Saturday, May 31, 2025
HomeMalwareQBot Trojan Attacks Victims with Malicious Election Interference Attachments

QBot Trojan Attacks Victims with Malicious Election Interference Attachments

Published on

SIEM as a Service

Follow Us on Google News

QBot malware, also referred to as Qakbot and Pinkslipbot, is a banking Trojan active since 2008. Attackers are using the QBot malware with updated worm features to steal users’ keystrokes, deploy backdoors, and spread malware payloads on compromised devices.

Researchers stated that the newest version of QBot has detection and research-evasion techniques that hide the malware codes and shake scanners and anti-software tools.

As U.S. election night ended, uncertainty regarding the results began to sneak in, threat actors decided to leap in thereon too. In observation, a new spam campaign delivering malicious attachments that exploit doubts about the election process.

- Advertisement - Google News

The QBot banking Trojan operators return also with the U.S. election-themed phishing emails enticing victims with malicious election interference attachments.

Hijacked Email Threads Pushing False DocuSign Documents

The malicious emails come as thread replies, almost like what Emotet (Trojan that is primarily spread through spam emails) does to add legitimacy and make detection harder.

They contain zip attachments suitably named ElectionInterference_[8 to 9 digits](.)zip(as shown within the image below).

Phishing Email

While the election results are still being assessed and debated, victims are tempted to open up the document to examine alleged election interference.

The extracted file is an Excel spreadsheet (as shown below) disguised as a secure DocuSign file allegedly containing information associated with election interference. When the potential victims open bait documents, they are tricked to permit macros to ‘decrypt’ the document.

Malicious Attachment

This tried and verified trick will download a malicious payload onto the victim’s machine. The URL for that payload is encoded as shown within the image below.

Payload URL obfuscation

After the execution, the QBot Trojan will contact its command and control server and request instructions. Additionally to stealing and exfiltrating data from its victims, QBot also will start grabbing emails which will later be used as a part of subsequent malspam campaigns.

Qbot process flow

Aggressive Malware used in Targeted Campaigns

Besides phishing campaigns, attackers are also often using exploit kits to drop QBot payloads, with the bot subsequently infecting other devices on the victims’ network using network share exploits and highly aggressive brute-force attacks that focus on, Active Directory admin accounts.

QBot banking trojan was mostly utilized in targeted attacks against corporate entities that provide a better return on investment.

World events like the Covid pandemic or the US elections provide perfect material to craft effective schemes leading to high infection ratios.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

JhoneRAT – Hackers Launching New Cloud-based Python RAT to Steal Data From Google Drive, Twitter & Google Forms

Hackers Hosting Malware On Google Sites To Steal Data and Share It to the Remote Server

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Use AI-Generated Videos on TikTok to Spread Info-Stealing Malware

TrendMicro has uncovered a sophisticated campaign where threat actors are exploiting TikTok to distribute...

Novel Malware Evades Detection by Skipping PE Header in Windows

Researchers have identified a sophisticated new strain of malware that bypasses traditional detection mechanisms...

New Rust-Based InfoStealer Uses Fake CAPTCHA to Deliver EDDIESTEALER

A newly discovered Rust-based infostealer, dubbed EDDIESTEALER, has been uncovered by Elastic Security Labs,...