QakBot
QakBot, also known as QBot, QuakBot, and Pinkslipbot, is a modular banking trojan and information stealer first seen in 2007 that has evolved into a malware distributor and ransomware precursor. It is associated with financially motivated cybercriminal activity and has been linked in reporting to Russian operators. QakBot targets Microsoft Windows systems and has been used at scale, including infrastructure associated with the Avalanche fast-flux botnet ecosystem.
Observed initial access commonly involves phishing or hijacked email threads delivering malicious HTML attachments, password-protected ZIP archives, malicious URLs, and later ISO, IMG, or VHD disk images containing malicious LNK files. Reporting also notes a shift in some 2022 campaigns to malicious MSI packages delivered via phishing emails with password-protected ZIP attachments. QakBot execution chains abuse LOLBins including cmd.exe, wscript.exe, curl.exe, regsvr32.exe, and rundll32.exe; observed chains include LNK > CMD/CURL > PING > Regsvr32, LNK > CALC > Regsvr32 via DLL hijacking, and related regsvr32-based loader activity. QakBot has also used signed loaders to evade detection.
On execution, QakBot performs anti-analysis and defense evasion, including checking for antivirus products such as Kaspersky, Bitdefender, Sophos, Trend Micro, Windows Defender, and Avast; checking for C:\INTERNAL__empty to detect the Windows Defender sandbox; and modifying the Registry to add its binaries to the Windows Defender exclusion list. It performs process hollowing into legitimate Windows processes selected from a hardcoded list, with observed targets including wermgr.exe, explorer.exe, mobsync.exe, msra.exe, OneDriveSetup.exe, iexplore.exe, and dxdiag.exe. It enumerates processes using CreateToolhelp32Snapshot, Process32First, and Process32Next, and uses CreateProcessW, WriteProcessMemory, and NtResumeThread during injection.
Persistence has been observed via HKCU\Software\Microsoft\Windows\CurrentVersion\Run and, for higher-privileged users, scheduled tasks. QakBot stores configuration in the registry under HKCU\Software\Microsoft\[RandomDir] and drops a copy of its DLL under %APPDATA%\Microsoft\[RandomDir]. It may later remove persistence artifacts as an anti-forensics measure.
Capabilities described in public reporting include host and network discovery, lateral movement support, credential theft, browser data theft, email theft, web injection, payload delivery, proxying, and exfiltration. QakBot can execute WMI queries to gather information; run discovery commands such as net view, arp -a, ipconfig /all, net share, route print, netstat -nao, net localgroup, whoami /all, and nslookup queries for domain controller discovery; identify peripheral devices; and use PowerShell to download and execute payloads. It can collect usernames and passwords from Firefox and Chrome, abuse esentutl.exe to access Internet Explorer and Microsoft Edge web cache data, send stolen information including passwords, accounts, and emails to command-and-control nodes, and store stolen emails and other data in new folders prior to exfiltration. Its web inject module can inject JavaScript into online banking pages visited by victims. QakBot can Base64-encode system information sent to C2 and includes a module that can proxy C2 communications.
Command and control is described as HTTPS POST communications to hardcoded C2 servers, with host fingerprinting and discovery data sent upstream. QakBot infections frequently hand off to additional tooling and post-exploitation frameworks including Cobalt Strike, Brute Ratel, and fileless .NET Mimikatz, and multiple reports tie QakBot intrusions to subsequent ransomware deployment. Reported downstream ransomware associations in public reporting include Royal, Egregor, Black Basta, Conti, DoppelPaymer, Maze, ProLock, and REvil. CERT-FR reporting cited Qbot/QakBot as a common initial access vector for the Lockean affiliate group, often delivered via Emotet or TA551, while Sophos reported Qbot delivered by malicious emails in Egregor attacks. Reporting also notes that QakBot remains prevalent alongside Emotet and has been widely distributed in campaigns that lead to ransomware-as-a-service affiliate handoffs.
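As an added detection-side example (not code from Mallory or from any report it cites), the behaviours profiled above are checked against constructed Sysmon-style telemetry: a regsvr32/rundll32 loader spawning one of the hardcoded hollowing targets, registry writes that add a Windows Defender exclusion or a Run-key value, and a burst of the listed discovery commands from one parent process. The event field names and the sample events are assumptions.

```python
# Added detection example (not Mallory's or any QakBot reporting code). Event fields
# (ts, kind, pid, ppid, image, parent, cmdline, target) are an assumed Sysmon-like shape.
from collections import defaultdict
from datetime import datetime

HOLLOW_TARGETS = {"wermgr.exe", "explorer.exe", "mobsync.exe", "msra.exe",
                  "onedrivesetup.exe", "iexplore.exe", "dxdiag.exe"}
LOADERS = {"regsvr32.exe", "rundll32.exe"}
DISCOVERY = ("net view", "arp -a", "ipconfig /all", "net share", "route print",
             "netstat -nao", "net localgroup", "whoami /all", "nslookup")
DEFENDER_EXCL = r"\windows defender\exclusions"      # Defender exclusion subkeys
RUN_KEY = r"\windows\currentversion\run"             # also matches RunOnce

def base(path):
    return path.rsplit("\\", 1)[-1].lower()          # lower-cased image file name

def ev(ts, kind, pid, ppid, image, parent="", cmdline="", target=""):
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "pid": pid, "ppid": ppid,
            "image": image, "parent": parent, "cmdline": cmdline, "target": target}

def hollowing_alerts(events):
    """pids of hardcoded hollowing targets spawned directly by regsvr32/rundll32."""
    return [e["pid"] for e in events if e["kind"] == "process"
            and base(e["parent"]) in LOADERS and base(e["image"]) in HOLLOW_TARGETS]

def registry_alerts(events):
    """(pid, reason) for writes that add a Defender exclusion or a Run-key value."""
    reasons = {DEFENDER_EXCL: "defender_exclusion", RUN_KEY: "run_key"}
    return [(e["pid"], r) for e in events if e["kind"] == "registry"
            for k, r in reasons.items() if k in e["target"].lower()]

def discovery_bursts(events, window_s=60, min_cmds=4):
    """Parent pids whose children ran >= min_cmds distinct discovery commands with
    first and last hit no more than window_s apart (the QakBot-style recon burst)."""
    hits = defaultdict(list)
    for e in (x for x in events if x["kind"] == "process"):
        cmd = next((d for d in DISCOVERY if d in e["cmdline"].lower()), None)
        if cmd:
            hits[e["ppid"]].append((e["ts"], cmd))
    return [ppid for ppid, h in hits.items()
            if len({c for _, c in h}) >= min_cmds
            and (max(t for t, _ in h) - min(t for t, _ in h)).total_seconds() <= window_s]

# Constructed sample telemetry: one QakBot-like chain (pids 1200-1404) plus benign noise.
SAMPLE = [
    ev("2024-02-01T10:00:00", "process", 1200, 900, r"C:\Windows\System32\regsvr32.exe",
       r"C:\Windows\System32\cmd.exe", r"regsvr32.exe -s C:\Users\u\AppData\Local\Temp\a.dll"),
    ev("2024-02-01T10:00:02", "process", 1300, 1200, r"C:\Windows\System32\wermgr.exe",
       r"C:\Windows\System32\regsvr32.exe"),
    ev("2024-02-01T10:00:05", "registry", 1300, 0, r"C:\Windows\System32\wermgr.exe",
       target=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\u\AppData\Roaming\Microsoft\Abcd"),
    ev("2024-02-01T10:00:06", "registry", 1300, 0, r"C:\Windows\System32\wermgr.exe",
       target=r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\abcd"),
    ev("2024-02-01T11:00:00", "process", 2100, 2050, r"C:\Windows\System32\ipconfig.exe",
       r"C:\Windows\System32\cmd.exe", "ipconfig /all"),   # lone admin command, not a burst
] + [
    ev(f"2024-02-01T10:00:{10 + i:02d}", "process", 1400 + i, 1300, r"C:\Windows\System32\cmd.exe",
       r"C:\Windows\System32\wermgr.exe", f"cmd /c {c}")
    for i, c in enumerate(["net view", "arp -a", "ipconfig /all", "whoami /all",
                           "nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.corp.local"])
]
```

Each function is a separate signal; in practice the three fire on the same pid within seconds, which is the correlation worth alerting on rather than any one check alone.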
Vulnerabilities exploited
6 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
DEV-0464 also rapidly adopted the Microsoft Support Diagnostic Tool (MSDT) vulnerability (CVE-2022-30190) in their campaigns. | September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.
These vulnerabilities are designated as CVE-2020-1472 (Zerologon) ... In the Qbot and Zerologon Lead To Full Domain Compromise report we saw ZeroLogon. | IcedID, Qbot, and Gootloader have all been observed making use of Scheduled Tasks ... Process injection was used both by initial access malware like Qbot ... In one of the earliest reports from the year, we observed Qbot continue to steal email inboxes from infected systems for use in later campaigns.
"The threat actor gained initial access to the organization via Qakbot infection..." | The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices.
Microsoft previously addressed an actively exploited zero-day flaw in DWM in May 2024 (CVE-2024-30051), which was described as a privilege escalation flaw that was abused by multiple threat actors, in connection with the distribution of QakBot and other malware families.
Windows Office Product Spawned Uncommon Process ... CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability ...
Threat Details and IOCs Malware: ... Qbot ...
Groups observed using it
18 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.
In most of the attacks described in the report, the threat actor gained initial access to the victim network through Qbot/QakBot, a banking trojan that changed its role to distribute other malware, including ransomware strains ProLock, Egregor, and DoppelPaymer.
This malware was first observed being distributed by TA577, an IAB known as a prolific Qbot distributor prior to the malware’s disruption in 2023.
In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment.
QakBot (Qbot/Quakbot) continues to operate well after the FBI's August 2023 "Operation Duck Hunt" takedown. Campaign tchk08, first observed February 2024, delivers QakBot via an MSI installer masquerading as Adobe Acrobat.
“The presence of actors like Cortes, with ties to Qakbot, demonstrates how ransomware crews frequently outsource expertise, rely on external access brokers or pull in operators with malware-specific experience as needed.”
In March 2023, CTU researchers observed an intrusion deploying Clop ransomware stemming from a Qakbot infection...
"...QakBot infections have led to the deployment of ransomware, including Egregor, Maze, DoppelPaymer, MedusaLocker and ProLock."
"The threat actor gained initial access to the organization via Qakbot infection..."
A threat actor designated by Proofpoint as TA570 routinely pushes Qakbot (Qbot) malware... TA570 Qakbot distribution included Word documents using the CVE-2022-30190 (Follina) exploit (ms-msdt).
Qbot affiliate id “partner01” is the primary payload dropped by Emotet seen almost daily.
The eSentire Security Operations Center (SOC) has intercepted several incidents stemming from a recent Qakbot campaign. Qakbot is a malware-as-a-service (MaaS) known to precede ransomware intrusions associated with Maze, Egregor, and Conti ransomware groups.
“It also had a strong association with the Qakbot botnet, prior to its takedown in August 2023.”
"In at least two of those instances, UNC2633 used the zero-day vulnerability to distribute QAKBOT on the victims' networks."
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
In the Ryuk attacks we saw with SystemBC, initial compromise came from phishing messages that delivered the Buer Loader malware; other attacks in the same campaign used Bazar or Zloader. The Egregor attacks we saw used another loader dropped by malicious emails—Qbot.
Qakbot is delivered via email, often downloaded by malicious macros in an Office document.
Execution
7 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
For the first time, researchers saw Qbot delivered via malicious Windows Installer (MSI) packages, suggesting that at least one subset of operators may be experimenting with new ways to evade victims’ defenses. | In past campaigns, adversaries used weaponized Microsoft Office documents, which were embedded with malicious macros and delivered via phishing campaigns. Upon macro execution, victims downloaded and executed a Qbot payload, typically without knowing it.
Qakbot was leveraged to remotely create a temporary service on a target host which was configured to execute a Qakbot DLL using regsvr32.exe.
Persistence
4 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Examples include 'adds Registry Run keys to establish persistence', 'creates a shortcut in the Startup folder', and 'RunOnce Registry key to run itself on safe mode.'
Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.' | The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
3 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Examples include 'adds Registry Run keys to establish persistence', 'creates a shortcut in the Startup folder', and 'RunOnce Registry key to run itself on safe mode.'
Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.' | The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth
6 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
JPIN uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer. Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. TEARDROP created and read from a file with a fake JPG header.
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Qakbot was leveraged to remotely create a temporary service on a target host which was configured to execute a Qakbot DLL using regsvr32.exe: regsvr32.exe -s \\SYSVOL\\.dll
QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells. Ramsay can also embed information within document footers.
Defense Impairment
1 technique
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Credential Access
3 techniques
The content references collection of credential material from local systems, including "Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies," "GALLIUM collected ... password hashes from the SAM hive in the Registry," and "Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors."
Operation MidnightEclipse stole saved cookies and login data from targeted systems; IceApple can collect files, passwords, and other data from a compromised host; RedLine Stealer collected chat logs and files associated with chat services.
PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines. QakBot can use esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge.
Discovery
4 techniques
Atomic Test #9 - DNS Server Discovery Using nslookup: Identify the system's domain DNS controller on an endpoint using an nslookup LDAP query. This tool is being abused by qakbot malware to gather information on the domain controller of the targeted or compromised host. | T1016 - System Network Configuration Discovery Description from ATT&CK ... Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access ... Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.
Collection
4 techniques
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Qakbot’s initial actions include profiling the system and the network, and exfiltrating emails (.eml files) for later use as templates in its malware distribution campaigns.
The QakBot web inject module can inject JavaScript into web banking pages visited by the victim.
Command and Control
4 techniques
Qakbot was the primary method utilised by the threat actor to maintain their presence on the network. The threat actor was also observed using Cobalt Strike beacons during the compromise.
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.
Matanbuchus mainly downloads and executes different payloads like Qbot and Cobalt Strike beacons... It downloads the attacker’s payload from the given URL, saves it to the disk and executes it... the loader can download the attacker’s payload from any remote server like free hosting services.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Other
1 technique
IOCs tracked for this family
465 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Qakbot Resurfaces in Fresh Wave of ClickFix Attacks
Banking trojan used to infect devices that were later used to deploy ProLock, Egregor, and DoppelPaymer ransomware payloads.
Named as a botnet that has faced law enforcement scrutiny since 2021.
A malware botnet whose infrastructure was disrupted in a multinational law enforcement operation in August 2023.