Qealler – Heavily Obfuscated JAR-based Password Stealer Malware Delivered Through Invoice-related Files

A new highly obfuscated malware dubbed Qealler designed to steal sensitive information from the infected machine. The malware is written in java.

The initial attack starts with social engineering technique, attackers send the victim a malicious JAR file disguised as an invoice-related file, when the user double-clicks to open the file, then malware will get downloaded from a compromised site.

Zscaler initially observed the campaign on Jan 21, 2019, and the malware is active for more than 2 weeks.

The JAR files were heavily obfuscated using an open source command-line tool ProGuard that shrinks, optimizes and obfuscates Java code.

Upon execution of malware, a file will be downloaded and saved to %USERPROFILE% if the directory doesn’t exist it creates the directory and stores the file in the encrypted file in the same location.

%USERPROFILE%\a60fcc00\bda431f8\a90f3bcc\83e7cdf9 (/lib/7z)
%USERPROFILE%\a60fcc00\bda431f8\a90f3bcc\db2bf213 (/lib/qealler)

Along with the two downloaded files, a unique machine ID is generated in another file path. The 7z file contains a repackaged version of 7za[.]exe and additional DLL files.

The 7-zip executable is called by the main sample and the downloaded Qealler module is a password-protected file, that opens after applying the password.

QeallerQealler

Executed Qealler module contains Python 2.7.12, in case python framework not present in the user system it will install the module and also creates a directory named QaZaqne.

The extracted Remittance[.]jar executes a python file main[.]py, which steals the credentials on an infected Windows machine. The scraped information from the C&C server is encrypted and encoded with BASE64 and sent to the command-and-control (C2) server.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems across…

9 hours ago

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21 popular…

9 hours ago

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its focus…

9 hours ago

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu, has…

9 hours ago

Hackers Use Pahalgam Attack-Themed Decoys to Target Indian Government Officials

The Seqrite Labs APT team has uncovered a sophisticated cyber campaign by the Pakistan-linked Transparent…

10 hours ago

LUMMAC.V2 Stealer Uses ClickFix Technique to Deceive Users into Executing Malicious Commands

The LUMMAC.V2 infostealer malware, also known as Lumma or Lummastealer, has emerged as a significant…

10 hours ago