusion\r\nIn the past, scam groups had used their private HTS to steal the investments of their victims, but they have now\r\nrecently been used to install malware into the PCs of their victims. Due to this, although the damages used to end\r\nafter only taking the investments of their victims, threat actors are now able to take control of their victims’ PCs\r\nand do additional harm by also installing Quasar RAT and stealing personal data.\r\nAccording to the Financial Supervisory Service, “institutional financial companies do not distribute private HTS\r\nthrough means such as messengers.” [6] Users must make sure to only install the HTS provided by institutional\r\nfinancial companies through their official websites. 
If a private HTS is installed through illegal investment\r\ncompanies that are aiming to make a profit, then not only could you lose your investments, but you could also\r\nhave your system infected by malware and have the personal data saved on your system stolen.\r\nUsers should apply the latest patch to their installed software to prevent vulnerability exploitations in advance.\r\nAlso, V3 should be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Dropper/Win.Agent.C5369588 (2023.01.30.01)\r\n– Trojan/Win.Agent.C5367163 (2023.01.27.00)\r\n– Trojan/Win.Launcher.C5369589 (2023.01.30.01)\r\n– Trojan/Win.CrypterX-gen.C5334365 (2022.12.15.03)\r\n– Trojan/Win.Generic.C5334977 (2022.12.16.01)\r\n– Trojan/Win.GZ.C5336652 (2022.12.19.01)\r\n– Trojan/Win.HacktoolX-gen.C5361479 (2023.01.19.02)\r\n– Trojan/Win.Injection.C5360107 (2023.01.17.02)\r\n– Trojan/Win.Injection.C5366537 (2023.01.26.01)\r\n– Backdoor/Win.QuasarRAT.C5369591 (2023.01.30.01)\r\n– Backdoor/Win.QuasarRAT.C5369592 (2023.01.30.01)\r\n– Backdoor/Win.QuasarRAT.C5369593 (2023.01.30.01)\r\nBehavior Detection\r\n– Injection/MDP.Hollowing.M4180\r\nIOC\r\nMD5\r\n– 56961c573c78681b98c8336679202ead : Installer (HPlusSetup.exe)\r\n– a041b5708e8a0bf36b83312cbf3c94c9 : Launcher (StockProForHplus.exe)\r\n– b50c4b4958caba46760fccb02946966b : Launcher (StockProForHplus.exe)\r\n– c2a10f5d57bb88611708312cca599e12 : Launcher (StockProForHplus.exe)\r\n– ca50da047871d8986c4bb4044a251755 : Launcher (StockProForHplus.exe)\r\n– d3f295841d4b8df890554978a4a90346 : Launcher (StockProForHplus.exe)\r\n– f7e86dce64f7248aed7ef70d127f5eaf : Launcher (StockProForHplus.exe)\r\n– fb08fa91bf71e923027e9fe88e2bbec6 : Launcher (StockProForHplus.exe)\r\n– 2e0ec9bd44f169e86a957e0fec7d950d : Launcher (StockProForHplus.exe)\r\n– 4db2078c0a7b72046fa6e68a62862508 : Launcher (StockProForHplus.exe)\r\n– 6f5237ef99b4864a16f32c972fb86cdf : Launcher 
(StockProForHplus.exe)\r\n– 60eafec4ec4ec23ba602068e5a6364b8 : Launcher (StockProForHplus.exe)\r\n– 2258e46dc24f2c4be97aa051a05ebffd : Launcher (StockProForHplus.exe)\r\n– 5267184953c662d0fa6a4db83fe4b775 : Launcher (StockProForHplus.exe)\r\n– 4028da04ce0c9593c19bcc8b9c1cd14b : Launcher (StockProForHplus2.exe)\r\n– a7c6f450bc567d2a0abffe2704a698d2 : Launcher (StockProForHplus2.exe)\r\n– 2143f826dab2f82ec88d2de75f3ef96f : Quasar RAT (hplussocketmanager.exe)\r\n– 58401b5cd964ab334ee883853520bf79 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 9174679e2f655034aa0b41774c7f54e0 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– c5fcd3857921ac1b95afe73e7ec8ca66 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– eb921e3d6e81a020fffd84da91bf29cf : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– f9c47fb25a5dc5a3857fbb109b122d69 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– f3335c9c4c485cf98fee7f9c03033c15 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 0cb69119c327ef66b1595cda3b2ce99a : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 0d6028c16b0bef0eaded10540a108fff : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 4e1e6bd1655b941d78e7a6785017a260 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 37b8b575c93a5e8dd2643a5d9913df02 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 82e7624ba7b3213ccaa837d83b93307a : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 508ec48d546b6c88092e8e9b05a672d2 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 33307a589a405cd782d738aa592f87fc : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– a9ab7e58e79a1c586677df06dde3708f : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 3c84e468fbab273bc1d7d9bc439ddab0 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 1b7da03bee74107fee53b27cacc52f96 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– 8cf9cc6a5b1b8594c9b87793754ef026 : Quasar RAT (HPlusSocketManager20221208.exe)\r\n– a5750ff65c58a3fe7031cbd36ddab0ba : Quasar RAT 
(HPlusSocketManager20221208.exe)\r\n– 128b5f28a737838e162cfc972a8797ee : Quasar RAT (HPlusSocketManager20221208.exe)\r\nDownload URLs\r\n– 103.136.199[.]131:24879 – FTP\r\nC\u0026C\r\n– 103.136.199[.]131:4782 – Quasar RAT\r\nSubscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC\r\nand detailed analysis information.\r\nSource: https://asec.ahnlab.com/en/47283/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/47283/"
	],
	"report_names": [
		"47283"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434530,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a81d0d5643ce47517fea682809889431b6f01af5.pdf",
		"text": "https://archive.orkl.eu/a81d0d5643ce47517fea682809889431b6f01af5.txt",
		"img": "https://archive.orkl.eu/a81d0d5643ce47517fea682809889431b6f01af5.jpg"
	}
}