QwixxRAT Trojan

A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms.

"Once installed on the victim's Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker's Telegram bot, providing them with unauthorized access to the victim's sensitive information," Uptycs said in a new report published today.

The cybersecurity company, which discovered the malware earlier this month, said it's "meticulously designed" to harvest web browser histories, bookmarks, cookies, credit card information, keystrokes, screenshots, files matching certain extensions, and data from apps like Steam and Telegram.

The tool is offered for 150 rubles for weekly access and 500 rubles for a lifetime license. It also comes in a limited free version.


A C#-based binary, QwixxRAT comes with various anti-analysis features to remain covert and evade detection. This includes a sleep function to introduce a delay in the execution process as well as run checks to determine whether it's operating within a sandbox or virtual environment.

Other functions allow it to monitor for a specific list of processes (e.g., "taskmgr," "processhacker," "netstat," "netmon," "tcpview," and "wireshark"), and if detected, halts its own activity until the process is terminated.

QwixxRAT Trojan

Also incorporated in QwixxRAT is a clipper that stealthily accesses sensitive information copied to the device's clipboard with an aim to conduct illicit fund transfers from cryptocurrency wallets.

Command-and-control (C2) is facilitated by means of a Telegram bot, through which commands are sent to carry out additional data collection such as audio and webcam recordings and even remotely shutdown or restart the infected host.


The disclosure comes weeks after Cyberint disclosed details of two other RAT strains dubbed RevolutionRAT and Venom Control RAT that's also advertised on various Telegram channels with data exfiltration and C2 connectivity features.

It also follows the discovery of an ongoing campaign that employs compromised sites as launchpads to present a fake Chrome web browser update to entice victims to install a remote administration software tool called NetSupport Manager RAT by means of a malicious JavaScript code.

The use of a deceptive browser update lure is synonymous with SocGholish (aka FakeUpdates), but definitive evidence connecting the two sets of activities remains elusive.

"The abuse of readily available RATs continues as these are powerful tools capable of fulfilling the adversaries’ needs to carry out their attacks and achieve their objectives," Trellix said. "While these RATs may not be constantly updated, the tools and techniques to deliver these payloads to potential victims will continue to evolve."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.