Qhost

Category: trojan_generic · Aliases: Trojan.Qhost, DNSChanger.Qhost, Win32/Qhost · Sample count (EMBER 2018): 1,722 · Enrichment: documented_reference_only · Updated: 2026-07-02T07:49:34Z

Overview

Executive Summary

Qhost is a malicious Trojan specifically engineered to tamper with endpoint network routing and DNS configurations. It is designed to covertly hijack web traffic by altering the local Windows `HOSTS` file, redirecting users from legitimate websites (like banking portals, search engines, or antivirus update servers) to attacker-controlled phishing domains or malicious ad networks. By operating at the local file level, it bypasses network-level DNS sinkholes.

Infection Vector and Technical Capabilities

Qhost typically infiltrates systems silently, bundled as a secondary payload alongside "freeware" software, fake browser updates, or delivered via exploit kits that capitalize on unpatched browser vulnerabilities. Once active, it manipulates local network settings:

Threat Assessment

A Qhost infection represents a severe compromise of network integrity and data confidentiality. It exposes the user to immediate credential theft via phishing (as the browser URL appears correct) and severely degrades the machine's ability to defend itself by blocking AV updates.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1562.002 T1564.001 T1112

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_QHOST {
    meta:
        description = "Detects Qhost (trojan_generic)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "qhost" ascii wide nocase
        $s2 = "trojan.qhost" ascii wide nocase
        $s3 = "dnschanger.qhost" ascii wide nocase
        $s4 = "win32/qhost" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Qhost Activity
id: 25bcfa586cd9ff43f0aa0cb39b1382b6
status: experimental
description: Detects generic indicators of the qhost malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*qhost*"
            - "*trojan.qhost*"
            - "*dnschanger.qhost*"
            - "*win32/qhost*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about qhost?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: trojan_generic)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/qhost.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.