Sunday, May 4, 2025
HomeCyber Security NewsHackers Using Weaponized PDF Files to Deliver Qakbot Malware

Hackers Using Weaponized PDF Files to Deliver Qakbot Malware

Published on

SIEM as a Service

Follow Us on Google News

Qakbot is a sophisticated banking trojan and malware that primarily targets financial institutions. This sophisticated malware steals sensitive information such as:-

  • Login credentials
  • Financial data

While hackers exploit Qakbot to conduct:-

  • Financial fraud
  • Unauthorized transactions
  • Gain access to personal data
  • Gain access to financial information

Qakbot malware returns after the “Duck Hunt” bust. Not only that, even Microsoft has found small-scale phishing targeting the hospitality sector since Dec 11, 2023.

- Advertisement - Google News
Microsoft discovery of Qakbot resurface (Source - K7)
Microsoft discovery of Qakbot resurface (Source – K7)

Though all these phishing emails are low now, researchers at K7 Security Labs affirmed to expect an email volume surge due to Qakbot’s history.

Cybersecurity researchers at K7 Security Labs recently discovered that hackers use weaponized PDF files to deliver Quakbot malware.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

PDF Files to Deliver Qakbot Malware

In a recent phishing campaign, researchers identified threat actors actively delivering malicious MSI files via PDFs. Further, the analysis uncovers a patched IDM DLL housing Qakbot, which is found to be using a custom packer. 

Besides this, unpacking the Qakbot DLL involves breakpoints on:-

  • VirtualAlloc()
  • VirtualProtect()

Initially, experts obtained the dump without the MZ header, and later, they identified it as Qakbot’s second-stage loader by adding the header manually. This technique helps the threat actors avoid EDR detection by avoiding MZ header scans.

Execution Flow (Source - K7)
Execution Flow (Source – K7)

In the new Qakbot campaign, security researchers noted AES encryption for victim info storage, yet the final payload retains RC4 encryption. The dynamic analysis discreetly exposes an MSI-installed temp file invoking rundll32.exe. 

The threat actor leveraging the PDFs self-copies the DLL as AcrobatAC.dll and then executes the Qakbot via EditOwnerInfo. 

The malicious DLL suspends the wermgr.exe (Windows Error Manager) as part of the kill chain. Besides this, the experts also extracted the Qakbot payload by dumping the PE file from the suspended wermgr.exe, which reveals the use of process hollowing.

Qakbot pretends to be wermgr.exe and tries to establish a covert C2 connection, however, the C2 which is inactive during analysis stops the further malicious actions.

IoCs

IoCs (Source - K7)
IoCs (Source – K7)

Looking for cost-effective penetration testing services? Try Kelltron’s to assess and evaluate the security posture of digital systems –

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...