Fake Trump’s Scandal Video Used to Deliver QNode Malware

Cybersecurity researchers at Trustwave have identified a new malspam campaign while reviewing a spam trap. The campaign distributes a remote access Trojan (RAT) by claiming that the attached files contain a sex scandal video of the former U.S. President Donald Trump.

According to the report, the security experts investigated further and determined that the attachment is a variant of the QRAT downloader. The experts also noted that the emails, which carry the subject line “GOOD LOAN OFFER!!,” come with a Java archive (JAR) file named “TRUMP_SEX_SCANDAL_VIDEO.jar.”

When this supposed video is downloaded, it starts to install Qua or Quaverse RAT (QRAT) onto the infiltrated system. The security experts affirmed that this is one of the most advanced attempts by threat actors to infect Windows computers using this tried-and-trusted method.


The email, with a subject like “GOOD LOAN OFFER!!,” initially seems like an unusual investment scam. The most interesting detail is the attachment: an archive containing a Java Archive (JAR) file called “TRUMP_SEX_SCANDAL_VIDEO.jar.”

The hackers appear to be trying to ride the frenzy brought about by the recently ended Presidential elections, since the filename they gave the attachment is completely unrelated to the email’s theme.
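Because the lure text and the attachment name are unrelated, a mail filter does better keying on what the attachment is than on what the email says. The following is an added example, not code from Trustwave's report or from this article: it walks a message's attachments, looks inside archives, and reports anything that is a JAR by extension or by content. The archive name `attachment.zip`, the helper names, and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_MEMBER = 20 * 1024 * 1024  # do not unpack members larger than this

def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP; used only to construct sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def scan(path, data, depth, hits):
    """Record path if data is a JAR, otherwise descend into it if it is a ZIP."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        zf = None
    names = zf.namelist() if zf else []
    # JAR by extension, or by content: a ZIP carrying a manifest or class files
    if path.lower().endswith(".jar") or any(
            n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names):
        hits.append(path)
    elif zf and depth > 0:
        for info in zf.infolist():
            # skip encrypted (unreadable) and oversized (zip-bomb) members
            if not info.flag_bits & 0x1 and info.file_size <= MAX_MEMBER:
                scan(f"{path}!/{info.filename}", zf.read(info), depth - 1, hits)

def find_jars(raw_email: bytes, max_depth: int = 2) -> list:
    """Return attachment paths that are, or contain, a Java archive."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        scan(part.get_filename() or "<unnamed>",
             part.get_payload(decode=True) or b"", max_depth, hits)
    return hits

def sample_email() -> bytes:
    """Constructed message: loan-offer subject, archive attached, JAR inside."""
    jar = make_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    msg = EmailMessage()
    msg["Subject"] = "GOOD LOAN OFFER!!"
    msg.set_content("Constructed body text.")
    msg.add_attachment(make_zip({"TRUMP_SEX_SCANDAL_VIDEO.jar": jar}),
                       maintype="application", subtype="zip",
                       filename="attachment.zip")  # constructed archive name
    return msg.as_bytes()
```

Calling `find_jars(sample_email())` returns `['attachment.zip!/TRUMP_SEX_SCANDAL_VIDEO.jar']`. Encrypted members are skipped here; a gateway should quarantine archives it cannot inspect rather than pass them.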

QRAT Downloader Variant

The JAR file “TRUMP_SEX_SCANDAL_VIDEO.jar” has been dubbed “QNODE DOWNLOADER.” It serves the same purpose as the Node.js QRAT downloaders that we have talked about previously. It also shares some other similarities with the older variants:

  • The JAR file is obfuscated using the Allatori Obfuscator;
  • The Node.js installer is retrieved from the official website nodejs.org; and,
  • This downloader still supports only Windows.

Characteristics and activities of QRAT

QRAT has the following characteristics and activities:

  • Code is encoded with base64.
  • Modules are obfuscated.
  • Obtains network information from the service hxxps://wtfismyip[.]com
  • Password-recovery functionality targets the same applications: Chrome, Firefox, Thunderbird, and Outlook.
  • The name of the attachment was based on a prominent figure.
  • The code of the downloader is split up into different buffers inside the JAR to evade detection.
  • It changes the names of the files that it creates and downloads, and it also puts them into different locations to evade existing defenses.

Spam campaigns that send out malicious JAR files leading to RATs are quite common nowadays, one of the cybersecurity firm's experts affirmed. Security experts are trying their best to counter these malicious email scams, and everyone should be aware of them.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.