• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Uncategorized
  • Threat actors use Quantum Builder to deliver Agent Tesla malware

Threat actors use Quantum Builder to deliver Agent Tesla malware

Pierluigi Paganini September 28, 2022

The recently discovered malware builder Quantum Builder is being used by threat actors to deliver the Agent Tesla RAT.

A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT), Zscaler ThreatLabz researchers warn.

“Quantum Builder (aka “Quantum Lnk Builder”) is used to create malicious shortcut files. It has been linked to the Lazarus Group APT due to shared TTPs and source code overlaps, but we cannot confidently attribute this campaign to any specific threat actor.” reads the report published by Zscaler. “In this campaign, threat actor use Quantum Builder to generate malicious LNK, HTA, and PowerShell payloads which then deliver Agent Tesla on the targeted machines.”

The Quantum Builder (aka “Quantum Lnk Builder”) allows to create malicious shortcut files, it is sold on the dark web. The Quantum Builder also allows to generate malicious HTA, ISO, and PowerShell payloads that are used to drop the next-stage malware.

In the campaign observed by the experts, threat actors used the builder to generate malicious LNK, HTA, and PowerShell payloads which is used to deliver Agent Tesla on the targeted machines.

Experts noticed that this campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to past attacks.

The attack chain observed by ZScaler starts with a spear phishing email which consists of a LNK File bundled as a GZIP Archive. The messages are masqueraded as order confirmation message from a Chinese supplier of lump and rock sugar, with the LNK file concealed as a PDF document.

Quantum Builder message

Upon execution of the LNK File, the embedded PowerShell code spawns MSHTA which then executes an HTA File that is hosted on a remote server. 

The HTA File then decrypts a PowerShell loader script which decrypts and loads another PowerShell script after performing AES Decryption and GZIP Decompression. The decrypted PowerShell script is the Downloader PS Script, which downloads and executes the Agent Tesla binary from a remote server. The malware is executed with administrative privileges by performing a UAC Bypass using the CMSTP. 

Quantum Builder

Below are the Key Features of this attack:

  • The threat actors are evolving their tactics by incorporating new infection chains for delivering Agent Tesla on target machines by leveraging the LNK and HTA payloads generated by a builder dubbed “Quantum Builder”
  • The Quantum Builder is a builder sold in the cybercrime marketplace and is capable of generating LNK, HTA, and ISO payloads consisting of sophisticated techniques to download and execute the final payload with a Multi-Staged attack Chain.
  • The In-memory PowerShell scripts decrypted by Quantum Builder-generated HTA file perform User Account Control (UAC) Bypass via CMSTP in order to execute the final payload (Agent Tesla) with Administrative rights. UAC Bypass is also used to perform Windows Defender exclusions on the endpoint system.
  • Utilizes Living Off the Land Binaries (LOLBins) to evade detections and camouflage the malicious activity.
  • Incorporates techniques like Decoys, UAC Prompts and In-memory PowerShell to execute the final payload. These Techniques are regularly updated by the Developers of the Quantum Builder. 

In a second variant of the infection sequence, the GZIP archive is replaced by a ZIP file, while also adopting further obfuscation strategies to camouflage the malicious activity.

Quantum Builder has witnessed a surge in usage in recent months, with threat actors using it to distribute a variety of malware, such as RedLine Stealer, IcedID, GuLoader, RemcosRAT, and AsyncRAT.

“Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations.” concludes the report. “It incorporates sophisticated techniques to evade detections, and the techniques are updated regularly by the developers. “

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Agent Tesla)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Agent Tesla RAT Hacking malware Quantum Builder

you might also like

Pierluigi Paganini July 11, 2025
Athlete or Hacker? Russian basketball player accused in U.S. ransomware case
Read more
Pierluigi Paganini July 03, 2025
Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

    Uncategorized / July 11, 2025

    U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 11, 2025

    UK NCA arrested four people over M&S, Co-op cyberattacks

    Cyber Crime / July 10, 2025

    PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

    Hacking / July 10, 2025

    Qantas data breach impacted 5.7 million individuals

    Data Breach / July 10, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT