VERY IMPORTANT

This report analyzes a QUICKHEAL malware sample associated with the Chinese PLA-linked Needleminer group. The 32-bit DLL, protected by VMProtect, targets the telecom sector and was compiled in April 2022. It can steal credentials from Firefox and Internet Explorer browsers. The malware communicates with a C2 server using HTTP and attempts to establish connections via proxy. It employs various obfuscation techniques, including renaming cmd.exe and using a custom API resolver. The attackers' infrastructure, spanning multiple years and campaigns, shows poor operational security but targets diverse sectors and countries, including India, South Korea, and potentially the Middle East.