QakBot

Malware updated a month ago (2024-09-18T14:17:54.217Z)
Download STIX
Preview STIX
Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups including IcedID, Emotet, and Qakbot itself, has been associated with other harmful programs such as IcedID, BazarLoader, CobaltStrike, Conti, Gozi, Pikabot, Royal Ransomware, SVCReady, Matanbuchus, and Quantum Ransomware. Some of these malware families are constructed by ITG23, like Trickbot and BazarLoader, while others originate from different sources. The threat of Qakbot continues to evolve and adapt over time. It has been observed being used in conjunction with Windows zero-day vulnerabilities, providing threat actors with a powerful tool for exploitation. In addition to its standalone capabilities, Qakbot is also frequently deployed alongside other malware types, allowing threat actors to exploit the access provided by initial breaches to further their malicious objectives. Moreover, Qakbot is not limited to a single industry or sector; recent reports indicate that it has targeted the hospitality industry, among others. Despite significant efforts to neutralize Qakbot, the malware remains active and operational. High-profile raids in August failed to permanently disable the threat, and Qakbot's activities continue unabated. The Cybersecurity & Infrastructure Security Agency (CISA) has listed several IP addresses and email addresses linked to Qakbot as potential Indicators of Compromise (IOCs). These IOCs date back to 2020, indicating a long-standing and persistent threat. As such, organizations across all sectors should remain vigilant and adopt robust cybersecurity measures to protect against this enduring menace.
Description last updated: 2024-09-18T14:16:11.479Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Qbot is a possible alias for QakBot. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi
15
Black Basta is a possible alias for QakBot. Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul
12
IcedID is a possible alias for QakBot. IcedID is a type of malware, malicious software designed to exploit and damage computer systems. It has been identified in association with various other malwares such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, and Pikabot. The IcedID IntBot Loader (int-bot.dll) is
9
Emotet is a possible alias for QakBot. Emotet is a particularly dangerous and insidious type of malware that has reemerged as a significant threat. This malicious software, which infects systems through suspicious downloads, emails, or websites, can steal personal information, disrupt operations, or even hold data for ransom. Emotet-infe
9
Pinkslipbot is a possible alias for QakBot. Pinkslipbot, also known as Qakbot, QBot or QuackBot, is a modular information-stealing malware that has been active since 2008. Initially emerging in 2007 as a banking trojan, it targeted financial institutions to steal sensitive data. Over the years, however, its functionality evolved and diversifi
9
Blackbasta is a possible alias for QakBot. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation
4
REvil is a possible alias for QakBot. REvil is a notorious malware, specifically a type of ransomware, that gained prominence in the cybercrime world as part of the Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, establishing relationships between first-stage malwares and subsequent ransomware attac
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Trojan
Botnet
Phishing
Windows
Exploit
Cybercrime
Spam
Payload
Backdoor
Cobalt Strike
Loader
Lateral Move...
Fbi
Vulnerability
Ransom
Microsoft
Credentials
Remcos
Bot
CISA
Infostealer
Antivirus
Reconnaissance
Rmm
Malware Loader
Zero Day
Macros
t1055.012
Proxy
RCE (Remote ...
Encryption
Banking
netscaler
Russia
RaaS
Fraud
Bitcoin
Source
Worm
Tool
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Pikabot Malware is associated with QakBot. PikaBot is a malicious software (malware) known for providing initial access to infected computers, enabling ransomware deployments, remote takeovers, and data theft. It's part of an array of malware families such as IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoader, among others, which have beenUnspecified
9
The malware Qakbot (Qbot is associated with QakBot. Unspecified
6
The Darkgate Malware is associated with QakBot. DarkGate is a multifunctional malware known for its capabilities in information and credential stealing, cryptocurrency theft, and ransomware delivery. A recent campaign has seen it exploit a zero-day vulnerability in Microsoft Windows, allowing it to infiltrate systems undetected. DarkGate can be dUnspecified
6
The TrickBot Malware is associated with QakBot. TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steaUnspecified
6
The Brute Ratel Malware is associated with QakBot. Brute Ratel is a malicious software (malware) that has been increasingly used by cyber threat actors to exploit and damage computer systems. It is often delivered through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, Brute Ratel can sUnspecified
5
The Conti Malware is associated with QakBot. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware opUnspecified
5
The Redline Malware is associated with QakBot. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, RedLine can steal personal information, disrupt operations, or deliver further Unspecified
4
The Bumblebee Malware is associated with QakBot. Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The samUnspecified
4
The Royal Ransomware Malware is associated with QakBot. The Royal Ransomware, a harmful malware program designed to exploit and damage computer systems, operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious Unspecified
3
The MegaCortex Malware is associated with QakBot. MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industriaUnspecified
3
The Netsupport Malware is associated with QakBot. NetSupport is a legitimate remote access software that has been exploited as a malware tool by various threat actors. It's often used in combination with other malicious software like BlackBasta Ransomware, IcedID, and occasionally Lumma Stealer, the most common infostealer in the world today. The mUnspecified
