Qhost is a malicious Trojan specifically engineered to tamper with endpoint network routing and DNS configurations. It is designed to covertly hijack web traffic by altering the local Windows `HOSTS` file, redirecting users from legitimate websites (like banking portals, search engines, or antivirus update servers) to attacker-controlled phishing domains or malicious ad networks. By operating at the local file level, it bypasses network-level DNS sinkholes.
Infection Vector and Technical Capabilities
Qhost typically infiltrates systems silently, bundled as a secondary payload alongside "freeware" software, fake browser updates, or delivered via exploit kits that capitalize on unpatched browser vulnerabilities.
Once active, it manipulates local network settings:
HOSTS File Modification: The primary capability of Qhost is forcefully modifying the Windows `HOSTS` file (`C:\Windows\System32\drivers\etc\hosts`). It maps high-traffic, legitimate domains to rogue external IP addresses controlled by the attacker.
Traffic Interception: By controlling local DNS resolution, the attackers can perform Man-in-the-Middle (MitM) attacks, serving highly convincing fake login pages to capture credentials before the user ever reaches the real website.
Security Evasion: Qhost frequently targets security vendors, mapping the domains of major antivirus companies (like Symantec, McAfee, or Microsoft) to `127.0.0.1` (localhost), effectively preventing the infected machine from downloading critical security updates.
Threat Assessment
A Qhost infection represents a severe compromise of network integrity and data confidentiality. It exposes the user to immediate credential theft via phishing (as the browser URL appears correct) and severely degrades the machine's ability to defend itself by blocking AV updates.
Incident Response and Remediation
HOSTS File Restoration: The immediate technical fix is to inspect the Windows `HOSTS` file for unauthorized entries. Delete all rogue mappings and restore the file to its default, clean state.
File Permissions: After cleaning, restrict permissions on the `HOSTS` file, setting it to Read-Only to prevent standard users or low-privileged malware from modifying it again.
Antivirus and Service Sweep: Standard AV must be used to identify and remove the executable that initially altered the file. Simply "fixing" the HOSTS file without removing the malware will result in immediate re-infection upon reboot.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1562.002T1564.001T1112
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.