March 14, 2018

A look into Qrypter, Adwind’s major rival in the cross-platform MaaS market

Roland Dela Paz Security Researcher

When it comes to cross-platform backdoors, Adwind is arguably the most popular and documented remote access tool (RAT) out there. However in the last two years, an underground group calling themselves ‘QUA R&D’ have been busy developing and improving a similar Malware-as-a-Service (MaaS) platform to the point that they have now become a major competitor to Adwind. In fact, QUA R&D's RAT – sold under the name ‘Qrypter’ – is often mistaken by the security community as Adwind.


Qrypter is a Java-based RAT that uses TOR-based command and control (C2) servers. It was first made available in March 2016 and has gone by several names over the years including Qarallax, Quaverse, QRAT, and Qontroller.

In June 2016 the malware was used to target individuals applying for a US Visa in Switzerland, resulting in the family’s first coverage in the security industry.

Today, Qrypter continues to rise in prominence, typically being delivered via malicious email campaigns such as the one shown below.

While Qrypter is usually used in smaller attacks that deliver only a few hundred emails per campaign, it affects many organizations worldwide. In February 2018 we tracked three Qrypter-related campaigns that affected 243 organizations in total. The graph below provides a breakdown of the recipient TLDs in these campaigns:


Upon execution, Qrypter drops and executes two VBS files in the %Temp% folder using random filenames. These scripts are used to collect details of any firewall and anti-virus products on the victim's PC:

Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")
For Each objItem in colItems
With objItem
WScript.Echo "{""FIREWALL"":""" & .displayName & """}"
End With Next
ASCII Strings:
Set oWMI = GetObject("winmgmts: impersonationLevel=impersonate
Set colItems = oWMI.ExecQuery("Select 
from AntiVirusProduct")
For Each objItem in colItems
With objItem
WScript.Echo "
End With

It then executes a .REG file which is also dropped in the %Temp% folder using a random filename. This lowers the system's overall security settings and prevents a long list of forensics- and security-related processes from executing. Furthermore, the same list of processes are subsequently terminated by the malware by running the Windows taskkill command.

It drops a copy of itself and create the following registry as an autostart mechanism:

{random strings} "%AppData%\Oracle\bin\javaw.exe" -jar \"%USERPROFILE%\{random strings}\{random strings}.txt

Finally, it connects to its TOR based command and control server, vvrhhhnaijyj6s2m[.]onion[.]top. As a plugin based backdoor, Qrypter is able to execute a range backdoor functionality including:

  • Remote desktop connection
  • Webcam access
  • File system manipulation
  • Installation of additional files
  • Task manager control

Business model

Similar to Adwind, Qrypter is rented monthly for the price of 80 USD, payable in PerfectMoney, Bitcoin-Cash, or Bitcoin. Customers can also pay for three months or one year subscriptions for a discounted price. An older Bitcoin address that receives payment for Qrypter subscriptions was observed to have received a total of 1.69 BTC. This is roughly 16,500 USD at the time of writing (although given the volatility of Bitcoin, this is subject to rapid change).


It is worth noting that this only reveals earnings from one of the QUA-related cryptocurrency addresses and that the total across all wallets and currencies is likely to be much higher.

In order to provide support to their customers, QUA R&D runs a forum called ‘Black&White Guys’ for discussing anything related to the Qrypter MaaS. This forum currently lists 2,325 registered members:

The content of this forum reveals the nature of how QUA R&D operates and their efforts to keep their customers happy. For instance, the administrators regularly create threads to inform and reassure their customers that their crypting service, currently sold for 5 USD, is fully undetected (FUD) by anti-virus vendors. If customers are unsatisfied, credit returns are offered:

Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors.

While the forum is predominantly for Qrypter customers, it is also used to attract potential resellers for their product. Resellers are provided with discount codes – just as with legitimate businesses – which helps them to increase Qrypter's popularity in underground circles:

In a similar vein, older versions of the RAT version are offered to customers for free.

Interestingly, cracking competitor products appear to be another part of QUA R&D’s strategy – the post below shows an administrator announcing that they have cracked Unknown RAT. This is presumably to generate the other kind of FUD (i.e. ‘fear, uncertainty, and doubt’) about their competition.

Similar posts suggest that even in their early days the QUA R&D group considered JBifrost, an Adwind alias, to be their primary competitor and have taken similar measures to sway would-be customers.

Protection statement

Forcepoint customers are protected against this threat at the following stages of attack:

Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.


This post highlights the determination of QUA R&D to replace the infamous Adwind in the cross-platform MaaS business. With two years of operation and over 2K registered users in their forum, it appears that they are getting increasing traction in underground circles.

While the Qrypter MaaS is relatively cheap, QUA R&D's occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by understanding how cybercriminal enterprises such as QUA R&D operate, we are better positioned to develop defense strategies and predict future developments.

Indicators of Compromise

Qrypter SHA-256


Qrypter C2s


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.