3
The Lockbit Malware is associated with QakBot. LockBit is a notorious malware that operates on a ransomware-as-a-service model, which has been responsible for significant cyber attacks across the globe. One of its most high-profile targets was Boeing, from whom the LockBit gang claimed to have stolen data. This incident not only disrupted operatUnspecified
3
The Dridex Malware is associated with QakBot. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group taUnspecified
3
The Netsupport Manager Malware is associated with QakBot. NetSupport Manager is a malicious software (malware) that poses significant threats to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once Unspecified
3
The Hive Malware is associated with QakBot. Hive is a malicious software (malware) known for its ransomware capabilities, which has been highly active in numerous countries, including the US. This malware infects systems often through suspicious downloads, emails, or websites, disrupting operations and stealing personal information. Notably, Unspecified
3
The Xworm Malware is associated with QakBot. XWorm is a sophisticated piece of malware designed to infiltrate and exploit computer systems, often without the user's knowledge. It can be delivered through various means such as suspicious downloads, emails, or websites, and once inside a system, it can steal personal information, disrupt operatiUnspecified
2
The Batloader Malware is associated with QakBot. Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personalUnspecified
2
The Blackbasta Ransomware Malware is associated with QakBot. BlackBasta is a ransomware-type malware, designed to infiltrate systems undetected and hold data hostage in exchange for ransom. Originating from Russian-speaking regions, this malicious software has been linked to numerous high-profile cyber attacks. The group behind BlackBasta has demonstrated itsUnspecified
2
The Egregor Malware is associated with QakBot. Egregor is a malicious software variant of the Sekhmet ransomware that operates on a Ransomware-as-a-Service (RaaS) model. It is speculated to be associated with former Maze affiliates, and is notorious for its double extortion tactics, which involve not only encrypting the victim's data but also puUnspecified
2
The Ursnif Malware is associated with QakBot. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for raUnspecified
2
The Cobaltstrike Malware is associated with QakBot. CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunctUnspecified
2
The Raspberry Robin Malware is associated with QakBot. Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obsUnspecified
2
The Socgholish Malware is associated with QakBot. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, MicrosofUnspecified
2
The Bazarloader Malware is associated with QakBot. BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used BUnspecified
2
The Anubis Malware is associated with QakBot. Anubis, also known as IcedID or Bokbot, is a sophisticated piece of malware primarily functioning as a banking trojan. It was first discovered by X-Force in September 2017 and has since evolved to target a wide range of financial applications. Notably, Anubis has consistently ranked among the top fiUnspecified
2
The Ragnar Locker Malware is associated with QakBot. Ragnar Locker is a type of malware, specifically ransomware, known for its destructive impact on computer systems. It infiltrates systems primarily through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for ransUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The TA577 Threat Actor is associated with QakBot. TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicallUnspecified
4
The Alphv Threat Actor is associated with QakBot. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its laUnspecified
3
The Lapsus Group Threat Actor is associated with QakBot. The Lapsus Group, identified as a threat actor originating from North Korea, has been involved in various cybercriminal activities, primarily focusing on cryptocurrency theft. This group is known for its use of sophisticated tools such as RedLine and QakBot, which have been instrumental in their opeUnspecified
2
The TA551 Threat Actor is associated with QakBot. TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other maUnspecified
2
The Conti Ransomware Gang Threat Actor is associated with QakBot. The Conti ransomware gang, a notorious threat actor in the cybersecurity landscape, has been responsible for extorting at least $180 million globally. The gang is infamous for the HSE cyberattack in 2021 and has been sanctioned by the National Crime Agency (NCA). In late 2021, experts suggested thatUnspecified
2
The Hive0106 Threat Actor is associated with QakBot. Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, deliveUnspecified
2
The Hive Ransomware Threat Actor is associated with QakBot. Hive ransomware, a prominent threat actor active in 2022, was known for its widespread malicious activities in numerous countries, including the US. The group's modus operandi involved the use of SharpRhino, which upon execution, established persistence and provided remote access to the attackers, eUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The vulnerability Darkgate/pikabot is associated with QakBot. Unspecified
2
The Follina Vulnerability is associated with QakBot. Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product,Unspecified
2
Source Document References
Information about the QakBot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
a month ago
Securelist
a month ago
InfoSecurity-magazine
a month ago
BankInfoSecurity
2 months ago
CISA
2 months ago
Securityaffairs
2 months ago
Securityaffairs
2 months ago
DARKReading
3 months ago
CERT-EU
10 months ago
CERT-EU
8 months ago
Securityaffairs
3 months ago
Securityaffairs
3 months ago
Securityaffairs
3 months ago
Securityaffairs
3 months ago
Securityaffairs
3 months ago
Unit42
3 months ago
Recorded Future
3 months ago
Securityaffairs
3 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago