{
	"id": "fa7f876d-3d9d-432c-9aa6-ea06a3290a45",
	"created_at": "2026-04-06T00:11:29.719733Z",
	"updated_at": "2026-04-10T13:11:31.332633Z",
	"deleted_at": null,
	"sha1_hash": "afc9cb7b9103cb17672350e3cd8173b76061bdc5",
	"title": "Nearly undetectable Qarallax RAT spreading via spam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 172649,
	"plain_text": "Nearly undetectable Qarallax RAT spreading via spam\r\nArchived: 2026-04-05 21:46:50 UTC\r\nHi everyone, here's Matteo Lodi, member of the Incident Response Team.\r\nThis time I want to talk about a new threat we detected by chance while analyzing the alerts generated by our platform.\r\nEverything starts from the analysis of a single, isolated level 2 ET signature called \"ET PRO POLICY DNS Query to .onion proxy Domain (onion . casa)\".\r\nAt the beginning, the only evidence we got from the traffic analysis was many DNS queries followed by 4 HTTPS contacts to the following weird domain: vvrhhhnaijyj6s2m[.]onion[.]casa\r\nWe found that onion.casa is a proxy used to access hidden services behind the renowned TOR network. In detail, if we visit the site, we can find that the domain in question hosts a site which claims to sell a malware known as Qarallax.\r\nQarallax is a RAT (remote access tool) and infostealer. This malware was born from an open-source software known as LaZagne. At this time, this artifact lets an attacker execute different kinds of operations inside the infected machine:\r\nCatch mouse movements and clicks\r\nCatch keyboard inputs\r\nRecord the output of the webcam and of the screen\r\nFind and steal every kind of credential stored inside the machine\r\nhttp://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/\r\nPage 1 of 4\r\nThere's a group called Quaverse which claims to be the R\u0026D behind this threat, constantly working to evolve and upgrade the malware. Their objective is to sell the agent as a RaaS (RAT as a Service).\r\nThe file is a JAVA application that runs on operating systems with JAVA Runtime Environment (JRE) installed. It runs silently in the background without any indication to the user.\r\nAt this time, we had no evidence that the host that contacted the suspicious domain was infected, but it was strongly suggested that we investigate further to understand if this was a real threat.\r\nWe tried to look for some intelligence feeds on the internet, checking whether someone else had found some useful info about the domain in question. At the beginning, we checked Google, Twitter and Reverse, but we didn't find anything. Then, checking VirusTotal, we found that they list the following URL as malicious:\r\nhxxps://vvrhhhnaijyj6s2m[.]onion[.]casa/storage/cryptOutput/0.92915600%201512026521.jar\r\nWow, only 3 hits and no sample uploaded to VT. However, at that time, we got an idea about what the SSL connections did: downloading a .jar file containing, with high probability, the malware.\r\nMeanwhile, we contacted the client and, luckily, the infected host was a virtual machine that got reverted to a clean state, and the AV agent detected and stopped the execution of the malware.\r\nAfterwards, the real questions were:\r\nhow did they get the malware?\r\nwas the attack targeted or opportunistic?\r\nThe day after, inside our spamtrap, we retrieved a sample called \"IMG6587JPG..jar\", identified as malicious (8.2/10 score) by our sandbox. The first thing we focused on was the traffic this sample generated towards the suspicious domain.\r\nThat's it! We probably found the malware our client got and, luckily, it came from a normal spam email tricking the user into opening a fake image containing the infostealer.\r\nA fun fact was that only 4 AV engines detected it. After 4 hours, finally, some other antivirus products started to identify that threat as malicious (15).\r\nWe told our client, who was able to find the email that was the infection vector and send it to us. The Qarallax variant was almost identical to the one we had caught just some minutes before. The only things that changed were the email body (different language, from English to Italian) and the name of the sample: PAGAMENTO.jar. Even in this case, the first time we sent the sample to VT, only a few antivirus engines were able to identify it.\r\nUpdate\r\nWe detected some new similar samples. The malware capabilities are the same as before. The biggest difference is the proxy used to contact the C\u0026C server: from onion[.]casa to onion[.]top. We want to underline that the threat is evolving day by day: every new sample we get to analyze is almost undetected by every kind of AV engine.\r\nConclusion\r\nWe found a new spam campaign delivering a RAT malware, nearly undetectable by IDS signatures or AV engines.\r\nIOC\r\nDomains:\r\nvvrhhhnaijyj6s2m[.]onion[.]top\r\nRAT samples (MD5):\r\nSource: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/"
	],
	"report_names": [
		"nearly-undetectable-qarallax-rat-spreading-via-spam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434289,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afc9cb7b9103cb17672350e3cd8173b76061bdc5.pdf",
		"text": "https://archive.orkl.eu/afc9cb7b9103cb17672350e3cd8173b76061bdc5.txt",
		"img": "https://archive.orkl.eu/afc9cb7b9103cb17672350e3cd8173b76061bdc5.jpg"
	}
}