Fresh Qakbot Sightings Confirm Recent Takedown Was a Temporary Setback

Published: 23/11/2024   Category: security

Microsoft and several others have reported seeing the noxious malware surfacing again in a campaign targeting the hospitality industry.



Qakbot malware is back less than four months after US and international law enforcement authorities dismantled its distribution infrastructure in a widely hailed operation dubbed Duck Hunt.

In recent days, several security vendors have reported seeing the malware being distributed via phishing emails that target organizations in the hospitality sector. For the moment, the email volumes appear to be relatively low. But given the tenacity that Qakbot operators have shown in the past, it likely won't be long before the volume picks up again.
Microsoft's threat intelligence group has estimated the new campaign began Dec. 11, based on a timestamp in the payload used in the recent attacks. Targets have received emails with a PDF attachment from a user purporting to be an employee at the IRS, the company said in multiple posts on X, the platform formerly known as Twitter. The PDF contained a URL that downloads a digitally signed Windows Installer (.msi), Microsoft posted. Executing the MSI invoked Qakbot through the "hvsi" export of an embedded DLL. The researchers described the Qakbot version that the threat actor is distributing in the new campaign as a previously unseen version.
Zscaler observed the malware surfacing as well. In a post on X, the company identified the new version as 64-bit, using AES for network encryption and sending POST requests to a specific path on compromised systems. Proofpoint confirmed similar sightings a day later while also noting that the PDFs in the current campaign have been distributed since at least Nov. 28.
Qakbot is particularly noxious malware that has been around since at least 2007. Its authors originally used the malware as a banking Trojan but in recent years pivoted to a malware-as-a-service model. Threat actors typically have distributed the malware via phishing emails, and infected systems usually become part of a bigger botnet. At the time of the takedown in August, law enforcement identified as many as 700,000 Qakbot-infected systems worldwide, some 200,000 of which were located in the US.
Qakbot-affiliated actors have increasingly used it as a vehicle to drop other malware, most notably Cobalt Strike, Brute Ratel, and a slew of ransomware. In many instances, initial access brokers have used Qakbot to gain access to a target network and later sold that access to other threat actors. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti, ProLock, Egregor, REvil, MegaCortex, Black Basta, Royal, and PwndLocker, the US Cybersecurity and Infrastructure Security Agency noted in a statement announcing the law enforcement takedown earlier this year.
The recent sightings of Qakbot malware appear to confirm what some vendors have reported in recent months: law enforcement's takedown had less of an impact on Qakbot actors than generally perceived.
In October, for instance, threat hunters at Cisco Talos reported that Qakbot-affiliated actors were continuing to distribute the Remcos backdoor and Ransom Knight ransomware in the weeks and months following the FBI's seizure of Qakbot infrastructure. Talos security researcher Guilherme Venere saw that as a sign that August's law enforcement operation may have taken out only Qakbot's command-and-control servers and not its spam-delivery mechanisms.

"Though we have not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward," Venere said at the time. "We see this as likely as the developers were not arrested and are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure."

Security firm Lumu said it counted a total of 1,581 attempted attacks on its customers in September that were attributable to Qakbot. In subsequent months, the activity has remained at more or less the same level, according to the company. Most attacks have targeted organizations in finance, manufacturing, education, and government sectors.

"The threat group's continued distribution of the malware indicates that it managed to evade significant consequences," Lumu CEO Ricardo Villadiego says. The group's ability to continue operating primarily hinges on the economic feasibility, technical capabilities, and ease of establishing new infrastructure, he notes. "Since the ransomware model remains profitable and legal efforts haven't specifically targeted the individuals and the underlying structure of these criminal operations, it becomes challenging to completely neutralize any malware network like this."
