QDoor
QDoor is a network tunneling backdoor/proxy malware publicly reported in 2024 and repeatedly associated in reporting with BlackSuit-linked intrusions. It has been described as a backdoor using Qt networking libraries, and in some reporting as Rust malware functioning as a C2 proxy. Its observed role is to provide covert tunneling and proxy capability, including facilitating RDP lateral movement and persistence after initial compromise.
Across multiple incident reports, QDoor was deployed after social-engineering-led initial access, especially email bombing and fake IT/help-desk calls that convinced victims to grant access through Microsoft Quick Assist. In several 2025 intrusions, attackers launched a QEMU-hosted Windows 7 virtual machine on the victim host; QDoor was pre-installed in that VM, giving the operators an isolated foothold that initially evaded host-based endpoint detection and enabled reconnaissance, persistence, and lateral movement. Reporting also describes QDoor being dropped directly as files such as soc.dll, vol.exe, svchost.exe, svhost.exe, and SOCKS.EXE.
Observed behavior includes outbound communication to hardcoded command-and-control infrastructure, most notably 88.119.167.239 over TCP 443 (also rendered in some reporting as 88[.]119[.]167[.]239 or 88.118.167[.]239). Dynamic analysis of related samples showed SOCKS.EXE attempting to connect to that IP, and one report noted QDoor traffic was unencrypted, used the header C4 C3 C2 C1, sent basic host registration data, and supported heartbeat and tunnel commands. QDoor has been used to proxy RDP traffic through compromised systems and to facilitate lateral movement.
QDoor has been observed in intrusions involving BlackSuit and in later activity tied to 3AM ransomware delivery. Sophos documented attackers using QDoor before an attempted 3AM ransomware deployment, and other reporting linked QDoor artifacts to BlackSuit tooling overlap in SafePay incidents. It has also been referenced in broader Black Basta/BlackSuit-style social engineering campaigns and in QEMU-based intrusion tradecraft. Targeting in the cited reporting spans enterprise environments, including incidents affecting finance/insurance and construction, as well as general corporate Windows networks and servers.
High-confidence indicators cited directly in the reporting summarized here include the C2 IP 88.119.167.239 over port 443; related filenames soc.dll, SOCKS.EXE, vol.exe, svchost.exe, and svhost.exe; and the SHA256 hashes 921df888aaabcd828a3723f4c9f5fe8b8379c6b7067d16b2ea10152300417eae (soc.dll), 6c1d36df94ebe367823e73ba33cfb4f40756a5e8ee1e30e8f0ae55d47e220a6a (embedded RunPE DLL), and e79608cf1d6b51324c14bef8883054c1238ed5f080222cc464810e6e14adc346 (injected PE identified as QDoor-related payload).
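The following is an added example, not code from this page or from any vendor report, showing how the network and file indicators above could be applied to telemetry in a hunting script: it flags the reported C4 C3 C2 C1 frame header, connections to the reported C2 endpoint 88.119.167.239:443, and the three listed SHA-256 hashes. As a generalisation beyond the page, it also treats non-TLS bytes on tcp/443 as a weak pivot, since the traffic was reported as unencrypted despite using port 443. The flow and file records, hostnames and every address other than the C2 are constructed for the example; the command structure beyond the 4-byte header is not described on the page, so only the header is checked.

```python
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the write-up above.
QDOOR_HEADER = bytes.fromhex("c4c3c2c1")          # reported plaintext frame header
QDOOR_C2 = {("88.119.167.239", 443)}               # reported hardcoded C2 endpoint
QDOOR_SHA256 = {                                   # reported sample hashes
    "921df888aaabcd828a3723f4c9f5fe8b8379c6b7067d16b2ea10152300417eae": "soc.dll",
    "6c1d36df94ebe367823e73ba33cfb4f40756a5e8ee1e30e8f0ae55d47e220a6a": "embedded RunPE DLL",
    "e79608cf1d6b51324c14bef8883054c1238ed5f080222cc464810e6e14adc346": "injected QDoor payload",
}


@dataclass(frozen=True)
class Flow:
    """One client-to-server TCP flow; payload holds the first bytes the client sent."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class FileEvent:
    host: str
    path: str
    sha256: str


def looks_like_tls(payload: bytes) -> bool:
    """True if the first bytes resemble a TLS record header (content type 0x16
    handshake, version major byte 0x03). Anything else on tcp/443 merits a look."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def check_flow(flow: Flow) -> list[str]:
    """Return the reasons (possibly none) a flow matches QDoor network indicators,
    strongest first."""
    reasons = []
    if (flow.dst, flow.dport) in QDOOR_C2:
        reasons.append("known QDoor C2 endpoint")
    if flow.payload[:4] == QDOOR_HEADER:
        reasons.append("QDoor C4C3C2C1 frame header")
    # Weak, generic signal: QDoor traffic was reported as unencrypted on 443, so
    # non-TLS bytes on that port are a useful hunting pivot even without IOCs.
    if flow.dport == 443 and flow.payload and not looks_like_tls(flow.payload) and not reasons:
        reasons.append("non-TLS payload on tcp/443")
    return reasons


def check_file(event: FileEvent) -> Optional[str]:
    """Return the label of the matching QDoor sample, or None."""
    return QDOOR_SHA256.get(event.sha256.lower())


def scan(flows, files) -> list[dict]:
    """Run both checks and return one alert dict per matching record."""
    alerts = []
    for f in flows:
        reasons = check_flow(f)
        if reasons:
            alerts.append({"type": "network", "src": f.src,
                           "dst": f"{f.dst}:{f.dport}", "reasons": reasons})
    for e in files:
        label = check_file(e)
        if label:
            alerts.append({"type": "file", "host": e.host, "path": e.path, "match": label})
    return alerts


# Constructed telemetry for the example (not captured from a real incident).
# Documentation/private ranges are used for everything except the reported C2.
SAMPLE_FLOWS = [
    Flow("10.20.30.40", "88.119.167.239", 443, QDOOR_HEADER + b"\x00\x0cWKSTN-0417\x00"),
    Flow("10.20.30.41", "198.51.100.20", 443, bytes.fromhex("160301007a010000")),  # TLS ClientHello start
    Flow("10.20.30.42", "203.0.113.10", 443, QDOOR_HEADER + b"\x00\x00"),           # header to unknown host
    Flow("10.20.30.43", "88.119.167.239", 443, b""),                                 # no payload captured
    Flow("10.20.30.44", "198.51.100.21", 443, b"GET / HTTP/1.1\r\n"),               # plaintext HTTP on 443
]
SAMPLE_FILES = [
    FileEvent("WKSTN-0417", r"C:\Users\Public\soc.dll",
              "921df888aaabcd828a3723f4c9f5fe8b8379c6b7067d16b2ea10152300417eae"),
    FileEvent("WKSTN-0417", r"C:\Windows\System32\notepad.exe", "00" * 32),  # constructed benign hash
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS, SAMPLE_FILES):
        print(alert)
```

The header check is deliberately separate from the endpoint check so that a frame sent to an address not yet on the IOC list (the third constructed flow) still surfaces; the weak non-TLS signal is only emitted when no stronger reason fired, which keeps it from duplicating alerts on known-bad flows.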
Groups observed using it
1 distinct threat actor attributed by public researchers.
"...the intrusions are also characterized by the use of a tunneling backdoor called QDoor, a malware previously attributed to BlackSuit..."
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
3 techniques
the threat actor used that account and the Windows Management Instrumentation Command-line utility (WMIC) to execute PowerShell on one of the organization’s servers.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
3 techniques
T1027.002 – Obfuscated Files or Information: Software Packing. The soc.dll file used by the Threat Actor was packed with UPX/modified UPX, an open-source packer, to conceal the content of the file.
The RunPE portion of the executable creates a new process C:\Windows\system32\WerFault.exe in a suspended state. It injects this process with the content of the embedded executable using standard process hollowing techniques.
Sophos analysts are investigating the active abuse of QEMU ... by threat actors seeking to hide malicious activity within virtualized environments. Attackers are drawn to QEMU ... because malicious activity within a virtual machine (VM) is essentially invisible to endpoint security controls and leaves little forensic evidence on the host itself.
Discovery
1 technique
Command and Control
5 techniques
These network settings gave the VM full access to the internet, allowing for command and control (C2) communications.
T1071.001 – Application Layer Protocol: Web Protocols. The 88.119.167[.]239 IP address was identified as a hardcoded command and control beacon within soc.dll, communicating over port 443 (HTTPS).
ConnectWise, discussing how the BlackSuit ransomware group was leveraging a network tunneling backdoor it dubbed “QDoor.”
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains and DNS infrastructure, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Backdoor deployed by attackers abusing QEMU, used as part of an intrusion chain that ultimately led to ransomware deployment.
QDoor is a backdoor used for persistence by threat actors, including those associated with the BlackSuit group. It enables remote access and control of compromised systems.
Network tunneling backdoor pre-installed in a QEMU-hosted Windows 7 VM to establish covert foothold and command-and-control while evading endpoint visibility.
Network tunneling backdoor associated in the article with SOCKS.EXE; used to establish covert connectivity and consistent with behavior previously described by ConnectWise.