QakBot
QakBot, also known as Qbot, Pinkslipbot, and QuackBot, is a long-running modular banking trojan active since at least 2007 that evolved into a general-purpose malware delivery platform used by financially motivated actors. The content describes it as one of the most prevalent banking trojans of recent years.
Observed delivery and initial access methods include phishing and malicious attachments; execution occurs when the user opens the attachment. QakBot operators used HTML smuggling extensively throughout 2022 and 2023. Documented chains include malicious HTML attachments that trigger a browser-based download of a password-protected ZIP archive, followed by an IMG/ISO disk image, a mounted virtual drive, and execution of a malicious LNK file that launches hidden scripts or DLLs. The content also notes the use of disk-image containers (ISO, IMG, and VHD/VHDX) to evade defenses, and references Black Basta using QakBot as an initial access loader in November 2022 via hijacked email threads and phishing emails. TA577, described here as a Russia-based threat group, has delivered Qbot in phishing campaigns since 2020.
Capabilities directly mentioned include HTTP and HTTPS command-and-control communications, remote creation of temporary services on target hosts, and identification of the username on a compromised system. In one analyzed infection chain, execution led to reconnaissance activity and suspicious outbound connections from an injected wermgr.exe process. The content also describes Qbot unpacking behavior involving stack strings, dynamic API resolution, VirtualAlloc/VirtualAllocEx usage, byte-wise deobfuscation loops, and a second stage containing additional payload in its resource section encrypted with RC4 and compressed with BLZPack.
QakBot has been used as a malware delivery mechanism for additional tooling and payloads. The content states Qbot was observed delivering Brute Ratel in 2022 and that QBot has been observed distributing Egregor ransomware in some campaigns. It is also referenced as loader infrastructure used by Black Basta. After Operation Duck Hunt dismantled QakBot in 2023, the content notes that other payloads such as DarkGate increased in prominence.
Infrastructure and hunting context in the content include tracking of QakBot C2 servers via Feodo Tracker and use of VirusTotal and ThreatFox as starting points for hunting QBot C2 infrastructure. The content also notes COM/WMI usage in an analyzed Qakbot DLL, specifically CoInitializeSecurity followed by instantiation of IWbemLocator and use of IWbemLocator::ConnectServer.
High-confidence indicators and artifacts mentioned include aliases Qbot/Pinkslipbot/QuackBot; HTML-smuggling sample name SCAN_DT6281.html; a chain of HTML -> password-protected ZIP -> .img disk image -> mounted drive -> LNK -> cmd execution; hidden directory name IncomingPay; LNK target executing C:\Windows\System32\cmd.exe /c IncomingPay\Issues.cmd; observed fixed DLL name stager_1.dll in one comparison context; use of HTTP/HTTPS for C2; and wermgr.exe as the parent process observed during post-execution reconnaissance in one lab analysis.
Vulnerabilities exploited
6 CVEs correlated with this family across public research and vendor advisories.
Black Basta infections began with Qakbot delivered by email and macro-based MS Office documents, ISO+LNK droppers and .docx documents exploiting the MSDTC remote code execution vulnerability, CVE-2022-30190.
These vulnerabilities are designated as CVE-2020-1472 (Zerologon) ... In the Qbot and Zerologon Lead To Full Domain Compromise report we saw ZeroLogon.
IcedID, Qbot, and Gootloader have all been observed making use of Scheduled Tasks ... Process injection was used both by initial access malware like Qbot ... In one of the earliest reports from the year, we observed Qbot continue to steal email inboxes from infected systems for use in later campaigns.
The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices.
Microsoft previously addressed an actively exploited zero-day flaw in DWM in May 2024 (CVE-2024-30051), which was described as a privilege escalation flaw that was abused by multiple threat actors, in connection with the distribution of QakBot and other malware families.
Windows Office Product Spawned Uncommon Process ... CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability ...
Groups observed using it
20 distinct threat actors attributed by public researchers.
TA577 is a Russia-based threat group that has been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.
Since the Emotet takedown, Proofpoint observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks.
The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (4 techniques)
The basic flow is as follows: An attacker sends a phishing email containing a .one file attachment.
MITRE ATT&CK mapping: Initial Access / T1566.001 Spearphishing Attachment (the HTML file)
Execution (7 techniques)
In the Qakbot DLL shown below, CoInitializeSecurity is called before the sample references IID_IWbemLocator, and CoCreateInstance creates an instance of the WMI locator class... the method of interest is ConnectServer.
Qakbot obtains a persistent foothold in the victim environment by setting a scheduled task which references a malicious PowerShell stored in the registry, acting as a listener and loader.
The LNK file target property is interesting: C:\Windows\System32\cmd.exe /c IncomingPay\Issues.cmd
Qakbot obtains a persistent foothold in the victim environment by setting a scheduled task which references a malicious PowerShell stored in the registry... The powershell.exe process continues to communicate with different servers...
The second stage of Qbot is known to contain its further payload in its resource section, and also contain RC4 encryption and BLZPack decompression.
Persistence (2 techniques)
Privilege Escalation (4 techniques)
When an operator connects to the backdoor... a new explorer.exe process is created and a process hollowing is performed to hide malicious activity behind the legitimate process.
Stealth (13 techniques)
It uses password protected zip files to block sandboxing analysis.
In malware, we often see threat actors that tend to obfuscate or encrypt their code in order to slow down the analysis of security researchers... many authors tend to use open-source packers but also craft their own custom packers.
This technique is called Stack-Strings and will appear several times during the Qbot unpacking process.
MITRE ATT&CK mapping: Defense Evasion / T1027.006 HTML Smuggling (payload assembled client-side)
These instructions assign the hex value “47 65 74 50 72 6f 63 41 64 64 72 65 73 73” to the ECX register... This technique is called Stack-Strings... The GetProcAddress string is then used by another function.
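An added analyst helper, not from the page or the research it quotes, that reassembles stack strings such as the GetProcAddress bytes above from raw x86 code. The instruction encodings it matches and the sample byte string are assumptions labelled in the code.

```python
def extract_stack_strings(code: bytes, min_len: int = 4) -> list[str]:
    """Reassemble strings written four bytes at a time by immediate moves.

    Assumed x86 encodings (standard, but the page shows none):
      C7 45 disp8 imm32  ->  mov dword ptr [ebp+disp8], imm32
      B8+r imm32         ->  mov r32, imm32   (B9 = mov ecx, imm32)
    Stores in one run are joined in memory order (by displacement); the run ends
    at the first byte that is neither pattern, e.g. a push or call.
    """
    found, run, i = [], [], 0          # run: (order key, immediate bytes)

    def flush() -> None:
        raw = b"".join(imm for _, imm in sorted(run))
        text = raw.split(b"\x00", 1)[0]            # stop at the C-string terminator
        if len(text) >= min_len and all(0x20 <= b < 0x7F for b in text):
            found.append(text.decode("ascii"))
        run.clear()

    while i < len(code):
        op = code[i]
        if op == 0xC7 and code[i + 1:i + 2] == b"\x45" and i + 7 <= len(code):
            disp = int.from_bytes(code[i + 2:i + 3], "little", signed=True)
            run.append((disp, code[i + 3:i + 7]))   # imm32 bytes are already in memory order
            i += 7
        elif 0xB8 <= op <= 0xBF and i + 5 <= len(code):
            run.append((0x100 + len(run), code[i + 1:i + 5]))  # register moves keep program order
            i += 5
        else:
            if run:
                flush()
            i += 1
    if run:
        flush()
    return found


# Constructed sample (not from the page): the page's bytes for "GetProcAddress" stored
# on the stack, then "LoadLibraryA" loaded into registers, each run ended by a push.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"                  # push ebp; mov ebp, esp
    "C7 45 F0 47 65 74 50"      # mov [ebp-0x10], "GetP"
    "C7 45 F4 72 6F 63 41"      # mov [ebp-0x0C], "rocA"
    "C7 45 F8 64 64 72 65"      # mov [ebp-0x08], "ddre"
    "C7 45 FC 73 73 00 00"      # mov [ebp-0x04], "ss\0\0"
    "8D 45 F0 50"               # lea eax, [ebp-0x10]; push eax
    "B9 4C 6F 61 64"            # mov ecx, "Load"
    "BA 4C 69 62 72"            # mov edx, "Libr"
    "BB 61 72 79 41"            # mov ebx, "aryA"
    "51 C3"                     # push ecx; ret
)

if __name__ == "__main__":
    print(extract_stack_strings(SAMPLE_CODE))   # ['GetProcAddress', 'LoadLibraryA']
```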
At first glance, it seems this loop has characteristics we expect from traditional decryption/encryption routines, such as shr (shift right), xor, and rol (rotate left) opcodes... The loop changes the first bytes of the obfuscated content to “M8Z”, which starts to resemble the classic “MZ” string.
When I hit the eighth sample, however, the fourth rule in the chain did not fire, because the .lnk file called RunDLL32.exe directly, instead of cmd.exe or wscript.exe.
It uses a disk image format called an .iso file to evade the Mark-of-the-Web protection.
Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.
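An added example, not from the page or any vendor, that turns the artifacts above into hunting logic over constructed process and network events: it catches the LNK chain whether the target is cmd.exe or rundll32.exe (the eighth-sample miss above), treats a working directory on a non-system drive as a possible mounted image, and flags wermgr.exe connecting outside the network. The event field names and the C: system-drive assumption are mine.

```python
import ipaddress
import re
# Constructed sample telemetry (not from the page), shaped like the chain described above.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cwd": "E:\\",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c IncomingPay\Issues.cmd'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "cwd": "E:\\",
     "cmdline": r"rundll32.exe IncomingPay\stager_1.dll,DllRegisterServer"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cwd": r"C:\Users\alice",
     "cmdline": r'cmd.exe /c "C:\Program Files\Vendor\update.cmd"'},   # benign look-alike
    {"type": "network", "image": r"C:\Windows\System32\wermgr.exe", "dst": "203.0.113.10", "dport": 443},
]
# Hosts an LNK may invoke directly; per the eighth-sample note above, do not key on cmd.exe/wscript.exe alone.
LAUNCHERS = {"cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
PAYLOAD_EXT = (".cmd", ".bat", ".vbs", ".js", ".dll")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def relative_payloads(cmdline: str) -> list[str]:
    """Script/DLL arguments given as relative paths with a directory component,
    the way IncomingPay\\Issues.cmd resolves against the mounted image's root."""
    unquoted = re.sub(r'"[^"]*"', " ", cmdline)  # quoted arguments carry absolute paths
    hits = []
    for token in unquoted.split():
        path = token.split(",")[0]               # rundll32 syntax: path,ExportName
        if path[:1] in ("\\", "/", "-") or re.match(r"^[A-Za-z]:", path):
            continue                             # rooted path, drive letter, or a switch
        if "\\" in path and path.lower().endswith(PAYLOAD_EXT):
            hits.append(path)
    return hits

def hunt(events) -> list[tuple[str, str, str]]:
    """Return (rule, process name, detail) for each event matching a rule."""
    findings = []
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process" and name in LAUNCHERS:
            for payload in relative_payloads(ev["cmdline"]):
                # Assumption: C: is the system drive, so a working directory on another
                # letter is treated as a possibly mounted ISO/IMG/VHD (cheap, noisy signal).
                rule = "launcher_relative_payload"
                if ev.get("cwd", "C:")[:2].upper() != "C:":
                    rule += "_from_mounted_image"
                findings.append((rule, name, payload))
        elif ev["type"] == "network" and name == "wermgr.exe":
            # wermgr.exe (Windows Error Reporting) reaching a non-internal host matches the
            # injected-wermgr.exe C2 pattern above; allowlist Microsoft endpoints in production.
            if not any(ipaddress.ip_address(ev["dst"]) in net for net in INTERNAL):
                findings.append(("wermgr_outbound", name, f'{ev["dst"]}:{ev["dport"]}'))
    return findings
```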
Discovery (4 techniques)
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement (1 technique)
Collection (1 technique)
Command and Control (2 techniques)
IOCs tracked for this family
480 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Referenced as malware whose operators used HTML smuggling to deliver initial access payloads.
Banking trojan family whose C2 infrastructure is tracked by Abuse.ch Feodo Tracker.
Long-running modular banking trojan that evolved into a general-purpose malware delivery platform. The content says it performs credential theft, banking fraud, system reconnaissance, persistence, browser and credential harvesting, email collection, command execution, C2 communication, payload delivery, and movement inside enterprise environments. In the COM example, it uses CoInitializeSecurity, CoCreateInstance, and the WMI locator interface IWbemLocator::ConnectServer.
Using a disk image as a "malware container" has been used multiple times in the past[2] ... https://isc.sans.edu/diary/obama224+distribution+Qakbot+tries+vhd+virtual+hard+disk+images/29294