Unkillable? Qakbot Infections Fly On Even After Its High-Profile Raid

Published: 23/11/2024   Category: security


A literal seven-nation (cyber) army wasn't enough to hold back the famous initial access broker (IAB) for long — it's been chugging along, spreading ransomware, despite a massive takedown in August.



The Qakbot (aka Qbot) first-stage malware operation is still kicking, even after the Operation Duck Hunt raid by law enforcement eviscerated its infrastructure a few weeks ago. It was recently seen distributing the Ransom Knight ransomware and the Remcos backdoor remote access Trojan (RAT) via phishing emails.
Evidently, a massive takedown of Qakbot's botnet infrastructure in August, involving law enforcement from seven different countries, wasn't enough to even temporarily kill the notorious initial access broker (IAB). According to a new report from Cisco Talos, a ransomware campaign that began before the raid is still ongoing, yet again proving how difficult it is to take out a major threat actor.
"A lot of people thought that it would not take a lot of time before Qakbot was back, and we've shown that," says Guilherme Venere, threat researcher for Cisco Talos. "They were never really inactive. They were still running campaigns at the same time that the requisite infrastructure was taken down."
On Aug. 29, law enforcement authorities from the US (the FBI), UK, France, Germany, Romania, Latvia, and the Netherlands teamed up against the operators behind Qakbot, cutting it off at the knees. Specifically, authorities identified and accessed 700,000 infected computers, redirecting them to FBI-controlled servers, where they automatically downloaded Qakbot uninstallers. Additionally, authorities seized $8.6 million of Qakbot's illicitly obtained funds.
But in the face of all that, a Qakbot campaign that began earlier in August kept chugging along.
In fact, the group has been distributing phishing emails in English, Italian, and German, containing .ZIP archives with two primary components.
First, there are shell link (.LNK) files masquerading as financial documents, for example Pay-Invoices-29-August.pdf.lnk and bank transfer request.lnk. These files download an executable containing the Ransom Knight ransomware from a remote IP address. Ransom Knight is a newer version of the ransomware-as-a-service malware Cyclops, updated back in May.
Besides the ransomware, the .ZIPs also contain Excel Add-In (XLL) files hiding the Remcos backdoor, enabling persistent access to targeted machines even after the deployment of ransomware.
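The two archive components described above (LNK files wearing a document-style double extension, plus XLL add-ins) can be flagged at a mail gateway or triage station without executing anything, by checking member names against the file headers. The following is an added example, not code from the article or from Cisco Talos; the lure archive it scans is constructed inline, and the LNK header bytes and "MZ" DOS stub it relies on are the published format constants for Shell Link files and PE DLLs.

```python
import io
import zipfile

# A Shell Link (.LNK) file begins with HeaderSize 0x4C followed by the fixed
# LinkCLSID 00021401-0000-0000-C000-000000000046, whatever its name claims.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PE_MAGIC = b"MZ"  # XLL add-ins are ordinary PE DLLs
# Document-looking extensions the lure names borrow (e.g. ".pdf.lnk").
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_entry(name, head):
    """Return the reasons an archive member matches the lure pattern ([] = clean)."""
    reasons = []
    lower = name.lower()
    if head.startswith(LNK_MAGIC):
        reasons.append("shell link (LNK) by header")
        stem = lower.rpartition(".")[0]            # name without its last extension
        inner_ext = "." + stem.rpartition(".")[2]  # the extension before that
        if inner_ext in DECOY_EXTS:
            reasons.append(f"decoy document extension {inner_ext} before the real one")
    elif lower.endswith(".lnk"):
        reasons.append(".lnk name without LNK header")
    if lower.endswith(".xll"):
        kind = "PE" if head.startswith(PE_MAGIC) else "non-PE"
        reasons.append(f"Excel add-in (XLL), {kind} payload")
    return reasons


def scan_zip(blob):
    """Map each suspicious member of a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                head = zf.read(info)[:64]  # the magic lives in the first bytes
                reasons = classify_entry(info.filename, head)
                if reasons:
                    findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive laid out like the lure described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pay-Invoices-29-August.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("bank transfer request.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("invoice_helper.xll", PE_MAGIC + b"\x90" * 62)
        zf.writestr("readme.txt", b"benign text file")  # must not be flagged
    return buf.getvalue()
```

Calling `scan_zip(build_sample_zip())` flags the two LNK members and the XLL while leaving readme.txt alone; matching on the header rather than the name also catches an LNK renamed to hide the .lnk suffix.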
It's unclear yet how many organizations have been targeted in this campaign, and whether any have suffered damages as a result.
In recent years, US and international law enforcement has stepped up efforts to curb major cybercrime outfits, whether by taking down infrastructure, seizing crypto, arresting group members IRL, or any combination thereof. The long-term results are mixed.
In certain cases, police have done serious, irreversible harm to these groups. For instance, where once it sat atop the world of ransomware, Hive is now a memory of the past, thanks to the FBI and Department of Justice.
But seemingly in more cases, authorities have had limited success. The Emotet botnet survived a coordinated takedown effort, as did the Trickbot botnet. Even the Conti group recouped after being shut down by authorities, at least to some degree.
"It's difficult to take them down unless you arrest the original actors behind the group," Venere says. "In this case, there was no arrest made of anyone behind the Qakbot infrastructure. So they are still there. They still have access to the source code for the malware. They can still develop new variants, and they have the infrastructure to distribute it."
All of the law enforcement effort isn't necessarily a waste, though. "The FBI had a huge impact on the group's infrastructure, and their financial structure, and now they have to rebuild it. Sometimes, this kind of thing makes it not worth the time to rebuild infrastructure," he says.
"So it might have an impact in the end," he concludes, "because it will make it so expensive for them to rebuild this stuff."
