VERY IMPORTANT

While reviewing spam traps, a particular campaign piqued Trustwave's interest primarily because the attachment to the email did not coincide with the theme of the email body. The email, with the Subject "GOOD LOAN OFFER!!", at first glance, looks like the usual investment scam. No obfuscation in the email headers or body is found. Interestingly, attached to the email is an archive containing a Java Archive (JAR) file called "TRUMP_SEX_SCANDAL_VIDEO.jar". The file is the QNODE DOWNLOADER, which is one of QRat's downloaders.