Quarian

Quarian is a little-known backdoor malware family, including a version 3 variant also referred to as Turian. Reporting in the provided content links Quarian to Chinese-speaking espionage activity and assesses with medium to high confidence that some Quarian/PlugX operations were conducted by the CloudComputating group, also known as BackdoorDiplomacy or Faking Dragon. Quarian was observed in attacks against Middle Eastern and African governments in 2020, and later in a long-running intrusion affecting an ISP in West Asia where victim machines had been infected with Quarian v3 since 2022. In that case, attackers used existing Quarian access to deploy the modular in-memory QSC framework beginning on October 10, 2023, and also deployed the GoClient Golang backdoor. Quarian has been delivered via DLL sideloading chains, including abuse of legitimate executables such as mobpopup.exe renamed to winsecunicity.exe to sideload pc2msupp.dll, and Sophos observed similar sideloading chains associated with suspected Quarian loader deployment. Another reported infection chain involved exploitation of Microsoft Exchange CVE-2020-0688 followed by a ChinaChopper web shell to deploy Quarian and PlugX. Quarian was also observed modifying Windows services such as swprv and rasauto so ServiceDll values pointed to QSC loader DLLs including swprr.dll and rasautosvc.dll. A reported Quarian sample located at C:\Windows\SysWOW64\appmgmt.dll had MD5 97b0a8e8d125e71d3d1dd8e241d70c5b and was configured to use proxy.oracleapps.org, infrastructure previously linked to BackdoorDiplomacy. The malware is associated in the content with government and telecom/ISP targeting in the Middle East, Africa, and West Asia, and with post-compromise activity including persistence, loader deployment, and enabling follow-on espionage tooling.