QUICKHEAL is a backdoor associated in open sources with the Chinese espionage cluster Needleminer, also tracked as RedFoxtrot and Nomad Panda, which has been linked by Recorded Future to PLA Unit 69010. It has been observed in campaigns targeting the telecom sector, including a long-running intrusion set affecting multiple telecom operators in an Asian country, and infrastructure analysis suggests additional targeting themes related to India’s telecom and space sectors, with lower-confidence indications involving the Middle East and South Korea.
The described QUICKHEAL variant is a 32-bit DLL protected with VMProtect; the unpacked DLL is named RasTls.dll and exports GetOfficeDatatal. It is reported as nearly identical to variants documented in 2021, but with updated configuration and VMProtect obfuscation. The malware includes credential-theft functionality focused on Mozilla Firefox, using SQLite access and NSS libraries to query and decrypt stored credentials, including the string "select * from moz_logins." It likely also steals credentials from Microsoft Internet Explorer, with references to CryptUnprotectData, CredEnumerateA, and manipulation of the Internet Explorer GUID abe2869f-9b47-4cd9-a358-c22904dba7f7.
For command and control, QUICKHEAL contains hardcoded C2 information and a hardcoded HTTP user-agent. In the telecom campaign, it communicated with swiftandfast.net over TCP 443 and used a custom protocol designed to resemble SSL traffic while using its own encryption. The malware is proxy-aware and contains strings including "Proxy-Authenticate: NTLM," "Proxy-Authorization: NTLM," and "Proxy-Authenticate: Basic," and appears to retrieve victim internet settings via registry access.
QUICKHEAL employs multiple evasion and obfuscation techniques, including a custom API resolver, indirect LoadLibrary/GetProcAddress-style logic, position-independent code, and renaming cmd.exe to alg.exe to mimic the legitimate Windows Application Layer Gateway Service process name. Related infrastructure was reused across campaigns from roughly 2022 to 2024 and included domains and IPs hosted with providers such as Vultr and DigitalOcean.
A reported sample hash is SHA-1 9553567e231a172c69f0ef8800a927193b9cbd49.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A QUICKHEAL sample (9553567e231a172c69f0ef8800a927193b9cbd49), used in a recent campaign targeting the telecom sector, was recently uploaded to VirusTotal (VT).
A QUICKHEAL sample (9553567e231a172c69f0ef8800a927193b9cbd49), used in a recent campaign targeting the telecom sector, was recently uploaded to VirusTotal (VT).
12 distinct techniques documented for this family, organized by ATT&CK tactic.
the developers of the malware did not hold back in their efforts to obfuscate the malware’s control flow
the first thing I noticed is that this 32-bit DLL is protected using VMProtect.
the malware’s C2 address, the port it uses, and the user-agent it employs... formatting the HTTP request used to communicate with the C2
the user-agent can be found in a function whose purpose appears to be formatting the HTTP request used to communicate with the C2
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Credential-stealing malware associated with the PLA-linked RedFoxtrot / Needleminer intrusion set. The sample steals stored credentials from Mozilla Firefox by accessing SQLite and NSS components to decrypt saved passwords, and likely also targets Microsoft Internet Explorer credentials via CryptUnprotectData and CredEnumerateA. It communicates with a hardcoded HTTP C2, supports proxy-aware communications, and uses obfuscation including VMProtect packing, custom API resolution, and renaming cmd.exe to alg.exe.
A malware variant overlapping with FireEye-tracked QUICKHEAL samples from WATERFIGHT and SKYLINE campaigns; it includes code to parse and decrypt usernames and passwords from Mozilla profiles and functions as a backdoor.
China-linked espionage backdoor deployed as a 32-bit DLL (RasTls.dll) with an export GetOfficeDatatal; uses VMProtect obfuscation and communicates to a hardcoded C2 (swiftandfast.net) over TCP/443 using a custom protocol designed to resemble SSL but with its own encryption.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.