Wednesday, April 24, 2024

Is QakBot Malware Officially Dead?

Only a few malware families can claim to have persisted for nearly twenty years, and QakBot (also referred to as QBot) stands among them as one of the most enduring. Since its first appearance in 2008, it has been deployed in numerous attacks, causing significant financial losses of hundreds of millions of dollars.

However, it appears that the recent actions taken by the FBI in cracking down on QakBot’s operations may have dealt a fatal blow to the malware’s activities. Despite this, the past has shown us that malware can sometimes recover from such setbacks.

What is QakBot?

QakBot is a malware family with a modular design that allows it to operate both as a Remote Access Trojan (RAT) and a loader. Historically, attacks involving this malicious software have primarily targeted businesses in the United States and focused on stealing banking information and other financial credentials.

The malicious software leverages man-in-the-browser functionality, which enables it to execute web injections, manipulating the banking website content that victims view while browsing from an infected device. 

QakBot also exhibits worm-like behavior, allowing it to propagate through shared drives and network systems, further complicating its eradication efforts.

Considering the malware’s primary emphasis on the corporate sector, its most prevalent means of infiltrating systems has been through a malicious document distributed as part of phishing campaigns. For instance, the typical execution path of such a maldoc can be traced using ANY.RUN’s analysis of a QBot sample.

The process tree created by the QBot sample

The attack begins with the victim opening the maldoc, which, upon launch, uses macros to initiate a series of processes. From there, QBot uses cmd.exe to start a chain of commands and executions, creating folders and temporary files. The trojan then uses PowerShell to download the payload, which often has a simple name of six digits or letters and a .png extension, despite being an executable file.

Once QBot begins its main execution, it attempts to evade detection by overwriting itself with legitimate Windows processes like calc.exe (calculator), injecting explorer.exe, and adding itself to autorun to gain persistence.
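The chain described above (Office application → cmd.exe → PowerShell → a "six-character .png" that is really a PE file → autorun entry) is exactly the kind of sequence a detection rule can key on. The following is an added example written for this article, not code from ANY.RUN or from the original post: it runs rule-style checks over a handful of constructed, Sysmon-like telemetry events. The event field names (`type`, `pid`, `ppid`, `image`, `path`, `head_hex`, `key`, `value`) are an assumed schema, not a real Sysmon layout, and the sample events and file names are invented for illustration.

```python
# Added example: detection logic for the QakBot maldoc execution chain.
# The event schema below is an assumption made for this example, not real Sysmon output.
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PAYLOAD_STEM_LEN = 6      # six-character payload name mentioned in the article
PE_MAGIC = b"MZ"          # DOS-header signature every Windows executable starts with


def basename(path: str) -> str:
    """Lower-cased file name, handling Windows separators on any host OS."""
    return ntpath.basename(path).lower()


def ancestry(event, procs):
    """Image basenames from the oldest known ancestor down to this process."""
    chain, cur, seen = [], event, set()
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = procs.get(cur["ppid"])
    return list(reversed(chain))


def looks_like_qbot_payload(path: str, head: bytes) -> bool:
    """Six alphanumeric characters + .png extension, but the bytes are a PE file."""
    stem, ext = ntpath.splitext(basename(path))
    return (ext == ".png" and len(stem) == PAYLOAD_STEM_LEN
            and stem.isalnum() and head.startswith(PE_MAGIC))


def detect(events):
    """Return (rule, pid, detail) tuples for every event matching a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create":
            chain = ancestry(e, procs)
            image = basename(e["image"])
            # Rule 1: an Office application directly spawning cmd.exe
            if image == "cmd.exe" and len(chain) >= 2 and chain[-2] in OFFICE_APPS:
                findings.append(("office_spawns_cmd", e["pid"], chain))
            # Rule 2: PowerShell anywhere beneath an Office application
            if image == "powershell.exe" and any(p in OFFICE_APPS for p in chain[:-1]):
                findings.append(("office_to_powershell", e["pid"], chain))
        elif e["type"] == "file_write":
            # Rule 3: .png on disk whose first bytes are a PE header
            if looks_like_qbot_payload(e["path"], bytes.fromhex(e["head_hex"])):
                findings.append(("pe_disguised_as_png", e["pid"], e["path"]))
        elif e["type"] == "registry_set":
            # Rule 4: autorun (Run key) entry pointing at a .png "image"
            if "\\currentversion\\run\\" in e["key"].lower() and e["value"].lower().endswith(".png"):
                findings.append(("run_key_points_to_png", e["pid"], e["key"]))
    return findings


# Constructed sample telemetry: one infection chain plus benign explorer.exe activity.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "file_write", "pid": 300,
     "path": "C:\\Users\\Public\\tmp\\a1b2c3.png", "head_hex": "4d5a9000"},   # "MZ\x90\x00"
    {"type": "process_create", "pid": 400, "ppid": 1,
     "image": "C:\\Windows\\explorer.exe"},
    {"type": "file_write", "pid": 400,
     "path": "C:\\Users\\alice\\Pictures\\photo1.png", "head_hex": "89504e47"},  # real PNG
    {"type": "registry_set", "pid": 300,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "value": "C:\\Users\\Public\\tmp\\a1b2c3.png"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Note that `photo1.png` has a six-character name but is not flagged: the file-content check (PE magic) is what separates the disguised payload from an ordinary image, so name heuristics alone would be noisy. Rule 2 walks the full ancestry rather than only the direct parent, so an intermediate cmd.exe (or any other hop) does not hide the Office origin.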


The FBI’s Disruption of QBot’s Operations

In August 2023, the FBI announced that in collaboration with other law enforcement agencies, it had successfully taken down the QBot network, resulting in the elimination of the malware from over 700,000 infected computers.

The operation involved accessing Qakbot’s command-and-control infrastructure and redirecting its traffic to the FBI’s servers. These servers then instructed infected computers to download an uninstaller file, effectively removing the malware from the machines.

The agency recovered millions of dollars in cryptocurrency and credentials of more than 6 million victims, including email addresses and passwords. Additionally, the FBI seized 52 servers, which will permanently dismantle the botnet.

Will this put an end to QBot?

Still, the question remains: Will the recent successful operation be the final nail in QBot’s coffin? Unfortunately, it is unlikely, as plenty of similar precedents have existed.

For instance, in 2021, international law enforcement agencies, including the FBI, took down Emotet, one of the largest botnets in history, responsible for infecting over a million computers globally. Interestingly, the tactic employed by the agencies was similar to the one used against QBot: access to the botnet’s infrastructure was gained, and the malware was uninstalled from all infected machines using special software. However, 10 months after the crackdown, Emotet was back in full operation.

Such precedents demonstrate that QakBot still has the potential to return more robust than before, especially given that no arrests of the actual group of developers behind the malware have been made. All of this suggests that QBot is likely to regain its lost position as one of the most persistent threats.


Although QakBot may have been temporarily removed from the global threat landscape, it is crucial to remain cautious and prepared for its return in the future. To be equipped to rise to any cybersecurity challenge, use ANY.RUN. 

It is a regularly updated malware sandbox with an excellent track record of exposing the malicious activities of the newest threats and the latest versions of the existing ones. 

Coupled with its unmatched interactivity and a wide selection of VM configuration settings, ANY.RUN will be your best partner in conducting in-depth analysis of the most advanced malware samples in the comfort of an intuitive web interface.

You can use ANY.RUN sandbox for free without limit to get nearly instant reports on any file or link, gain an in-depth look at their activities, and discover the latest samples in the service’s database. 


Cyber Writes

Work done by a team of security experts from Cyber Writes, the world’s first dedicated Content-as-a-Service (CaaS) platform for cybersecurity. For exclusive cyber security content, reach out at: [email protected]