top of page

Discover QwixxRAT: A Stealthy Remote Access Trojan Advertised for Sale

In the ever-evolving world of cybersecurity, a highly threatening and sophisticated remote access Trojan (RAT), known as QwixxRAT, has made its entrance. Notably, the creators of this perilous tool are brazenly advertising it on popular communication platforms – Telegram and Discord.

Uptycs, the cybersecurity firm that uncovered QwixxRAT, has reported that once the RAT finds its way into a Windows system, it activates a data-mining operation characterized by discretion and efficiency. Data collected from the infected device is directly channeled back to the hacker via a Telegram bot. This approach offers the threat actors unauthorized yet easy access to a trove of the victim’s personal and confidential information.

QwixxRAT stands out in the sea of cyber threats due to its tremendous data harvesting capabilities. It has been designed with an impressive amount of attention to detail, which enables it to effortlessly accrue data from different sources, such as browser history, bookmarks, cookies, documents fitting specific file extensions, and even software like Steam and Telegram. It can likewise acquire data regarding credit card information and keystrokes, and capture screenshots at opportune times.Offered at affordable rates of 150 rubles for weekly access and 500 rubles for unlimited access, it even includes a limited free version, enhancing its popularity among cybercriminals.

QwixxRAT serves as an example of the increasing sophistication of modern malware. It has been programmed in C#, a widely used, powerful and flexible programming language, and demonstrates an array of effective anti-discovery techniques. These include delaying its execution process through a sleep function and conducting checks to establish whether it is operating within a sandbox or virtualized environment. Additional observational functionality allows QwixxRAT to remain dormant when certain processes, such as "taskmgr," "process hacker," "netstat," among others, are identified, resuming activities only once those processes have ended.

Furthermore, QwixxRAT comes equipped with a clipper, designed to clandestinely retrieve sensitive information copied to the device's clipboard. Intriguingly, this clipper especially targets cryptocurrency wallet data, providing cybercriminals with an additional source of illicit income.

Communication and control (C2) is achieved through a Telegram bot, which can remotely command additional, more invasive data extraction operations such as webcam and audio recordings, and create opportunities for misusing system power, including remote shutdown and restart commands.

The emergence of QwixxRAT comes on the heels of the discovery of two other RAT variants: RevolutionRAT and Venom Control RAT, identified by Cyberint. These malicious tools, also advertised on Telegram channels, showcase data exfiltration and enhanced C2 capabilities that are alarmingly advanced. As more cyber threats sprout up with growing sophistication and stealth, continuous vigilance and cybersecurity enhancement are critical to maintain adequate protection.

At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.


Commenting has been turned off.
bottom of page