Introduction

In 2021, we began to investigate an attack on the telecom industry in South Asia. During the investigation, we discovered QSC: a multi-plugin malware framework that loads and runs plugins (modules) in memory. The framework includes a Loader, a Core module, a Network module, a Command Shell module and a File Manager module. It is dropped either as a standalone executable or as a payload file along with a loader DLL. In this post, we describe each component of the framework as well as its recent activity including a deployment scenario, an additional backdoor, post-compromise activity and a link to the CloudComputating group.

QSC framework components

The Loader

The Loader implant is a service DLL with the internal name loader.dll. It contains the string "E:projecttestqtbinmoduleloaderx64releaseloader.pdb" as its PDB path. The Loader is configured to either read code from <systemdir>driversmsnet or read 0x100 (256) bytes from n_600s.sys, located in the same directory as the module, to get the file path containing code. If it reads the file path from n_600s.sys, it deletes the file afterwards. The Loader then reads and decompresses code from the provided file path. It reflectively injects the decompressed code into memory and calls the exported method plugin_working. The code injected by the Loader is the Core module, which is described below.

The Core and Network modules

The Core module has an internal name, qscmdll.dll, and exports…
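The Loader's handling of n_600s.sys described above (read the file, then delete it) leaves a short sequence that can be hunted in file-activity telemetry. The following is an added example, not code from the original post: the event field names, the sample records and the 60-second window are assumptions made for illustration.

```python
import ntpath

MARKER = "n_600s.sys"  # file name given in the write-up
WINDOW = 60            # max seconds between read and delete; assumed threshold

# Constructed file-activity records (ts in seconds). The field names are
# hypothetical and must be mapped from the EDR or file-audit source in use.
EVENTS = [
    {"ts": 100, "pid": 812, "action": "read", "path": r"C:\ProgramData\svc\N_600S.SYS"},
    {"ts": 101, "pid": 812, "action": "delete", "path": r"C:\ProgramData\svc\n_600s.sys"},
    {"ts": 200, "pid": 4410, "action": "read", "path": r"D:\share\n_600s.sys"},
    {"ts": 900, "pid": 4410, "action": "delete", "path": r"D:\share\n_600s.sys"},  # too late
    {"ts": 300, "pid": 77, "action": "delete", "path": r"C:\Temp\n_600s.sys"},  # never read
    {"ts": 400, "pid": 90, "action": "read", "path": r"C:\Windows\System32\drivers\null.sys"},
]


def find_read_then_delete(events, window=WINDOW):
    """Return cases where one process read the marker file and then deleted it."""
    pending = {}  # (pid, normalised path) -> timestamp of the last read
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Windows paths are case-insensitive, so compare on the normalised form.
        path = ntpath.normcase(ev["path"])
        if ntpath.basename(path) != MARKER:
            continue
        key = (ev["pid"], path)
        if ev["action"] == "read":
            pending[key] = ev["ts"]
        elif ev["action"] == "delete":
            read_ts = pending.pop(key, None)
            # A delete only counts if the same process read the file shortly before.
            if read_ts is not None and ev["ts"] - read_ts <= window:
                hits.append({"pid": ev["pid"], "path": path,
                             "read_ts": read_ts, "delete_ts": ev["ts"]})
    return hits


if __name__ == "__main__":
    for hit in find_read_then_delete(EVENTS):
        print(hit)
```

A hit is a lead for triage: the next step is to check which service DLL is loaded in the reported process and from which directory.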