{
	"id": "e15538b6-67b4-4dc8-9e64-ecc4031d2692",
	"created_at": "2026-04-06T00:17:45.660965Z",
	"updated_at": "2026-04-10T13:12:44.343791Z",
	"deleted_at": null,
	"sha1_hash": "fec721d1cd12ced163ced97f25f6aee82dad6c14",
	"title": "New Qualys Research Report: Evolution of Quasar RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33463,
	"plain_text": "New Qualys Research Report: Evolution of Quasar RAT\r\nBy Viren Chaudhari\r\nPublished: 2022-07-29 · Archived: 2026-04-05 20:09:01 UTC\r\nThe Qualys Threat Research Team continues to inform enterprise cybersecurity teams of emerging threats that\r\ncould impact their business. These threat intelligence reports summarize individual threat exploits and provide\r\npractical recommendations for protecting against them.\r\nIn this free research report, we analyze Quasar RAT which has been widely leveraged by multiple threat actor\r\ngroups targeting both government and private organizations in Southeast Asia and other geographies.\r\nQuasar RAT (aka: CinaRAT, Yggdrasil) is an open-source remote access trojan (RAT) that has been widely\r\nadopted by bad actors due to its powerful techniques. Quasar RAT has been behind multiple attack campaigns by\r\nadvanced persistent threat (APT) groups and most recently, a Chinese threat group APT10 was observed using it\r\nfor targeted attacks.\r\nThe intelligence in this report can be used by SOC analysts, threat hunting teams, cyberthreat intelligence\r\nanalysts, and digital forensics teams.\r\nThis complementary paper examines the evolution of the Quasar RAT payload, unpacks its configuration, details a\r\ntechnical analysis of the malware payload, and finally presents possible detection parameters using Qualys Multi-Vector EDR.\r\nDownload your copy of the report now to learn about our key research findings: \r\nQuasar RAT is a full featured remote administration tool that has been open source since at least 2014\r\nThe .NET executable has its communication encrypted through HTTPS which uses a TLS1.2 protocol\r\nQuasar RAT features provide techniques related to persistence, injection, and defense mechanisms\r\nThe RAT has been actively leveraged by various APT groups such as APT10 to achieve its malicious\r\nobjectives\r\nGet your copy of this new Qualys Threat Research Report now. \nNo registration required.\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat"
	],
	"report_names": [
		"new-qualys-research-report-evolution-of-quasar-rat"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434665,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fec721d1cd12ced163ced97f25f6aee82dad6c14.pdf",
		"text": "https://archive.orkl.eu/fec721d1cd12ced163ced97f25f6aee82dad6c14.txt",
		"img": "https://archive.orkl.eu/fec721d1cd12ced163ced97f25f6aee82dad6c14.jpg"
	}
}