PWS:Win32/QQPass is a highly specialized Password Stealer (PWS) explicitly engineered to harvest credentials, chat logs, and virtual assets from Tencent QQ, one of the world's most popular instant messaging platforms.
What is QQPass?
For the victim, QQPass results in the immediate hijacking of their Tencent QQ account, often leading to the theft of virtual currency (Q Coins) and social engineering attacks against their contact list. For threat analysts, QQPass represents a highly targeted, region-specific credential stealer. While global in reach, it is predominantly utilized in Chinese cybercrime ecosystems to compromise high-value gaming and social accounts.
Infection Vectors & Threat Hunting
QQPass is widely distributed via malicious links within chat applications, peer-to-peer file sharing, and fake game mods or cheats. Upon execution, the malware actively hunts for running instances of the Tencent QQ client. It utilizes sophisticated keylogging, screen scraping, and memory reading techniques to capture the user's password as it is typed into the login prompt. Modern variants also attempt to steal the QQ session tokens stored on disk to bypass two-factor authentication.
Forensic Analysis & Impact
The primary impact is the loss of account control and potential financial theft. Incident responders should analyze the system for unauthorized DLLs injected into the QQ client process space. Threat hunters will often find dropped configuration files or encrypted log files (.dat) in the %AppData% directory containing the stolen keystrokes. Network logs will reveal outbound SMTP or HTTP POST traffic transmitting the stolen credentials back to the attacker's drop zone.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1056.001 | Input Capture: Keylogging | Collection |
T1555 | Credentials from Password Stores | Credential Access |
T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_QQPASS {
meta:
description = "Detects Qqpass (infostealer)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "qqpass" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Qqpass Activity
id: 5fbf04644f45bb2be1afffe43f5fbb57
status: experimental
description: Detects generic indicators of the qqpass malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*qqpass*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/qqpass.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.