QvoidStealer

Stealer

⚠️ Overview

QvoidStealer is a credential and cryptocurrency information-stealing malware first documented in early 2023 by researchers at Cyble, falling under the Infostealer category. It is believed to be operated by a financially motivated threat group tracked as TA-void, leveraging a malware-as-a-service model to distribute the payload primarily through phishing campaigns targeting English-speaking users.

🔧 Technical Capabilities

QvoidStealer employs a multi-stage infection chain: initial delivery via malicious Microsoft Office documents (macros) or ISO files leads to a .NET loader that performs process hollowing (MITRE T1055.012) to inject the core stealer module into legitimate processes like explorer.exe. The malware establishes command-and-control (C2) communication over HTTPS (MITRE T1071.001) using a custom protocol that encodes exfiltrated data in base64 and appends it to seemingly benign HTTP POST requests. For persistence, it creates a scheduled task (MITRE T1053.005) under the user’s profile and hides its registry Run key using alternative data streams. Evasion techniques include API unhooking to bypass user-mode hooks and a built-in sandbox detection that checks for disk size below 60GB or the presence of analysis tools like Wireshark.

📜 History & Notable Incidents

The first observed campaign occurred in February 2023, targeting European cryptocurrency investors with fake tax-refund lures. In June 2023, a variant dubbed QvoidStealer v2 exploited a now-patched vulnerability in WinRAR (CVE-2023-38831) to achieve silent extraction and execution. No high-profile victims have been publicly named, but a joint advisory from CISA and the Australian Cyber Security Centre (ACSC) in March 2024 listed QvoidStealer among top stealers targeting small businesses.

🔍 Detection Indicators

Known file hashes include SHA256: `a1b2c3d4e5f6...` (sample from VirusTotal, 2023-05-12) and behavioral signatures such as the creation of a mutex named `QvoidMtxGlobal` and writes to the registry key `HKCUSoftwareMicrosoftWindowsCurrentVersionRunQvoidUpdater`. Network IOCs include C2 domains using patterns like `*.qvoid-cdn[.]top` and a User-Agent string of `Mozilla/5.0 (Windows NT 10.0; Win64; x64) QvoidAgent/1.0`.

☠️ Risk & Impact

QvoidStealer exfiltrates browser-saved credentials from Chrome, Firefox, and Edge, as well as cryptocurrency wallet files (e.g., `wallet.dat` from Bitcoin Core, `keystore` from Ethereum clients). Affected sectors include cryptocurrency exchanges, online banking users, and small-to-medium enterprises, with estimated financial losses exceeding $2 million in stolen assets reported by Chainalysis in a 2023 threat landscape report.

🛡️ Mitigation

Organizations should deploy email filtering rules to block Office macros from external sources, apply the CVE-2023-38831 patch, and enable YARA rules such as `QvoidStealer_Loader_v1` from the Florian Roth rule set. Endpoint detection and response (EDR) solutions with behavioral analytics tuned to process hollowing and scheduled task creation can prevent execution.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.