xRAT (QuasarRAT) Malware Being Distributed Through Webhard (Adult Games)
AhnLab SEcurity intelligence Center (ASEC) recently discovered that the xRAT (QuasarRAT) malware is being distributed through a webhard, disguised as an adult game. In Korea, webhard services are one of the most commonly used platforms for distributing malware.
Typically, threat actors use malware that is easily accessible, such as njRAT and XWormRAT, and disguise it as legitimate programs (e.g. games) or adult content to distribute it. Numerous cases have been covered in the AhnLab SEcurity intelligence Center (ASEC) blog posts below.
- Remcos Rat Distributed via WebHard
- UDP Rat Malware Being Distributed via WebHards
- njRAT Being Distributed Through WebHards and Torrent
- njRAT Malware Distributed via Major Korean Webhard
- Korat Backdoor Being Distributed Through Adult File-Sharing Sites
- XWorm v5.6 Malware Being Distributed via WebHards
The download page of a webhard distributing compressed files containing the malware is disguised as an adult game, as shown in Figure 1. Aside from this post, the threat actor also uploaded other games, as shown in Figure 2. It is likely that the same malware was distributed through these posts as well; however, the posts had already been deleted at the time of writing, so this cannot be confirmed.

Figure 1. Distributed post

Figure 2. Other posts by the same threat actor
Upon opening the downloaded ZIP file, users can see the files shown in Figure 3 below. Users who download the file will naturally execute the “Game.exe” file to run the game. However, “Game.exe” is not a game program but a launcher that executes the malware. The actual launcher that runs the game is the “Data1.Pak” file located in the same path as “Game.exe”. The main files and their functions are listed in Table 1 below.

Figure 3. File structure
| File Name | Function |
|---|---|
| Game.exe | Launcher file that executes the game and the malware |
| Data1.Pak | Launcher file that runs the game |
| Data2.Pak | Injector that injects the shellcode |
| Data3.Pak | Text file containing the shellcode |

Table 1. Main files and their functions
When the “Game.exe” file is executed and the “Game Play !” button is clicked, the “Data1.pak” file is copied to the “Locales_module” folder under the name “Play.exe”.
Subsequently, the “Data2.pak” and “Data3.pak” files in the “Locales_module” path are copied to the “C:\Users\[User Account Name]\AppData\Local\Microsoft\Windows\Explorer” path with the names “GoogleUpdate.exe” and “WinUpdate.db”, respectively.
Then, “Play.exe” is executed to run the actual game, and “GoogleUpdate.exe” is executed as well.
When GoogleUpdate.exe is executed, it searches for “WinUpdate.db” in the same path, performs string replacement on its contents and decrypts them with the AES algorithm to obtain the final shellcode, which it then injects into explorer.exe. Additionally, it patches the EtwEventWrite() function in explorer.exe with 0xC3 (RET) to disable Event Tracing for Windows (ETW) event logging.
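The file-drop chain described above leaves a recognizable trace in endpoint telemetry: an executable named GoogleUpdate.exe and a WinUpdate.db written under the user's AppData\Local\Microsoft\Windows\Explorer folder, a Play.exe launched from a Locales_module folder, and GoogleUpdate.exe then started from that Explorer folder rather than from Google's own update directory. The following hunting script is an added example, not ASEC's code; it runs over simplified, constructed Sysmon-style events (ID 11 FileCreate, ID 1 ProcessCreate) whose field names mirror Sysmon's, and flags each step of the chain while ignoring the legitimate Google updater.

```python
"""Hunt for the webhard xRAT drop chain in simplified Sysmon-style events.

Events are plain dicts (constructed sample data, not real telemetry):
  id 11 = FileCreate (Image, TargetFilename), id 1 = ProcessCreate (Image, ParentImage).
"""
import re
from typing import Iterable

# Folder and file names are taken from the post; everything else is assumed.
DROP_DIR = re.compile(r"\\AppData\\Local\\Microsoft\\Windows\\Explorer\\", re.I)
DROPPED = {"googleupdate.exe", "winupdate.db"}
STAGING_DIR = re.compile(r"\\Locales_module\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_indicators(events: Iterable[dict]) -> list[str]:
    """Return one human-readable finding per suspicious event, in event order."""
    findings = []
    for ev in events:
        if ev["id"] == 11 and DROP_DIR.search(ev["TargetFilename"]) \
                and basename(ev["TargetFilename"]) in DROPPED:
            findings.append(f"drop: {ev['Image']} wrote {ev['TargetFilename']}")
        elif ev["id"] == 1:
            img, parent = ev["Image"], ev["ParentImage"]
            if DROP_DIR.search(img) and basename(img) == "googleupdate.exe":
                findings.append(f"exec: {img} launched by {parent}")
            elif STAGING_DIR.search(img) and basename(img) == "play.exe":
                findings.append(f"staging: {img} launched by {parent}")
    return findings


SAMPLE_EVENTS = [  # constructed sample mirroring the chain in the post
    {"id": 11, "Image": r"C:\Users\u\Downloads\game\Game.exe",
     "TargetFilename": r"C:\Users\u\Downloads\game\Locales_module\Play.exe"},
    {"id": 11, "Image": r"C:\Users\u\Downloads\game\Game.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Microsoft\Windows\Explorer\GoogleUpdate.exe"},
    {"id": 11, "Image": r"C:\Users\u\Downloads\game\Game.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Microsoft\Windows\Explorer\WinUpdate.db"},
    {"id": 1, "Image": r"C:\Users\u\Downloads\game\Locales_module\Play.exe",
     "ParentImage": r"C:\Users\u\Downloads\game\Game.exe"},
    {"id": 1, "Image": r"C:\Users\u\AppData\Local\Microsoft\Windows\Explorer\GoogleUpdate.exe",
     "ParentImage": r"C:\Users\u\Downloads\game\Game.exe"},
    {"id": 1, "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},  # legitimate updater, must not fire
]

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_EVENTS):
        print(line)
```

The same path and name matching can be lifted into a SIEM or Sysmon rule; the key discriminator is GoogleUpdate.exe living under the user's Explorer profile folder instead of the vendor's Program Files path.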

Figure 4. Part of the injection code

Figure 5. Event log disabled code
The code ultimately injected into “explorer.exe” is xRAT (QuasarRAT), which performs various malicious behaviors such as collecting system information, keylogging, and downloading and uploading files.

Figure 6. xRAT (QuasarRAT) configuration
As seen above, malware is being actively distributed through Korean file-sharing websites and webhard services, so users must be cautious. Users should be especially careful when downloading executable files from file-sharing websites, and it is recommended to download programs such as utilities and games from their official websites.
[File Detection]
Data/Bin.Shellcode (2026.01.04.03)
Trojan/Win.Agent.C5834849 (2026.01.04.00)
Trojan/Win.Loader.C5834845 (2026.01.04.00)
Trojan/Win32.Subti.C1663822 (2016.11.15.00)
[Behavior Detection]
Malware/MDP.Behavior.M1839 (2018.01.11.00)