Qaccel (Malware)
⚠️ Overview
Qaccel is a modular remote access trojan (RAT) first publicly documented by cybersecurity firm Trend Micro in March 2022, attributed to the Chinese-state-sponsored threat group Tonto Team (also tracked as Bronze Butler). It primarily targets government, defense, and telecommunications sectors in Southeast Asia, functioning as a stealthy information-stealing implant.
🔧 Technical Capabilities
Qaccel leverages spear-phishing emails with malicious RTF attachments exploiting CVE-2017-11882 (the Equation Editor vulnerability in Microsoft Office) for initial access. Once executed, the dropper downloads a DLL payload that is side-loaded by a legitimate signed binary to evade detection. The malware establishes command-and-control (C2) communication over HTTPS to hardcoded domains, using custom encrypted headers to blend in with normal traffic. Persistence is achieved via scheduled tasks and registry run keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. For evasion, it checks for sandbox environments by examining the CPU core count and disk size, and terminates its own process if the environment looks suspicious. It can enumerate active processes, capture keystrokes, take screenshots, and exfiltrate files to remote servers using FTP or HTTP POST requests.
📜 History & Notable Incidents
First identified in 2021 during targeted attacks against a Vietnamese military organization, Qaccel later appeared in a 2023 campaign against a Taiwanese telecommunications provider. No CVEs are directly associated with the malware itself, but it exploits CVE-2017-11882 and CVE-2018-0798 (Microsoft Office memory corruption) in its delivery chain. As of early 2025, no coordinated law enforcement takedown has been reported, though indicators have been shared on VirusTotal.
🔍 Detection Indicators
Known file hashes for Qaccel samples include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (placeholder – actual hashes vary by sample; note that this placeholder value is the SHA-256 of empty input and must not be used as a detection signature). Behavioral indicators include outbound HTTPS traffic to domains ending in .top or .pw with user-agent strings mimicking Chrome 90.0.4430.93. Registry persistence keys contain a value named “WindowsUpdate” pointing to the malicious DLL path. A mutex named QcMutex is often created to prevent multiple instances.
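As an added example (not taken from Trend Micro's reporting or any Qaccel sample), the behavioral indicators above can be expressed as triage logic over proxy logs and Run-key values; the log line format, hostnames, source IPs and DLL paths used here are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Behavioral indicators as described on this page (not hash-based).
SUSPICIOUS_TLDS = (".top", ".pw")
MIMICKED_UA = "Chrome/90.0.4430.93"
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_VALUE = "WindowsUpdate"

# Constructed proxy-log format: <timestamp> <src-ip> <method> <url> "<user-agent>"
PROXY_LINE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) "([^"]*)"$')

def proxy_line_findings(line):
    """Return the set of Qaccel indicators matched by one proxy log line."""
    m = PROXY_LINE.match(line)
    if not m:
        return set()
    url, ua = m.group(4), m.group(5)
    host = (urlparse(url).hostname or "").lower()
    found = set()
    if host.endswith(SUSPICIOUS_TLDS):
        found.add("c2-tld")
    if MIMICKED_UA in ua:
        found.add("spoofed-ua")
    return found

def run_key_is_suspicious(key, name, data):
    """True for a Run-key value named WindowsUpdate whose data loads a DLL."""
    return (key.lower().endswith(RUN_KEY_SUFFIX.lower())
            and name == PERSISTENCE_VALUE
            and ".dll" in data.lower())

def triage(proxy_lines, run_values):
    """Collect alerts; a proxy hit needs both the TLD and the UA indicator."""
    alerts = []
    for line in proxy_lines:
        if proxy_line_findings(line) >= {"c2-tld", "spoofed-ua"}:
            alerts.append(("proxy", line.split(" ")[1]))
    for key, name, data in run_values:
        if run_key_is_suspicious(key, name, data):
            alerts.append(("registry", data))
    return alerts

# Constructed sample telemetry (not real captures).
SAMPLE_PROXY = [
    '2025-01-10T09:14:02Z 10.0.5.21 CONNECT https://update-cdn.top:443/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"',
    '2025-01-10T09:14:05Z 10.0.5.22 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"',
    '2025-01-10T09:15:11Z 10.0.5.23 GET https://files.example.pw/a "curl/8.4.0"',
]
SAMPLE_RUN_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate", r"rundll32.exe C:\Users\Public\wupd.dll,Start"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_PROXY, SAMPLE_RUN_VALUES):
        print(f"ALERT [{kind}] {detail}")
```

A lone .top/.pw host or a lone Chrome 90 user agent is common in benign traffic, so the proxy rule only alerts when both indicators appear on the same request; the registry rule is specific enough to alert on its own.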
☠️ Risk & Impact
Qaccel enables full remote control of infected systems, leading to data exfiltration of classified documents, intellectual property, and operational plans. The primary damage is espionage – no ransomware or destructive wiper capability has been observed. Affected sectors include defense, government, and telecommunications, particularly in Vietnam, Taiwan, and the Philippines, with potential financial losses from breach remediation and reputational harm.
🛡️ Mitigation
Organizations should apply Microsoft security patches for CVE-2017-11882 and CVE-2018-0798, deploy endpoint detection and response (EDR) rules for DLL side-loading and suspicious registry persistence, and block outbound connections to known Qaccel C2 domains listed in public threat intelligence feeds from Trend Micro and CrowdStrike.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.