QNodeService – Node.js Trojan

QNodeService is a modular Node.js-based information-stealing trojan delivered in a number of Covid-19-related campaigns.

QNodeService is distributed as a Java downloader disguised as a variety of documents pertaining to Covid-19 tax relief or business schemes. When opened, this downloader first installs the Node.js runtime before checking the system architecture and downloading the correct version of QNodeService. It will also download a second file that is used to maintain persistence.

Once installed, QNodeService will collect user and system information to send to a command and control server, at which point it awaits further commands. QNodeService is able to:

  • create and delete Run key entries
  • download and execute secondary payloads
  • edit, delete, or transfer files
  • extract user credentials from Chromium and Firefox web browsers
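
A triage check built on two behaviours described above (the downloader installs a Node.js runtime, and the malware creates Run key entries), as an added example that is not part of the original post: it flags Run values that start a Node.js or Java runtime with a command line pointing at a user-writable location. The sample registry output, the set of paths treated as user-writable and the function name are assumptions made for illustration, not indicators published for QNodeService.

```python
import re

# Constructed sample in the layout printed by `reg query` for a Run key.
# Every value name and path is made up; none is an indicator from the page.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    DevServer    REG_SZ    "C:\Program Files\nodejs\node.exe" C:\tools\server.js
    Updater    REG_EXPAND_SZ    "%USERPROFILE%\runtime\node.exe" "%USERPROFILE%\runtime\app\start.js"
    Viewer    REG_SZ    C:\Users\alice\AppData\Roaming\jre\bin\javaw.exe -jar C:\Users\alice\AppData\Local\Temp\doc.jar
"""

# One value line: four spaces, name, four spaces, type, four spaces, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Executable at the start of the command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)
# Runtimes the page ties to this family: Node.js (payload) and Java (downloader).
RUNTIMES = {"node.exe", "java.exe", "javaw.exe"}
# Assumed heuristic: locations a standard user can write to without elevation.
USER_WRITABLE_RE = re.compile(
    r"%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP)%|[a-z]:\\users\\|[a-z]:\\programdata\\",
    re.IGNORECASE,
)


def suspicious_run_values(text):
    """Return names of Run values that start a Node.js or Java runtime
    with a command line referencing a user-writable location."""
    hits = []
    for line in text.splitlines():
        value = VALUE_RE.match(line)
        if not value:
            continue  # key header or blank line
        data = value.group("data").strip()
        exe = EXE_RE.match(data)
        if not exe:
            continue  # not a direct .exe launch
        basename = exe.group("exe").rsplit("\\", 1)[-1].lower()
        if basename in RUNTIMES and USER_WRITABLE_RE.search(data):
            hits.append(value.group("name"))
    return hits


if __name__ == "__main__":
    for name in suspicious_run_values(SAMPLE):
        print("review Run value:", name)
```

A hit is a prompt for review rather than a verdict: the Node.js install under Program Files in the sample is deliberately left unflagged, and developer machines may still need an allowlist.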



Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
