Quarian
Quarian is a little-known backdoor malware observed in attacks against government entities in the Middle East and Africa during 2020. Kaspersky reported that in at least one case the malware was deployed after exploitation of Microsoft Exchange Server vulnerability CVE-2020-0688, followed by use of a ChinaChopper web shell to install both Quarian and PlugX. Kaspersky assessed with medium to high confidence that this Quarian/PlugX activity was conducted by a Chinese-speaking actor it tracks as CloudComputating, previously reported targeting Middle Eastern diplomatic entities. Sophos later noted that a 2023 intrusion cluster in a Southeast Asian government environment attempted to use a renamed legitimate executable, mobpopup.exe (renamed winsecunicity.exe), to sideload a malicious DLL, pc2msupp.dll, in a delivery chain resembling prior reporting on Quarian backdoor deployment; Sophos blocked that execution. Sophos also observed the same sideloading chain described by Bitdefender being used to deploy a Merlin C2 Agent and a suspected loader for the Quarian backdoor. High-confidence behavior directly stated in the source material is that Quarian is delivered via DLL sideloading and has been associated with exploitation of Exchange CVE-2020-0688 and ChinaChopper-based post-exploitation. Reported targets include Middle Eastern, African, and Southeast Asian government organizations.
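As an added detection example (not Mallory's code nor any vendor's), the Python below flags the delivery pattern described above, a renamed legitimate executable loading an unsigned DLL from its own directory, over constructed Sysmon-style records. Only the file names come from the reporting; the paths, signing status and the joined record layout (ProcessOriginalFileName from a ProcessCreate event placed beside ImageLoad fields) are assumptions.

```python
# Added example, not Mallory's or any vendor's code. Each record is an
# assumed join of a ProcessCreate event (OriginalFileName of the process)
# with that process's ImageLoad events (ImageLoaded, Signed).
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry, not real events. Paths and signing status
# are assumptions; only the file names come from public reporting.
EVENTS = [
    {"Image": r"C:\Users\Public\winsecunicity.exe",
     "ProcessOriginalFileName": "mobpopup.exe",
     "ImageLoaded": r"C:\Users\Public\pc2msupp.dll",
     "Signed": "false"},
    {"Image": r"C:\Users\Public\winsecunicity.exe",
     "ProcessOriginalFileName": "mobpopup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\mobpopup.exe",
     "ProcessOriginalFileName": "mobpopup.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true"},
]


def is_renamed(event):
    """True when the on-disk name differs from the PE's OriginalFileName."""
    on_disk = PureWindowsPath(event["Image"]).name.lower()
    return on_disk != event.get("ProcessOriginalFileName", "").lower()


def is_sideload_candidate(event):
    """DLL loaded from the process's own directory, outside the system
    directories, and not signed: the search-order behaviour sideloading abuses."""
    exe_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    dll_dir = str(PureWindowsPath(event["ImageLoaded"]).parent).lower()
    unsigned = event.get("Signed", "").lower() != "true"
    return exe_dir == dll_dir and dll_dir not in SYSTEM_DIRS and unsigned


def find_sideloads(events):
    """Return (process, dll) pairs where a renamed binary loads an unsigned
    DLL beside itself; only the first constructed record above matches."""
    return [(e["Image"], e["ImageLoaded"]) for e in events
            if is_renamed(e) and is_sideload_candidate(e)]


if __name__ == "__main__":
    for proc, dll in find_sideloads(EVENTS):
        print(f"renamed {proc} sideloaded {dll}")
```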
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
"In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server."
"Quarian is a little-known malicious program... we noticed a new variant that was used during several attacks on Middle Eastern and African governments during 2020."
Groups observed using it
3 distinct threat actors attributed by public researchers.
"In April, the actor was observed exploiting the legitimate executable mobpopup.exe (renamed winsecunicity.exe) to sideload a malicious DLL (pc2msupp.dll). This deployment technique also resembles a process outlined ... to sideload the Quarian backdoor."
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
"...deployed following exploitation of the CVE-2020-0688 vulnerability... on a Microsoft Exchange server."
Persistence (1 technique)
"...was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors."
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A backdoor referenced as the suspected intended payload of a sideloading chain, though execution was prevented before confirmation.
Backdoor referenced as a payload in suspected loader/sideloading chains (payload deleted before execution in this case).
Backdoor used by Chinese-speaking actors; resurfaced with new variants in 2019–2020 and deployed after Exchange exploitation in at least one case.