Qadars banking trojan, active since 2013, is thought to be used by professional Russian cybercriminals. From 2013-2014, it was used in attacks against French and Dutch banks and, from 2015-2016, it was used against Australian, Canadian, American, and Dutch banks. In September 2016, it was observed targeting 18 UK banks in a new infection campaign. Historically, Qadars infected end-points using exploit kits and via botnets using downloader-type malware. The trojan is typically able to infect users through social engineering, even gaining access to accounts that use two-factor authentication. Once the trojan infects an Android mobile device, it can monitor all user activity and hijack text messaging. In addition to targeting bank data, Qadars also targets Facebook users, online sports betting users, and e-commerce. The trojan has continually evolved as the developers have made bug fixes and improvements to the code. One way Qadars infects users is by using social engineering to convince the victim that there was a new Windows security update ready to be installed; however, if the victim continues with the update, it provides Qadar with the administrative rights to the machine.


  • December 2013: Qadars targets the Netherlands and five other countries. (WeLiveSecurity)
  • April 2014: Qadars trojan targets Facebook using webinjects. (Hackread)
  • September 2016: Qadars trojan Targets 18 UK Banks. (ZDNet)

Technical Details

  • IBM’s Security Intelligence provides technical details on the Qadars trojan, here.
Trojan VariantsNJCCICQadars