The Quarian Backdoor Version 3, also known as Turian, is a software vulnerability that has been exploited by malicious actors since 2022. The flaw in software design or implementation allowed the attackers to infiltrate target systems and establish a persistent presence. A key indicator of this compromise was the discovery of a DLL file associated with the Quarian Backdoor Version 3, which was compiled on April 28, 2022, at 02:59:40 UTC.
In an extensive campaign, we discovered that the common directory C:\ProgramData\USOShared\ contained various tools used for reconnaissance and post-compromise activity, including the QSC framework, the GoClient backdoor, and binaries related to Quarian Backdoor Version 3. These elements suggest a sophisticated attack strategy involving multiple stages and tools, demonstrating the severity and complexity of the threat posed by this vulnerability.
Our investigation revealed that the targeted machines had been infected with Quarian Backdoor Version 3 since 2022. Starting from October 10, 2023, the same attackers leveraged this existing access to deploy the QSC framework. This suggests that the vulnerability provided the attackers with prolonged, unauthorized access to the compromised systems, enabling them to carry out further malicious activities over an extended period.
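The two indicators given above, the C:\ProgramData\USOShared\ directory and the DLL compile time of April 28, 2022, 02:59:40 UTC, can be checked on a host by reading the COFF TimeDateStamp of every PE image found under that directory. The following is an added example, not code from the original report; the function names and verdict labels are hypothetical, and the sample PE header is constructed for illustration.

```python
import struct
from datetime import datetime, timezone
from pathlib import Path

# Both values are taken from the description above.
REPORTED_COMPILE_TIME = datetime(2022, 4, 28, 2, 59, 40, tzinfo=timezone.utc)
STAGING_DIR = r"C:\ProgramData\USOShared"


def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Signature(4) + Machine(2) + NumberOfSections(2) precede TimeDateStamp.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage(data: bytes) -> str:
    """Classify a file header for review (labels are hypothetical)."""
    ts = pe_compile_time(data)
    if ts is None:
        return "not-pe"
    return "compile-time-match" if ts == REPORTED_COMPILE_TIME else "pe-in-staging-dir"


def scan(directory=STAGING_DIR):
    """Return (path, verdict, compile_time) for every PE image under directory."""
    hits = []
    root = Path(directory)
    for path in (root.rglob("*") if root.is_dir() else ()):
        try:
            head = path.read_bytes()[:4096] if path.is_file() else b""
        except OSError:  # locked or unreadable file: skip, do not abort the sweep
            continue
        verdict = triage(head)
        if verdict != "not-pe":
            hits.append((str(path), verdict, pe_compile_time(head)))
    return hits


def constructed_pe(when: datetime) -> bytes:
    """Constructed sample: minimal MZ/PE header carrying the given timestamp."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x8664, 0, int(when.timestamp()))
    return dos + coff
```

The PE timestamp is set at build time and can be altered afterwards, so a non-matching value does not clear a file; any executable image in this directory still warrants review.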
Description last updated: 2024-11-08T15:16:33.677Z