Qqpass

Category: infostealer · Aliases: None known · Sample count (EMBER 2018): 612 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

PWS:Win32/QQPass is a highly specialized Password Stealer (PWS) explicitly engineered to harvest credentials, chat logs, and virtual assets from Tencent QQ, one of the world's most popular instant messaging platforms.

What is QQPass?
For the victim, QQPass results in the immediate hijacking of their Tencent QQ account, often leading to the theft of virtual currency (Q Coins) and social engineering attacks against their contact list. For threat analysts, QQPass represents a highly targeted, region-specific credential stealer. While global in reach, it is predominantly utilized in Chinese cybercrime ecosystems to compromise high-value gaming and social accounts.

Infection Vectors & Threat Hunting
QQPass is widely distributed via malicious links within chat applications, peer-to-peer file sharing, and fake game mods or cheats. Upon execution, the malware actively hunts for running instances of the Tencent QQ client. It utilizes sophisticated keylogging, screen scraping, and memory reading techniques to capture the user's password as it is typed into the login prompt. Modern variants also attempt to steal the QQ session tokens stored on disk to bypass two-factor authentication.

Forensic Analysis & Impact
The primary impact is the loss of account control and potential financial theft. Incident responders should analyze the system for unauthorized DLLs injected into the QQ client process space. Threat hunters will often find dropped configuration files or encrypted log files (.dat) in the %AppData% directory containing the stolen keystrokes. Network logs will reveal outbound SMTP or HTTP POST traffic transmitting the stolen credentials back to the attacker's drop zone.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1056.001Input Capture: KeyloggingCollection
T1555Credentials from Password StoresCredential Access
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1048Exfiltration Over Alternative ProtocolExfiltration
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_QQPASS {
    meta:
        description = "Detects Qqpass (infostealer)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "qqpass" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Qqpass Activity
id: 5fbf04644f45bb2be1afffe43f5fbb57
status: experimental
description: Detects generic indicators of the qqpass malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*qqpass*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the endpoint to prevent the active exfiltration of captured QQ credentials and session tokens.
  2. Assist the user in immediately recovering their Tencent QQ account from a known-clean device and forcing a password reset.
  3. Utilize EDR or memory forensics to locate and terminate the keylogging modules injected into the QQ client or <code>explorer.exe</code>.
  4. Perform a full system sweep to eradicate the dropped QQPass executables and delete any temporary log files containing stolen data.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not allow the user to type any passwords or access sensitive portals while the machine is infected, as the keylogger captures all input.
  2. Avoid ignoring the infection as 'just a chat stealer'; compromised accounts are heavily used to pivot and launch spearphishing attacks against corporate contacts.

References & External Analysis

Related Families (Category: infostealer)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/qqpass.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.