Loader
Qakbot
First seen: 2007-01 • Status: active
Qakbot is a veteran malware family that has been around since 2007 and keeps evolving. It arrives via phishing emails, often by hijacking real email conversations. Once inside, it steals banking credentials and, more dangerously, opens the door for ransomware. The FBI took it down in 2023, but it came back.
Overview
Qakbot is a modular banking trojan that has evolved into a major initial access vector for ransomware groups. Despite an FBI-led takedown in 2023, the malware has since returned. Qakbot is frequently used to deliver Black Basta, Royal, and other ransomware.
Also Known As
QBot, Quakbot, Pinkslipbot
How It Spreads
- Phishing emails with malicious attachments (Excel, Word, OneNote)
- Email thread hijacking
- Malicious links in emails
- Exploitation of OneNote files (newer campaigns)
- Malvertising campaigns
What It Does
- Steals banking and email credentials
- Provides initial access for ransomware
- Spreads laterally through networks
- Captures keystrokes
- Exfiltrates sensitive data
- Deploys additional payloads (Cobalt Strike, ransomware)
Target Platforms
Windows 10, Windows 11
Detection Tips
- Block OneNote files with embedded scripts via email
- Monitor for suspicious DLL injection patterns
- Detect process hollowing techniques
- Alert on scheduled tasks created by unusual processes
- Watch for Cobalt Strike beacon indicators
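One way to turn the "unusual parent process" tip above into a concrete check, added here as an example that is not part of this page or of any vendor tool: it scans Sysmon-style process-creation records (constructed for the example) for document handlers such as Word, Excel or OneNote spawning a script interpreter or the task scheduler CLI. The field names and process lists are assumptions chosen for illustration.

```python
"""Flag process-creation events where an Office/OneNote document handler
spawns a scripting or task-scheduling process, a pattern consistent with
the document-based delivery and scheduled-task persistence described above.
Event records below are constructed (Sysmon Event ID 1 style), not real telemetry."""

# Parents that normally never spawn interpreters or the task scheduler CLI.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "onenote.exe"}
# Children commonly used for follow-on execution or persistence.
SUSPICIOUS_CHILDREN = {
    "schtasks.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "powershell.exe", "cmd.exe",
}

def basename(path):
    """Lower-cased file name of a Windows path (assumed field format)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def suspicious_spawns(events):
    """Return (parent, child, host) tuples that warrant an alert."""
    hits = []
    for ev in events:
        parent = basename(ev["ParentImage"])
        child = basename(ev["Image"])
        if parent in DOCUMENT_HANDLERS and child in SUSPICIOUS_CHILDREN:
            hits.append((parent, child, ev["Computer"]))
    return hits

# Constructed sample events: two benign, two matching the pattern.
SAMPLE_EVENTS = [
    {"Computer": "WS01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\schtasks.exe"},
    {"Computer": "WS01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Computer": "WS02",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\wscript.exe"},
    {"Computer": "WS03",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\schtasks.exe"},
]

if __name__ == "__main__":
    for parent, child, host in suspicious_spawns(SAMPLE_EVENTS):
        print(f"ALERT {host}: {parent} spawned {child}")
```

Tune the two sets to your environment before deploying; a legitimate add-in that launches cmd.exe from Excel will otherwise fire the rule.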
MITRE ATT&CK Techniques
T1566, T1059, T1055, T1204, T1078
If You're Infected
1. Isolate infected systems - ransomware may be next
2. Look for signs of lateral movement immediately
3. Reset all credentials - banking and corporate
4. Contact your bank to monitor for fraudulent transactions
5. Run a comprehensive scan for Cobalt Strike and ransomware
6. Review the network for other compromised systems