qt5network.dll

There are executables that allow qt5network.dll to be DLL hijacked.

DLL Hijacking type

DLL Sideloading

DLL Vendor

Last updated

Unknown

Expected Locations

The file qt5network.dll is normally found in the following paths:

%PROGRAMFILES%\LSoft Technologies\Active@ Data Studio
%PROGRAMFILES%\LSoft Technologies\Active@ File Recovery
%PROGRAMFILES%\LSoft Technologies\Active@ Disk Editor
%PROGRAMFILES%\LSoft Technologies\Active@ Password Changer
%PROGRAMFILES%\LSoft Technologies\Active@ ISO Manager
%PROGRAMFILES%\LSoft Technologies\Active@ UNERASER
%PROGRAMFILES%\LSoft Technologies\Active@ KillDisk 25
%PROGRAMFILES%\LSoft Technologies\Active@ UNDELETE
%PROGRAMFILES%\LSoft Technologies\Active@ Disk Monitor
%PROGRAMFILES%\LSoft Technologies\Active@ Partition Manager

Resources

Acknowledgements

Thanks to Micah Babinski and Jai Minton of Huntress (@CyberRaiju).

Vulnerable Executables

DLL Sideloading (1 EXE)

By copying (and optionally renaming) any of the following vulnerable applications to a user-writeable folder, alongside a malicious qt5network.dll, arbitrary code can be executed through it.

%PROGRAMFILES%\LSoft Technologies\Active@ Password Changer\PasswordChanger.exe

Detection

Below a sample Sigma rule that will find processes that loaded qt5network.dll located in a folder that is not one of the expected locations (see above).

title: Possible DLL Hijacking of qt5network.dll
id: 9190191b-7904-48a3-3158-5b9ff8134247
status: experimental
description: Detects possible DLL hijacking of qt5network.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/qt/qt5network.html
author: "Jai Minton"
date: 2025-05-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\qt5network.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\LSoft Technologies\Active@ Data Studio\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Data Studio\\*'
            - 'c:\program files\LSoft Technologies\Active@ File Recovery\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ File Recovery\\*'
            - 'c:\program files\LSoft Technologies\Active@ Disk Editor\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Disk Editor\\*'
            - 'c:\program files\LSoft Technologies\Active@ Password Changer\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Password Changer\\*'
            - 'c:\program files\LSoft Technologies\Active@ ISO Manager\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ ISO Manager\\*'
            - 'c:\program files\LSoft Technologies\Active@ UNERASER\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ UNERASER\\*'
            - 'c:\program files\LSoft Technologies\Active@ KillDisk 25\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ KillDisk 25\\*'
            - 'c:\program files\LSoft Technologies\Active@ UNDELETE\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ UNDELETE\\*'
            - 'c:\program files\LSoft Technologies\Active@ Disk Monitor\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Disk Monitor\\*'
            - 'c:\program files\LSoft Technologies\Active@ Partition Manager\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Partition Manager\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

title: Possible preparation for qt5network.dll DLL Hijacking
id: 9190192b-7904-48a3-3158-5b9ff8134247
status: experimental
description: Detects possible DLL hijacking of qt5network.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/qt/qt5network.html
author: "Jai Minton"
date: 2025-05-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\qt5network.dll'
    filter:
        TargetFileName:
            - 'c:\program files\LSoft Technologies\Active@ Data Studio\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Data Studio\\*'
            - 'c:\program files\LSoft Technologies\Active@ File Recovery\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ File Recovery\\*'
            - 'c:\program files\LSoft Technologies\Active@ Disk Editor\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Disk Editor\\*'
            - 'c:\program files\LSoft Technologies\Active@ Password Changer\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Password Changer\\*'
            - 'c:\program files\LSoft Technologies\Active@ ISO Manager\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ ISO Manager\\*'
            - 'c:\program files\LSoft Technologies\Active@ UNERASER\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ UNERASER\\*'
            - 'c:\program files\LSoft Technologies\Active@ KillDisk 25\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ KillDisk 25\\*'
            - 'c:\program files\LSoft Technologies\Active@ UNDELETE\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ UNDELETE\\*'
            - 'c:\program files\LSoft Technologies\Active@ Disk Monitor\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Disk Monitor\\*'
            - 'c:\program files\LSoft Technologies\Active@ Partition Manager\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Partition Manager\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

title: Possibly malicious versions of qt5network.dll
id: 9190193b-7904-48a3-3158-5b9ff8134247
status: experimental
description: Detects possible DLL hijacking of qt5network.dll by looking for versions not meeting the known signature data.
references:
    - https://hijacklibs.net/entries/3rd_party/qt/qt5network.html
author: "Jai Minton"
date: 2025-05-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\qt5network.dll'
    filter:
        ImageLoaded:
            - Signed: 'true'
            - SignatureStatus: 'signed'
            - Signature|contains:
                - 'CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

Note that this rule is also included in the Detection Content Feeds that comprise all DLL Hijacking entries part of HijackLibs.

FAQs

Why should I care about this?

DLL Hijacking enables the execution of malicious code through a signed and/or trusted executable. Defensive measures such as AV and EDR solutions may not pick up on this activity out of the box, and allow-list applications such as AppLocker may not block the execution of the untrusted code. There are numerous examples of threat actors that have been observed to leaverage DLL Hijacking to achieve their objectives. As such, this project wants to encourage you to monitor for unusual activity involving qt5network.dll.

How do I abuse this vulnerability?

As a red teamer, you will have to compile your own version of qt5network.dll. There are various guides on how this can be achieved.

How could the vendor have prevented this vulnerability?

Most DLL Hijacking vulnerabilities are introduced by the 'lazy' loading of DLL files, which relies on Windows' default DLL search order. Explicitly specifying where a required DLL is located is easy and often already helps a lot. This doesn't have to hurt portability if Windows API calls are used to obtain paths, e.g. GetSystemDirectory to get the path of the System32 folder. Even better is to check the signature of required DLLs prior to loading them; most platforms, frameworks and/or runtimes offer means to verify DLL signatures with minimal performance impact.

This DLL Hijack doesn't seem to work (anymore), why is it still included?

Luckily, vendors regularly patch vulnerable applications in order to prevent DLL Hijacking from taking place. Nevertheless, older versions will remain vulnerable; for that reason, the entry won't be deleted from this project. To help others, you may want to open a pull request updating the 'precondition' tag on this entry to make the community aware of the reduced scope.

Homepage | API | Contributors