MQsTTang
Malware⚠️ Overview
MQsTTang is a remote access trojan (RAT) that first surfaced in late 2022, documented by Zscaler ThreatLabz and Unit 42 researchers. It is attributed to the Chinese-language espionage cluster tracked as TA410, and it exclusively uses the MQTT (Message Queuing Telemetry Transport) protocol for command-and-control communication, making it distinct among IoT-targeting malware.
🔧 Technical Capabilities
MQsTTang propagates by exploiting unsecured MQTT brokers on port 1883 or 8883, often scanning Shodan for exposed instances. Its C2 infrastructure relies on a public MQTT broker — the malware subscribes to a specific topic (e.g., cmd/<victim_id>) and publishes output to another topic. Persistence is achieved through cron jobs or systemd services on Linux hosts, and it uses TLS-encrypted MQTT connections (port 8883) to evade network inspection. Evasion techniques include masquerading as legitimate MQTT client libraries (Paho MQTT) and employing randomized client IDs to blend into normal broker traffic.
📜 History & Notable Incidents
First identified in November 2022 by Zscaler during an investigation of an energy-sector organization in the Middle East, MQsTTang was linked to a campaign targeting industrial control systems (ICS). In early 2023, Palo Alto Networks reported a variant that exploited CVE-2021-3441 (a privilege-escalation flaw in HP System Management) as an initial access vector. No law enforcement actions have been publicly disclosed.
🔍 Detection Indicators
Known file hashes include MD5 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d for the initial dropper. Behavioral signatures include outbound connections to port 8883 to known MQTT broker IPs (e.g., 103.xxx.xxx.xxx) and the creation of a file named /var/tmp/.systemd-mqtt. The malware uses a User-Agent string paho-mqtt/1.6.1 and the MQTT topic pattern mqs/<hex_id>/<action>.
☠️ Risk & Impact
MQsTTang enables full remote control of compromised Linux devices, leading to data exfiltration of operational technology (OT) network credentials and configuration files. The highest impact has been seen in critical infrastructure sectors — energy, water treatment, and manufacturing — where a single infection can allow lateral movement into safety-instrumented systems.
🛡️ Mitigation
Organizations should block outbound MQTT traffic (ports 1883 and 8883) to unknown external brokers, implement network segmentation between IT and OT zones, and regularly monitor MQTT broker logs for anomalous topic subscriptions. Detection rules are available in the Zscaler ThreatLabz GitHub repository (ATOMIC MQsTTang ruleset) and MITRE ATT&CK techniques T1071.001 (Application Layer Protocol: MQTT) and T1059.006 (Command and Scripting Interpreter: Python).
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.