Published March 12, 2026

Not BruteRatel: MalwareBazaar's Misclassified Sample Is a Weaponized Korean Remote Support Tool With a 727-Export Trojanized GDI32.dll

Threat actor: Unknown | Assessment: South Korean actor (HIGH confidence)
Tags: #rat #dll-sideloading #c2 #apt

TL;DR: A MalwareBazaar sample tagged as BruteRatel C4 is not BruteRatel. Static analysis and SFX archive extraction reveal it is a Delphi SFX installer that deploys NQVM/NetSupport Manager -- a legitimate Korean remote support tool -- weaponized for stealth remote access with full filesystem control, webcam capture, and input logging. The operator registered with a Korean Naver email (10V2J@NAVER[.]COM) embedded directly in the RAT configuration, routes all traffic through relay servers on South Korean ISP infrastructure (LG DACOM), and uses a trojanized GDI32.dll with 727 proxy exports for DLL sideloading. Every IOC extracted from this sample -- C2 domains, file hashes, operator credentials -- is absent from ThreatFox, VirusTotal intelligence, and public reporting. This is entirely original research.


The Misclassification Problem

MalwareBazaar classifies sample fb91de5a3ce80ac51fded1719dc72c6c71acadc65ada3262e7bc74dac41cd65a as BruteRatel C4 -- a well-known adversary simulation framework. That classification is wrong. What follows is the actual kill chain.

The sample is a 7.8 MB PE32 executable compiled with Borland Delphi, structured as a self-extracting archive containing 57 files. BruteRatel badgers are not Delphi SFX installers. They do not contain Korean-language resource strings. They do not ship with legitimately code-signed remote support software from Ulsan, South Korea.

Aspect                | MalwareBazaar Classification | Actual Findings
----------------------|------------------------------|--------------------------------------------------
Malware family        | BruteRatel C4                | NQVM/NetSupport Manager RAT
Sample type           | EXE (BRc4 badger)            | Delphi SFX installer (57 embedded files)
C2 infrastructure     | Unknown                      | inqvm[.]com:80 (KR), nqvm[.]com:10042 (AWS Seoul)
Operator identity     | Unknown                      | 10V2J@NAVER[.]COM (Korean email)
Attribution           | Unknown                      | South Korean actor (HIGH confidence)
ThreatFox/VT coverage | None                         | None -- entirely new IOCs
Code signing          | Unknown                      | Legitimately signed by NTS (Ulsan, South Korea)
DLL sideloading       | Unknown                      | Trojanized GDI32.dll with 727 proxy exports

The SFX Installer and Attack Chain

The dropper is a Delphi-compiled self-extracting archive with a fabricated PE timestamp (0x2a425e19, resolving to 1992-06-19 -- an obvious anti-forensics measure). Both ASLR and DEP are disabled. No PDB path, no Rich header. The 8-section layout (CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc) is consistent with standard Borland Delphi compilation.

Property  | Value
----------|------------------------------------------------------------------
SHA-256   | fb91de5a3ce80ac51fded1719dc72c6c71acadc65ada3262e7bc74dac41cd65a
MD5       | 04f1eb0ebaf71f827da7b1c4656960ad
SHA-1     | 4e8466ed384dec05aa8f524eab12aa5b723ae919
Size      | 7,797,127 bytes (7.8 MB)
Compiler  | Delphi (Borland)
Imphash   | ad1a33bd97238a4adf5548ab2780abe1
Timestamp | 0x2a425e19 (1992-06-19 -- FABRICATED)
ASLR/DEP  | Disabled / Disabled

When executed, the SFX extracts 57 files to %ProgramFiles(x86)%\ and launches the full NQVM remote support deployment:

Delivery (Unknown vector)
    |
    v
Delphi SFX Installer (fb91de...5a)
    | Extracts to %ProgramFiles(x86)%\
    v
57 Files Deployed
    |-- NQVM_RTM.exe    (Main RAT, code-signed by NTS)
    |-- NQVM_Runner.exe (Privilege escalation, process launch)
    |-- nts001.tmp      (Trojanized GDI32.dll, 727 exports)
    |-- NQHOOK.dll      (Input hooking)
    |-- NQHOOKEX.dll    (Extended input hooking)
    |-- Configuration files (INI, LIC, BIN)
    v
C2 Connection via Relay
    |-- inqvm[.]com:80  (Primary relay, LG DACOM, Korea)
    |-- inqvm[.]net:80  (Backup relay, DEAD)
    v
Remote Access Capabilities
    |-- Full desktop control (port 8888)
    |-- File transfer (port 8889, drives C:-K: with write access)
    |-- Audio/video capture (port 8887, webcam + microphone)
    |-- Input logging (NQHOOK.dll / NQHOOKEX.dll)
    |-- Auto-upgrade (nqvm[.]com:10042)

The Trojanized GDI32.dll: 727 Proxy Exports

The most technically interesting component is nts001.tmp -- a trojanized Windows GDI32.dll used for DLL sideloading. This is not a partial stub. It reimplements all 727 exports of the legitimate GDI32.dll.

Key characteristics:

  • 727 exports, 0 forwarded -- every function points to a custom implementation, not a simple forwarder to the real GDI32
  • PDB path: wgdi32.pdb -- the "w" prefix likely stands for "wrapped," confirming the proxy nature
  • Imphash: d0064bcb735e35414a2b094954ef12c7
  • Ntdll imports: NtSecureConnectPort, NtRegisterThreadTerminatePort, NtRequestWaitReplyPort -- IPC primitives for inter-process communication with the RAT
  • Device reference: \\.\DISPLAY -- consistent with screen capture and remote desktop functionality

The sideloading mechanism is straightforward: nts001.tmp is placed in the same directory as NQVM_RTM.exe. When the RAT loads, Windows DLL search order resolves the local trojanized GDI32.dll before the system copy in System32, giving the attacker screen capture and display manipulation capabilities without modifying system DLLs.

File            | SHA-256                                                          | Size    | Purpose
----------------|------------------------------------------------------------------|---------|-----------------------------------
nts001.tmp      | ea3bd7fec193a8cfe1d5736301acadc476fb6aac5475a45776d0a638e9845445 | 311 KB  | Trojanized GDI32.dll (727 exports)
NQVM_RTM.exe    | d5a71c02718887238ccf2d64bd51c78fd2d1e3d07d30fc112dcfe47ebd1f38d6 | 3.67 MB | Main RAT binary (code-signed)
NQVM_Runner.exe | 2836383c2ed7ee1afec63a59e89572f90e48a3ea4a7c44d297ef782b9e09eba4 | 303 KB  | Privilege escalation launcher
NQHOOK.dll      | ddf2f0e464c7edc7eadced02811888c53344ac2dffac9f1c63003a16e98bba75 | 80 KB   | Input/keyboard hook
NQHOOKEX.dll    | ad92b09781dbd1e2c427a2c6288aa2438baa3eeacb16ebad9f85fd75e96fe589 | 43 KB   | Extended input hook
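The "727 exports, 0 forwarded" observation is the property a triage analyst should be able to verify on any suspect DLL: the PE rule is that an export is a forwarder exactly when its address points back inside the export directory (at a "DLL.Function" string), so a DLL that re-exports a system DLL's API surface with no forwarders is reimplementing it locally. The following is an added example written for this post, not code from the author or from NTS: a dependency-free export-table parser, a check for the non-forwarding-proxy pattern, and a constructed minimal PE32 DLL to run it against. The GDI32_REFERENCE set is a handful of real GDI32 export names standing in for the full 727; the "wgdi32" strings and the sample DLL layout are constructed to mirror the post's description and are not taken from nts001.tmp.

```python
"""Count forwarded vs. locally implemented exports of a PE DLL.

Added example, not code from the original post. build_sample_dll() is a
constructed test input; nothing here is taken from the analysed sample.
"""
import re
import struct

SEC_VA, SEC_RAW = 0x1000, 0x200   # section layout of the constructed sample DLL
# A handful of real GDI32 export names used as a reference set (not the full 727).
GDI32_REFERENCE = {"BitBlt", "CreateCompatibleDC", "CreateDCW", "DeleteDC",
                   "GetPixel", "SelectObject", "SetPixel"}


def _rva_to_offset(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def export_summary(data):
    """Walk the export directory. A forwarder is an export whose address lies
    inside the export directory itself (it points at a 'DLL.Func' string)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # data directory 0 = exports; PE32 puts the directories at +0x60, PE32+ at +0x70
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (0x60 if magic == 0x10B else 0x70))
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    pdb_paths = [m.decode() for m in re.findall(rb"[\x20-\x7e]{1,200}?\.pdb", data)]
    if exp_rva == 0:
        return {"dll_name": None, "total": 0, "forwarded": 0, "names": [], "pdb_paths": pdb_paths}
    e = _rva_to_offset(sections, exp_rva)
    name_rva, _base, n_funcs, n_names, aof, aon, _aono = struct.unpack_from("<IIIIIII", data, e + 12)
    funcs = struct.unpack_from("<%dI" % n_funcs, data, _rva_to_offset(sections, aof))
    name_rvas = struct.unpack_from("<%dI" % n_names, data, _rva_to_offset(sections, aon))
    return {
        "dll_name": _cstr(data, _rva_to_offset(sections, name_rva)),
        "total": n_funcs,
        "forwarded": sum(1 for f in funcs if exp_rva <= f < exp_rva + exp_size),
        "names": [_cstr(data, _rva_to_offset(sections, r)) for r in name_rvas],
        "pdb_paths": pdb_paths,
    }


def is_nonforwarding_proxy(summary, reference_names, min_overlap=3):
    """True when the DLL re-exports a system DLL's API names but forwards none of them,
    i.e. every export resolves to code inside the DLL, as described for nts001.tmp."""
    overlap = len(set(summary["names"]) & set(reference_names))
    return summary["total"] > 0 and summary["forwarded"] == 0 and overlap >= min_overlap


def build_sample_dll(exports, pdb=b"wgdi32.pdb"):
    """Constructed PE32 DLL exporting `exports`, a list of (name, forwarder-or-None)."""
    n = len(exports)
    aof, aon, aono = 40, 40 + 4 * n, 40 + 8 * n
    body = bytearray(aono + 2 * n)          # export directory + three tables

    def add_str(s):
        rva = SEC_VA + len(body)
        body.extend(s.encode() + b"\0")
        return rva

    dll_name_rva = add_str("wgdi32.dll")
    name_rvas = [add_str(name) for name, _ in exports]
    fwd = {i: add_str(f) for i, (_, f) in enumerate(exports) if f}
    exp_size = len(body)                    # export directory ends after its strings
    func_rvas = []
    for i in range(n):
        if i in fwd:
            func_rvas.append(fwd[i])        # forwarder: points inside the directory
        else:
            func_rvas.append(SEC_VA + len(body))
            body.extend(b"\xC3" * 4)        # stub 'code' outside the directory
    body.extend(b"\0" + pdb + b"\0")        # fake debug string, like the post's wgdi32.pdb
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, dll_name_rva, 1, n, n,
                     SEC_VA + aof, SEC_VA + aon, SEC_VA + aono)
    struct.pack_into("<%dI" % n, body, aof, *func_rvas)
    struct.pack_into("<%dI" % n, body, aon, *name_rvas)
    struct.pack_into("<%dH" % n, body, aono, *range(n))
    hdr = bytearray(SEC_RAW)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<II", hdr, opt + 0x60, SEC_VA, exp_size)  # export data directory
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), SEC_VA, len(body), SEC_RAW)
    return bytes(hdr) + bytes(body)
```

Running export_summary() on a real on-disk DLL is just `export_summary(open(path, "rb").read())`; the interesting comparison for a sideloading case is the forwarded count against the total, plus whether the export names overlap a known system DLL while the DLL's own name and PDB string do not match it. A legitimate API-set shim or compatibility wrapper does forward most of its surface, which is why a zero-forwarder reimplementation of a system DLL stands out.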

Legitimate Code Signing: Trusted by Default

The main RAT binary (NQVM_RTM.exe) carries a legitimate code signing certificate from NTS, the South Korean company that develops NQVM:

Subject: C=KR, ST=Ulsan, L=Buk-gu, O=NTS,
         OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=NTS
Issuer:  VeriSign Class 3 Code Signing 2010 CA
Valid:   From Mar 26, 2012

This is not a stolen or forged certificate. The binary is the genuine NQVM remote support software, unmodified, deployed with a malicious configuration. From Windows' perspective, it is legitimately signed software from a real South Korean company -- it passes Authenticode verification, SmartScreen, and most application whitelisting policies. The attacker did not need to steal a certificate because the software itself is legitimate. The weaponization is entirely in the configuration.

RAT Configuration: Full Stealth, Full Access

The extracted configuration files reveal the operator's intent -- maximum access with zero visibility to the victim.

Relay Server Configuration (NQNMSRV.INI):

USE RELAY SERVER = 1
RELAY SERVER NAME = inqvm[.]com;inqvm[.]net
PORT = 80
LOGIN USER NAME = 10V2J@NAVER[.]COM
LOGIN PASSWORD = 9de9ea1194bdd1d9580d39205ecd582f
HTTP = 0
AUTO = 1

Stealth Settings (Server Config):

SHOW CONNECT INFO = 0          # No connection notification to victim
FILE SERVICE SECURITY USER ACCEPT = 0  # No file access prompt

Access Configuration:

  • Control port: 8888 (TCP) -- full desktop
  • File manager port: 8889 -- all drives C: through K: with write access
  • Audio/video port: 8887 -- webcam and microphone capture
  • Data compression: level 6
  • Connection limit: 10 simultaneous sessions

Persistence (NQVMINST.INI):

SERVER INSTALL = 1
SERVER AUTO START = 1    # Survives reboot
CLIENT INSTALL = 0       # Server-only (no GUI for victim)
OVERWRITE SETUP = 1
DISABLE AERO = 1
REMOVE WALLPAPER = 1

The configuration tells the whole story: silent installation, automatic startup, no user interface on the victim machine, all drives shared with write access, webcam enabled, audio capture enabled. This is a legitimate remote support tool configured as a full-featured surveillance platform.
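Because the weaponization lives entirely in configuration, the quickest triage check for a recovered NQVM deployment is to parse the INI files and score the stealth, persistence and relay settings quoted above. The block below is an added example for this post, not the author's tooling: a small "KEY = VALUE" parser and a triage function keyed on the setting names shown in the write-up. The sample configuration text, the relay host names, the operator address and the vendor-relay allowlist are all constructed for illustration; only the setting names come from the page.

```python
"""Triage NQVM-style INI configuration for weaponization indicators.

Added example, not from the original post. Setting names mirror the
NQNMSRV.INI / NQVMINST.INI keys quoted in the write-up; all values below
are constructed sample data.
"""
import re

# (setting, value that indicates stealth/persistence, what it means)
SUSPICIOUS_SETTINGS = [
    ("SHOW CONNECT INFO", "0", "victim receives no connection notification"),
    ("FILE SERVICE SECURITY USER ACCEPT", "0", "file access without a user prompt"),
    ("SERVER AUTO START", "1", "service persists across reboot"),
    ("CLIENT INSTALL", "0", "server-only install, no GUI on the victim"),
    ("USE RELAY SERVER", "1", "traffic routed through an external relay"),
]


def parse_ini_settings(text):
    """Parse 'KEY = VALUE' lines (optional '# comment' tails) into a dict.
    Section headers and blank lines are skipped; keys are upper-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def triage_config(text, vendor_relay_hosts=()):
    """Return human-readable findings for one or more concatenated INI files."""
    s = parse_ini_settings(text)
    findings = [f"{key} = {bad}: {why}" for key, bad, why in SUSPICIOUS_SETTINGS
                if s.get(key) == bad]
    allowed = {h.lower() for h in vendor_relay_hosts}
    for host in filter(None, s.get("RELAY SERVER NAME", "").split(";")):
        if host.strip().lower() not in allowed:
            findings.append(f"relay host {host.strip()} is not a known vendor relay")
    user = s.get("LOGIN USER NAME", "")
    if "@" in user:
        findings.append(f"operator account {user} embedded in config")
    if re.fullmatch(r"[0-9a-fA-F]{32}", s.get("LOGIN PASSWORD", "")):
        findings.append("LOGIN PASSWORD stored as a 32-hex digest (MD5-length, unsalted)")
    return findings


# Constructed sample: same keys as the post's NQNMSRV.INI and NQVMINST.INI,
# with placeholder hosts, account and digest.
SAMPLE_CONFIG = """\
USE RELAY SERVER = 1
RELAY SERVER NAME = relay-a.example;relay-b.example
PORT = 80
LOGIN USER NAME = operator@example.com
LOGIN PASSWORD = 0123456789abcdef0123456789abcdef
SHOW CONNECT INFO = 0          # No connection notification to victim
FILE SERVICE SECURITY USER ACCEPT = 0
SERVER INSTALL = 1
SERVER AUTO START = 1
CLIENT INSTALL = 0
"""

# Constructed benign counterpart: user sees the session, no relay, no embedded account.
BENIGN_CONFIG = """\
USE RELAY SERVER = 0
SHOW CONNECT INFO = 1
FILE SERVICE SECURITY USER ACCEPT = 1
SERVER AUTO START = 0
CLIENT INSTALL = 1
"""

if __name__ == "__main__":
    for line in triage_config(SAMPLE_CONFIG, vendor_relay_hosts=["support-relay.example"]):
        print("-", line)
```

The vendor allowlist is the one judgement call: a genuine support deployment might also use a relay, so the finding that matters is a relay the organization's own remote-support vendor does not operate, combined with the stealth flags.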

Infrastructure: All Roads Lead to South Korea

Every piece of infrastructure resolves to South Korean providers.

Network Infrastructure

IP             | ASN/Provider               | Country | Ports                            | Purpose                         | Status
---------------|----------------------------|---------|----------------------------------|---------------------------------|--------
112.216.147.68 | LG DACOM (BORANET)         | KR      | 80                               | C2 relay (inqvm[.]com)          | LIVE
3.37.49.225    | AWS ap-northeast-2 (Seoul) | KR      | 80, 443                          | Vendor web/updates (nqvm[.]com) | LIVE
218.147.39.240 | KT Corp (KORNET)           | KR      | 443, 1521, 5357, 5985, 7777, 8889 | GitLab/Dev (gitlab.nqvm[.]com) | LIVE
112.220.65.101 | LG DACOM                   | KR      | Unknown                          | HRCS (hrcs.nqvm[.]com)          | UNKNOWN

Domain Infrastructure

Domain      | Registrar       | Created    | Purpose
------------|-----------------|------------|-----------------------------------
inqvm[.]com | Doregi.com (KR) | 2007-12-08 | C2 relay server
inqvm[.]net | N/A             | N/A        | Backup relay (DEAD, unregistered)
nqvm[.]com  | Doregi.com (KR) | 2005-09-20 | Vendor website and updates

Both domains are registered through Doregi.com, a Korean domain registrar operated by HANGANG Systems. The C2 relay domain inqvm[.]com has been registered since 2007 -- this is not throwaway infrastructure.

Certificate Transparency: Deeper Infrastructure

CT log enumeration on nqvm[.]com reveals additional subdomains indicating a full organizational footprint:

Subdomain          | IP             | Certificate       | Purpose
-------------------|----------------|-------------------|--------------------------
gitlab.nqvm[.]com  | 218.147.39.240 | Let's Encrypt R12 | Source code repository
hrcs.nqvm[.]com    | 112.220.65.101 | Let's Encrypt R12 | HR/CRM system
lb.nqvm[.]com      | Unknown        | Let's Encrypt     | Load balancer
samoo.nqvm[.]com   | Unknown        | Let's Encrypt     | Unknown

The GitLab instance at 218.147.39.240 has port 8889 open -- the same port used by the NQVM file manager service. This server appears to serve double duty as both a development environment and an operational file transfer endpoint.

Hosting Hierarchy:

LG DACOM/LG U+ (AS3786) -- BORANET, South Korea
    |-- 112.216.147.68  (inqvm.com relay)
    |-- 112.220.65.101  (hrcs.nqvm.com)

KT Corporation (AS4766) -- KORNET, South Korea
    |-- 218.147.39.240  (gitlab.nqvm.com, port 8889 open)

Amazon Web Services (ap-northeast-2, Seoul)
    |-- 3.37.49.225     (www.nqvm.com)

Operator OPSEC Failure

The operator embedded their real Naver email address (10V2J@NAVER[.]COM) in the relay server configuration file that ships with every deployed instance of the RAT. Naver is South Korea's dominant web portal -- the Korean equivalent of Google. This is a significant OPSEC failure: every victim machine contains the operator's login credentials for the relay infrastructure.

The password hash (9de9ea1194bdd1d9580d39205ecd582f) is unsalted MD5, potentially crackable with modern GPU hardware. The same credentials appear in both the server configuration (NQNMSRV.INI) and user configuration (NQNMUSR.INI), indicating a single operator account.

Attribution Evidence

Evidence                 | Confidence | Details
-------------------------|------------|------------------------------------------------------
Operator email           | HIGH       | 10V2J@NAVER[.]COM -- Naver is Korea's largest web portal
Code signing certificate | HIGH       | NTS, Ulsan, Buk-gu, South Korea
All infrastructure IPs   | HIGH       | Every IP resolves to South Korean providers
NQVM vendor              | HIGH       | NTS is a South Korean company based in Ulsan
Domain registrar         | MEDIUM     | Doregi.com -- Korean domain registrar
Resource language ID     | MEDIUM     | 1042 = Korean (ko-KR)
NQLANG.INI default       | MEDIUM     | Korean listed first as language #0
Desktop path strings     | MEDIUM     | NQVM_DSVR contains Korean characters in directory path

Attribution assessment: South Korean threat actor, HIGH confidence. Motivation is unclear -- the tooling and configuration are consistent with either cybercrime (remote access for fraud) or corporate espionage (surveillance and data exfiltration). The sophistication level is intermediate: the operator is using a legitimate commercial tool rather than custom malware, but the DLL sideloading technique and stealth configuration show deliberate tradecraft.

MITRE ATT&CK Mapping

Tactic               | Technique                             | ID        | Implementation
---------------------|---------------------------------------|-----------|----------------------------------------------------------------
Execution            | User Execution                        | T1204     | SFX installer requires victim to run executable
Persistence          | Boot or Logon Autostart Execution     | T1547     | SERVER AUTO START = 1 in NQVMINST.INI
Privilege Escalation | Access Token Manipulation             | T1134     | NQVM_Runner.exe imports AdjustTokenPrivileges, DuplicateTokenEx
Defense Evasion      | DLL Side-Loading                      | T1574.002 | Trojanized GDI32.dll (nts001.tmp) with 727 proxy exports
Defense Evasion      | Masquerading                          | T1036.005 | Installs to %ProgramFiles(x86)%, appears as legitimate software
Defense Evasion      | Subvert Trust Controls: Code Signing  | T1553.002 | Legitimate NTS code signing certificate (VeriSign-issued)
Credential Access    | Input Capture                         | T1056     | NQHOOK.dll and NQHOOKEX.dll for keyboard/input hooking
Discovery            | System Information Discovery          | T1082     | Full system access via remote desktop session
Collection           | Screen Capture                        | T1113     | Full desktop control via NQVM (port 8888)
Collection           | Audio Capture                         | T1123     | Audio capture enabled (port 8887)
Collection           | Video Capture                         | T1125     | Webcam capture enabled
Collection           | Data from Local System                | T1005     | All drives C:-K: shared with write access
Command and Control  | Remote Access Software                | T1219     | Abuse of legitimate NQVM/NetSupport Manager
Command and Control  | Proxy: External Proxy                 | T1090.002 | Traffic routed through relay server (inqvm[.]com:80)
Exfiltration         | Exfiltration Over C2 Channel          | T1041     | File transfer via NetSupport file manager (port 8889)

Indicators of Compromise

Network Indicators

# C2 Relay Domains
inqvm[.]com
inqvm[.]net

# Vendor/Update Domains
nqvm[.]com
www[.]nqvm[.]com
gitlab[.]nqvm[.]com
hrcs[.]nqvm[.]com

# C2 IP Addresses
112.216.147.68   # C2 relay -- inqvm[.]com (LG DACOM, KR)
3.37.49.225      # Vendor web -- nqvm[.]com (AWS Seoul)
218.147.39.240   # GitLab -- gitlab.nqvm[.]com (KT Corp, KR)
112.220.65.101   # HRCS -- hrcs.nqvm[.]com (LG DACOM, KR)

# Ports
80     # C2 relay
8887   # Audio/video capture
8888   # Remote desktop control
8889   # File manager
10042  # Auto-upgrade channel
55031  # PFPORT custom
35101  # PFPORT custom
13005  # PFPORT custom

File Indicators

# SFX Dropper
SHA256: fb91de5a3ce80ac51fded1719dc72c6c71acadc65ada3262e7bc74dac41cd65a
MD5:    04f1eb0ebaf71f827da7b1c4656960ad
SHA1:   4e8466ed384dec05aa8f524eab12aa5b723ae919

# Main RAT Binary (NQVM_RTM.exe)
SHA256: d5a71c02718887238ccf2d64bd51c78fd2d1e3d07d30fc112dcfe47ebd1f38d6
MD5:    643e19b200c9c15466623ae156608fca

# RAT Runner (NQVM_Runner.exe)
SHA256: 2836383c2ed7ee1afec63a59e89572f90e48a3ea4a7c44d297ef782b9e09eba4
MD5:    d44e4c5a6a0e1f2002e702ac98636efb

# Trojanized GDI32.dll (nts001.tmp)
SHA256: ea3bd7fec193a8cfe1d5736301acadc476fb6aac5475a45776d0a638e9845445
MD5:    d6d3ad7bf1d6f6ce9547613ed5e170a2

# Input Hook DLLs
SHA256: ddf2f0e464c7edc7eadced02811888c53344ac2dffac9f1c63003a16e98bba75  (NQHOOK.dll)
SHA256: ad92b09781dbd1e2c427a2c6288aa2438baa3eeacb16ebad9f85fd75e96fe589  (NQHOOKEX.dll)

Behavioral Indicators

# Imphashes
ad1a33bd97238a4adf5548ab2780abe1  # SFX dropper
fd9fbe982734fd4ee29b8b9ff284db11  # NQVM_RTM.exe
138422b031539c86183a1ce775700759  # NQVM_Runner.exe
d0064bcb735e35414a2b094954ef12c7  # nts001.tmp (GDI32 proxy)

# Operator Credentials (embedded in config)
Email:        10V2J@NAVER[.]COM
Password MD5: 9de9ea1194bdd1d9580d39205ecd582f
Auth SHA256:  24f153a5ded473fb4635d14b53edb457b8bc45f99fb57144e913b706f0ecc3dd

# Version Info Strings
CompanyName:      NTS(www.nqvm.com)
ProductName:      NQVM
FileVersion:      2.2.0.8
OriginalFilename: NQVM_RTM.EXE

Detection Opportunities

YARA Rules

rule NQVM_Weaponized_SFX_Installer {
    meta:
        description = "Detects weaponized NQVM/NetSupport Manager SFX installer"
        author = "Breakglass Intelligence"
        date = "2026-03-10"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        $nqvm1 = "NQVM_RTM" ascii wide
        $nqvm2 = "NQVM_Runner" ascii wide
        $nqvm3 = "NQHOOK" ascii wide
        $nqvm4 = "nts001.tmp" ascii wide
        $cfg1 = "RELAY SERVER NAME" ascii
        $cfg2 = "NAVER.COM" ascii nocase
        $cfg3 = "NQNMSRV" ascii
        $delphi = "Borland" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize > 5MB and
        $delphi and
        2 of ($nqvm*) and
        1 of ($cfg*)
}

rule NQVM_Trojanized_GDI32_Proxy {
    meta:
        description = "Detects trojanized GDI32.dll proxy used by weaponized NQVM"
        author = "Breakglass Intelligence"
        date = "2026-03-10"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        $pdb = "wgdi32.pdb" ascii
        $nt1 = "NtSecureConnectPort" ascii
        $nt2 = "NtRegisterThreadTerminatePort" ascii
        $nt3 = "NtRequestWaitReplyPort" ascii
        $display = "\\\\.\\DISPLAY" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        $pdb and
        2 of ($nt*) and
        $display
}

rule NQVM_RAT_Config_INI {
    meta:
        description = "Detects NQVM RAT configuration files with relay server settings"
        author = "Breakglass Intelligence"
        date = "2026-03-10"
        tlp = "TLP:CLEAR"
        severity = "MEDIUM"
    strings:
        $relay = "USE RELAY SERVER" ascii nocase
        $domain1 = "inqvm" ascii nocase
        $domain2 = "nqvm" ascii nocase
        $login = "LOGIN USER NAME" ascii nocase
        $naver = "NAVER.COM" ascii nocase
    condition:
        2 of ($relay, $login, $naver) and
        1 of ($domain*)
}

Snort/Suricata Rules

# NQVM C2 Relay -- inqvm.com traffic on port 80
alert tcp any any -> 112.216.147.68 80 \
  (msg:"NQVM-RAT C2 Relay Connection to inqvm.com"; \
  flow:established,to_server; sid:2026031001; rev:1;)

# NQVM Control Channel -- port 8888
alert tcp any any -> any 8888 \
  (msg:"NQVM-RAT Remote Desktop Control Channel"; \
  flow:established,to_server; \
  content:"NQVM"; \
  sid:2026031002; rev:1;)

# NQVM File Transfer -- port 8889
alert tcp any any -> any 8889 \
  (msg:"NQVM-RAT File Transfer Channel"; \
  flow:established,to_server; \
  sid:2026031003; rev:1;)

# NQVM Auto-Upgrade Channel
alert tcp any any -> 3.37.49.225 10042 \
  (msg:"NQVM-RAT Auto-Upgrade Connection to nqvm.com"; \
  flow:established,to_server; sid:2026031004; rev:1;)

# NQVM Custom Ports (PFPORT.INI)
alert tcp any any -> any [55031,35101,13005] \
  (msg:"NQVM-RAT PFPORT Custom Communication Channel"; \
  flow:established,to_server; sid:2026031005; rev:1;)

Hunting Queries

Endpoint (Sysmon / EDR):

# Process creation -- NQVM binaries
EventID=1 AND (Image CONTAINS "NQVM_RTM" OR Image CONTAINS "NQVM_Runner" OR Image CONTAINS "NQHOOK")

# DLL load -- trojanized GDI32 from non-system directory
EventID=7 AND ImageLoaded CONTAINS "nts001.tmp"

# DLL load -- GDI32 loaded from ProgramFiles instead of System32
EventID=7 AND ImageLoaded CONTAINS "gdi32" AND NOT ImageLoaded CONTAINS "System32"

# File creation -- NQVM config files
EventID=11 AND (TargetFilename CONTAINS "NQNMSRV.INI" OR TargetFilename CONTAINS "PFPORT.INI" OR TargetFilename CONTAINS "NQVMINST.INI")
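The four endpoint hunts above, expressed as runnable detection logic over Sysmon-style events, as an added example that is not part of the original post. The events are constructed dicts using the Sysmon field names the queries reference (EventID, Image, ImageLoaded, TargetFilename), and the NQVM subdirectory in the sample paths is an assumption. One deliberate difference from the page's third query: the allowlist covers SysWOW64 as well as System32, because 32-bit processes on 64-bit Windows legitimately load gdi32.dll from C:\Windows\SysWOW64, and a System32-only exclusion would fire on every one of them.

```python
"""Run the endpoint hunts from the write-up over Sysmon-style events.

Added example, not from the original post. Events are constructed; the
NQVM subdirectory under Program Files (x86) is assumed.
"""

NQVM_PROCESS_MARKERS = ("nqvm_rtm", "nqvm_runner", "nqhook")
NQVM_CONFIG_FILES = {"nqnmsrv.ini", "pfport.ini", "nqvminst.ini"}
# Directories from which a system gdi32.dll load is expected (System32 for
# 64-bit processes, SysWOW64 for 32-bit ones).
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(ev):
    """Return the names of the hunts this single event matches."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:                                   # process creation
        if any(m in ev.get("Image", "").lower() for m in NQVM_PROCESS_MARKERS):
            hits.append("nqvm-process-creation")
    elif eid == 7:                                 # image (DLL) load
        loaded = ev.get("ImageLoaded", "").lower()
        name = _basename(loaded)
        if name == "nts001.tmp":
            hits.append("nts001-dll-load")
        if "gdi32" in name and not loaded.startswith(SYSTEM_DLL_DIRS):
            hits.append("gdi32-outside-system-dirs")
    elif eid == 11:                                # file create
        if _basename(ev.get("TargetFilename", "")) in NQVM_CONFIG_FILES:
            hits.append("nqvm-config-written")
    return hits


def run_hunts(events):
    """Return [(event index, [hit names])] for events matching at least one hunt."""
    results = []
    for i, ev in enumerate(events):
        hits = evaluate_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry (paths and user names are placeholders).
NQVM_DIR = r"C:\Program Files (x86)\NQVM"          # assumed install subdirectory
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": NQVM_DIR + r"\NQVM_RTM.exe"},
    {"EventID": 7, "Image": NQVM_DIR + r"\NQVM_RTM.exe",
     "ImageLoaded": NQVM_DIR + r"\nts001.tmp"},
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\notepad.exe",     # benign 32-bit load
     "ImageLoaded": r"C:\Windows\SysWOW64\gdi32.dll"},
    {"EventID": 7, "Image": r"C:\Users\analyst\app.exe",
     "ImageLoaded": r"C:\Users\analyst\gdi32.dll"},                  # sideloaded copy
    {"EventID": 11, "Image": NQVM_DIR + r"\NQVM_Runner.exe",
     "TargetFilename": NQVM_DIR + r"\NQNMSRV.INI"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},             # benign
]

if __name__ == "__main__":
    for index, hits in run_hunts(SAMPLE_EVENTS):
        print(index, hits)
```

Note that the nts001.tmp case is caught by file name rather than by the gdi32 path rule: the trojanized DLL does not carry the gdi32 name on disk, which is why the page lists both hunts.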

Network (Zeek / Firewall Logs):

# DNS queries to C2 relay domains
dns.query.name IN ("inqvm.com", "inqvm.net", "nqvm.com")

# Connections to known C2 relay IP
dst_ip = "112.216.147.68" AND dst_port = 80

# Connections on NQVM service ports from internal hosts
dst_port IN (8887, 8888, 8889, 10042, 55031, 35101, 13005) AND src_ip IN internal_ranges

Imphash Hunting:

# Search for any binaries matching extracted imphashes
imphash IN (
    "ad1a33bd97238a4adf5548ab2780abe1",
    "fd9fbe982734fd4ee29b8b9ff284db11",
    "138422b031539c86183a1ce775700759",
    "d0064bcb735e35414a2b094954ef12c7"
)

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 57 files extracted from SFX archive. 4 live infrastructure IPs confirmed. All IOCs are net-new -- zero prior public reporting. Classification: TLP:CLEAR
