Qrypter MaaS [Malware-as-a-Service] Remote Access Trojan

A new Java-based remote access trojan (RAT), known as Qrypter, has been observed. Developed by the ‘QUA R&D’ criminal group, it is offered on a Malware-as-a-Service (MaaS) basis to compete with the Adwind RAT.

Although Qrypter is usually used in smaller attacks that deliver only a few hundred emails per campaign, it affects many organizations worldwide. In February 2018 we tracked three Qrypter-related campaigns that affected 243 organizations in total.

Qrypter is typically delivered via malicious email campaigns, each consisting of several hundred messages. When installed, it downloads and executes two randomly-named .vbs files in the %Temp% folder to gather information on the firewall and antivirus products present on the device. Registry entries are created to terminate and disable a number of security-related processes, lower overall security settings and launch Qrypter at startup.

Command And Control Servers

vvrhhhnaijyj6s2m[.]onion[.]top
buzw55o32jgyznev[.]onion[.]top

Affected platforms 

Microsoft Windows – All versions
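
The behaviour and C2 hosts described above can be turned into a simple hunt. The following Python is an added example, not part of the original advisory: it flags a Java process that launches two or more distinct .vbs files from a Temp folder through wscript/cscript, and DNS names matching the listed C2 hosts. The java.exe/javaw.exe parent, the Sysmon-style field names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# C2 hostnames exactly as listed in the advisory (defanged); refanged only for matching.
C2_DEFANGED = ["vvrhhhnaijyj6s2m[.]onion[.]top", "buzw55o32jgyznev[.]onion[.]top"]
C2_HOSTS = {d.replace("[.]", ".") for d in C2_DEFANGED}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"java.exe", "javaw.exe"}  # assumption: the RAT runs under a stock JRE binary
# A .vbs file directly inside a directory named Temp (case-insensitive).
VBS_IN_TEMP = re.compile(r"[^\s\"]*\\temp\\[^\s\"\\]+\.vbs", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def java_vbs_from_temp(events, min_scripts=2):
    """Map parent PID -> sorted .vbs paths for Java processes that launched
    at least `min_scripts` distinct .vbs files from a Temp folder."""
    seen = defaultdict(set)
    for ev in events:
        if basename(ev["Image"]) not in SCRIPT_HOSTS or basename(ev["ParentImage"]) not in JAVA_HOSTS:
            continue
        match = VBS_IN_TEMP.search(ev["CommandLine"])
        if match:
            seen[ev["ParentProcessId"]].add(match.group(0).lower())
    return {pid: sorted(paths) for pid, paths in seen.items() if len(paths) >= min_scripts}

def c2_lookups(dns_names):
    """Return queried names that equal, or are subdomains of, a listed C2 host."""
    hits = []
    for name in dns_names:
        n = name.rstrip(".").lower()
        if any(n == h or n.endswith("." + h) for h in C2_HOSTS):
            hits.append(name)
    return hits

def proc(parent, ppid, image, cmd):
    return {"ParentImage": parent, "ParentProcessId": ppid, "Image": image, "CommandLine": cmd}

# Constructed sample records; field names follow Sysmon process-creation events.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
JAVAW, CSCRIPT = r"C:\Program Files\Java\jre\bin\javaw.exe", r"C:\Windows\System32\cscript.exe"
SAMPLE_EVENTS = [
    proc(JAVAW, 4120, CSCRIPT, rf'cscript.exe "{TEMP}\kq3xw.vbs"'),
    proc(JAVAW, 4120, CSCRIPT, rf'cscript.exe "{TEMP}\p9ztm.vbs"'),
    proc(r"C:\Windows\explorer.exe", 812, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\alice\Desktop\report.vbs"'),
    proc(r"C:\Program Files\Java\jre\bin\java.exe", 5000, CSCRIPT, rf'cscript.exe "{TEMP}\build.vbs"'),
]
```

Only PID 4120 is reported for the sample events: the Explorer-launched script has no Java parent, and the second Java process ran a single script, which is below the two-script threshold taken from the advisory.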




Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
