Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

RingQ

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Shadow-Earth-053

In one targeted environment, we detected a sample of RingQ, which is an open-source tool of Chinese origin available on GitHub that is designed to pack malicious binaries in order to evade detection by security solutions.

via trend micro researchtrendmicro.com
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

2 techniques
T1027Obfuscated Files or InformationEvidence2

In one victim's environment, TrendAI detected RingQ, an open-source tool developed in China and available on GitHub that can be used to pack malicious binaries to evade detection by security solutions.

T1027.002Software PackingEvidence2

...as well as RingQ to pack malicious binaries and evade detection.

INDICATORS OF COMPROMISE

IOCs tracked for this family

13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
13 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
polyswarmNews
May 15, 2026
SHADOW-EARTH-053 Uses Legacy Exchange Exploitation to Target Asia-Pacific Governments

Verticals Targeted: Government, Defense, Technology, Transportation, Critical Infrastructure Regions Targeted: South Asia, Southeast Asia, East Asia Related Families: ShadowPad, GODZILLA, NOODLERAT, IOX, GOST, Wstunnel, RingQ, VShell

Read more
register securityNews
Apr 30, 2026
Chinese spy group caught lurking in Poland, Asia networks • The Register

An open-source packer used to obfuscate or pack malicious binaries to evade security detection.

Read more
trend micro researchNews
Apr 30, 2026
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia | Trend Micro (US)

RingQ is an open-source packer used to wrap malicious binaries to evade security detection.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching13

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.