Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Forcepoint Security Labs reveals latest analysis into remote access trojan (RAT), Qrypter

March 2018 by Forcepoint

Today Forcepoint’s Security Lab has released a new blog revealing new analysis examining the quantity and type of email that the command and control server is sending in order to spread this remote access trojans. The RAT, called Qrypter, is for sale on the underground economy, and if it gets through to an organisation it can take control of an endpoint and undertake any type of activity.

When it comes to cross-platform backdoors, Adwind is arguably the most popular and documented remote access tool (RAT) out there. However in the last two years, an underground group calling themselves ‘QUA R&D’ have been busy developing and improving a similar Malware-as-a-Service (MaaS) platform to the point that they have now become a major competitor to Adwind. In fact, QUA R&D’s RAT – sold under the name ‘Qrypter’ – is often mistaken by the security community as Adwind.


Qrypter is a Java-based RAT that uses TOR-based command and control (C2) servers. It was first made available in March 2016 and has gone by several names over the years including Qarallax, Quaverse, QRAT, and Qontroller.

In June 2016 the malware was used to target individuals applying for a US Visa in Switzerland, resulting in the family’s first coverage in the security industry.

Today, Qrypter continues to rise in prominence, typically being delivered via malicious email campaigns such as the one shown below.

While Qrypter is usually used in smaller attacks that deliver only a few hundred emails per campaign, it affects many organizations worldwide. In February 2018 we tracked three Qrypter-related campaigns that affected 243 organizations in total. The graph below provides a breakdown of the recipient TLDs in these campaigns:


Forcepoint customers are protected against this threat at the following stages of attack:

Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.


This post highlights the determination of QUA R&D to replace the infamous Adwind in the cross-platform MaaS business. With two years of operation and over 2K registered users in their forum, it appears that they are getting increasing traction in underground circles.

While the Qrypter MaaS is relatively cheap, QUA R&D’s occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by understanding how cybercriminal enterprises such as QUA R&D operate, we are better positioned to develop defense strategies and predict future developments.

See previous articles