Qbot

Malware Profile. Updated a month ago
Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years it has evolved into a loader and post-compromise toolkit used by multiple cybercriminal groups to gain a foothold in networks and prepare them for ransomware deployment. X-Force identified the first known use of an ITG23 crypter with Qbot in late February 2022. Qbot has been associated with Emotet and Trickbot, which have likewise been used to steal banking data and stage ransomware attacks, and it has also been linked with malware families such as FakeUpdates and Androxgh0st.

The Black Basta ransomware group has been observed using Qbot for initial access and for lateral movement inside compromised networks; relying on a commodity loader this way is common among ransomware operations. The attack chain typically starts with a Qbot infection, after which operators use the post-exploitation framework Cobalt Strike to take control of the host and move laterally, and finally deploy the Black Basta ransomware. In November 2023, TA577, an initial access broker previously known to distribute Qbot, was identified using Latrodectus in three separate intrusion campaigns.

In August 2023, international law enforcement agencies launched an operation dubbed "Operation Duck Hunt" against Qbot; U.S. authorities dismantled the botnet, halting its operation. Despite this disruption, Qbot remains a prevalent threat in the cybersecurity landscape, and newer strains such as Latrodectus may take up its mantle.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles worth checking alongside this one.
ID | Votes | Profile Description
QakBot | 15 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Pinkslipbot | 11 | Pinkslipbot, also known as Qakbot, QBot or QuackBot, is a modular information-stealing malware that has been active since 2008. Initially emerging in 2007 as a banking trojan, it targeted financial institutions to steal sensitive data. Over the years, however, its functionality evolved and diversifi
Emotet | 8 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
REvil | 2 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Quackbot | 1 | (no description)
Miscellaneous Associations
Other contextual elements that may help in judging relevance
Malware, Ransomware, Trojan, Exploit, Windows, Loader, Phishing, Cobalt Strike, Payload, Spam, Botnet, Vulnerability, Exploits, Remcos, Kaspersky, Backdoor, Implant, Malware Loader, Downloader, exploited, Antivirus, Infostealer, Ransom, Azure, Sandbox, T1005 (Data from Local System), Ransomware P..., Malware Payl..., Malwarebytes, T1218.010 (Regsvr32), exploitation, Remote Code ..., Lateral Move..., UK, FBI, Fraud, Cybercrime, Avast, GBHackers, Proofpoint, Curl, Reconnaissance, APT, Crypter, Dropper, Linux, Zero Day, Log4j, RMM, Malware Drop..., Trojan Malware, Proxy, T1218.011 (Rundll32), Encryption, Banking, flaw, RaaS
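The tag list above associates Qbot with ATT&CK T1218.010 (Regsvr32) and T1218.011 (Rundll32), and the profile description places a Qbot infection at the start of the Black Basta chain. The following Python is an added example, not code from this profile, from Cybergeist, or from any vendor: it scans constructed Sysmon-style process-creation events for those two sub-techniques and reports why each hit fired. The field names (Image, CommandLine, ParentImage), the user-writable directory list, the parent-process list and the sample events are all assumptions made for the example; the heuristic that a module without a .dll extension is suspicious is general loader tradecraft, not something this page states.

```python
"""Detect T1218.010 (Regsvr32) and T1218.011 (Rundll32) abuse in process events.

Added example: not code from the profile page, Cybergeist, or any vendor.
The event schema, directory list, parent list and sample events are
assumptions made for the example.
"""
import re
from dataclasses import dataclass

# LOLBins tagged on this profile, mapped to their ATT&CK sub-technique IDs.
LOLBINS = {"regsvr32.exe": "T1218.010", "rundll32.exe": "T1218.011"}

# Locations a standard user (or a phishing attachment) can write to without
# elevation. Assumed list; tune to the environment.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|[a-z]:\\programdata|[a-z]:\\windows\\temp|[a-z]:\\temp)\\",
    re.IGNORECASE,
)

# Parents that have little business launching regsvr32/rundll32 directly.
SCRIPT_OR_OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}


@dataclass
class Finding:
    technique: str   # ATT&CK sub-technique ID
    image: str       # LOLBin that was executed
    module: str      # module/DLL path it was asked to load ("" if none found)
    reasons: list    # human-readable indicators that fired


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes.

    Backslashes are not escapes on Windows, so shlex is avoided; the regex keeps
    a run like /i:"C:\\a b\\x.dll" as a single token and strips the quotes.
    """
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def module_argument(image_name: str, args: list):
    """Return the module path passed to the LOLBin, or None.

    regsvr32 switches (/s, /n, /u, /i:<string>) are skipped; rundll32 takes
    "<module>,<export>" as one argument, so the export suffix is dropped.
    """
    for arg in args:
        if arg.startswith(("/", "-")):
            continue
        return arg.split(",", 1)[0] if image_name == "rundll32.exe" else arg
    return None


def analyze_event(event: dict):
    """Score one process-creation event; return a Finding or None."""
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    technique = LOLBINS.get(image_name)
    if technique is None:
        return None  # not one of the proxied-execution binaries we track

    args = tokenize(event["CommandLine"])[1:]  # drop argv[0]
    module = module_argument(image_name, args)
    reasons = []
    if module:
        if USER_WRITABLE.match(module):
            reasons.append("module loaded from a user-writable directory")
        if not module.lower().endswith(".dll"):
            # Heuristic (assumption): loaders often drop their DLL under a
            # benign-looking extension such as .dat or .tmp.
            reasons.append("module lacks a .dll extension")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_OR_OFFICE_PARENTS:
        reasons.append(f"spawned by {parent}")

    return Finding(technique, image_name, module or "", reasons) if reasons else None


def scan(events: list) -> list:
    """Run analyze_event over a batch and keep only the hits."""
    return [f for f in map(analyze_event, events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: Control Panel applet loaded from System32
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # Excel registering a DLL dropped under %APPDATA% (T1218.010 pattern)
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Roaming\Microsoft\Templates\invoice.dll"',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    },
    {   # script host calling an export from a .dat file in %APPDATA% (T1218.011 pattern)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Roaming\Adobe\Acrobat\upd.dat,DllRegisterServer",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # unrelated process: ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.technique} {finding.image} -> {finding.module}: {'; '.join(finding.reasons)}")
```

Each indicator on its own is noisy (rundll32 loading a Control Panel applet from System32 is routine), which is why the example only reports an event when at least one of the path, extension or parent-process conditions holds, and lists every reason so an analyst can triage on the combination rather than on the binary name alone.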
Associated Malware
ID | Type | Votes | Profile Description
Black Basta | Unspecified | 6 | Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Qakbot (Qbot | Unspecified | 4 | (no description)
Latrodectus | Unspecified | 4 | Latrodectus, a new type of malware discovered in late 2023, is being used by Initial Access Brokers (IABs) in email threat campaigns. Initially mistaken for a variant of the well-known IcedID malware due to similar characteristics, researchers at Proofpoint and Team Cymru S2 Threat Research Team hav
IcedID | Unspecified | 4 | IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Anubis | Unspecified | 3 | Anubis, also known as IcedID or Bokbot, is a sophisticated piece of malware primarily functioning as a banking trojan. It was first discovered by X-Force in September 2017 and has since evolved to target a wide range of financial applications. Notably, Anubis has consistently ranked among the top fi
Conti | Unspecified | 3 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Pikabot | Unspecified | 3 | PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d
Egregor | Unspecified | 3 | Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020, suspected to be from former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notab
Formbook | Unspecified | 3 | Formbook is a type of malware known for its ability to steal personal information, disrupt operations, and potentially hold data for ransom. The malware is commonly spread through suspicious downloads, emails, or websites, often without the user's knowledge. In June 2023, Formbook was observed being
Clop | Unspecified | 2 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
MegaCortex | Unspecified | 2 | MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria
ProLock | Unspecified | 2 | ProLock is a type of malware, specifically ransomware, that is designed to infiltrate computer systems, often unbeknownst to the user. It typically enters systems through suspicious downloads, emails, or websites. Once inside, ProLock can steal personal information, disrupt operations, and hold data
Raspberry Robin | Unspecified | 2 | Raspberry Robin is a sophisticated malware that has been designed to exploit and damage computer systems. This malicious software infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded, Raspberry Robin can steal personal information, di
Brute Ratel | Unspecified | 2 | Brute Ratel is a sophisticated malware variant that has been used in a series of cyber attacks targeting diplomatic staff and other sensitive targets. It's delivered through custom loaders embedded in lure documents, which are designed to trick the recipient into triggering the infection process. On
Doppelpaymer | Unspecified | 2 | DoppelPaymer is a form of malware, specifically ransomware, known for its high-profile attacks on large organizations and municipalities. Originally based on the BitPaymer ransomware, DoppelPaymer was reworked and renamed by the threat group GOLD HERON, after initially being operated by GOLD DRAKE.
Fakeupdates | Unspecified | 2 | FakeUpdates, also known as SocGholish, is a JavaScript-based loader malware that primarily targets Microsoft Windows-based environments. The malware has been in operation for over five years and uses compromised websites to trick users into running a fake browser update. In addition to its deceptive
Darkgate | Unspecified | 2 | DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos
Cayosin | Unspecified | 1 | Cayosin is a type of malware, a harmful software designed to exploit and damage computer systems or devices. It has been deployed by the Diicot cybercrime group in a new campaign, according to research from Cado Labs. Traditionally associated with cryptojacking campaigns, Diicot has shifted tactics,
Ragnar Locker | Unspecified | 1 | Ragnar Locker is a type of malware, specifically a ransomware, that has been designed to infiltrate computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, or websites and once inside, it has the capability to steal personal information, disru
Raccoon | Unspecified | 1 | Raccoon is a highly potent and cost-effective Malware-as-a-Service (MaaS) primarily sold on dark web forums, used extensively by Scattered Spider threat actors to pilfer sensitive data. As per the "eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2.0" report published on August 31, 20
Agenttesla | Unspecified | 1 | AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
Socgholish | Unspecified | 1 | SocGholish is a malicious software (malware) known for its ability to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, in 2023, several distinct website malware campaigns were identified to serve SocGholish malw
Chromeloader | Unspecified | 1 | ChromeLoader, first identified in early 2022, is a persistent and evolving malware family known for hijacking browsers, stealing sensitive information, and running additional payloads such as other malware families. This malicious software is particularly harmful as it can infiltrate systems without
Darkloader | Unspecified | 1 | DarkLoader, first discovered in 2017, is a malicious software-as-a-service (MaaS) available on the dark web. It has a comprehensive set of capabilities that include privilege escalation, keylogging, hidden network computing, and browser-stealing. DarkLoader operates through a sideloaded DLL, which s
Mirai | Unspecified | 1 | Mirai is a type of malware that primarily targets Internet of Things (IoT) devices to form botnets, which are networks of private computers infected with malicious software and controlled as a group without the owners' knowledge. In early 2022, Mirai botnets accounted for over 7 million detections g
Yellow Cockatoo | Unspecified | 1 | The SolarMarker malware, also known as Yellow Cockatoo, Polazert, and Jupyter Infostealer, has been a persistent threat since its inception in 2020. It has steadily evolved over the years, posing significant risks to sectors such as education, healthcare, and small to medium-sized enterprises (SMEs)
Batloader | Unspecified | 1 | Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal
Blackbasta | Unspecified | 1 | BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
TrickBot | Unspecified | 1 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Lokibot | Unspecified | 1 | LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Hancitor | Unspecified | 1 | Hancitor is a malicious software (malware) known for its ability to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access, Hancitor can steal personal information, disrupt operations, or e
Dtrack | Unspecified | 1 | DTrack is a type of malware, or malicious software, known for its destructive capabilities. It can infiltrate systems through dubious downloads, emails, or websites and wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, DTrack was utiliz
Hive | Unspecified | 1 | Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Associated Threat Actors
ID | Type | Votes | Profile Description
TA577 | Unspecified | 5 | TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall
Alphv | Unspecified | 1 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Androxgh0st | Unspecified | 1 | AndroxGh0st is a threat actor or hacking group that has been identified as a significant cybersecurity concern. The group utilizes a botnet for victim identification and exploitation, with alerts raised by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Ag
Hive Ransomware | Unspecified | 1 | Hive ransomware, a notorious threat actor, emerged as one of the most prolific groups in 2022, executing a series of cyberattacks with malicious intent. This group was responsible for numerous ransomware attacks, causing significant disruptions and damage across various sectors. However, in January
Frost | Unspecified | 1 | Frost, a threat actor in the cybersecurity landscape, poses significant challenges to enterprises that strive to handle their security operations independently. The dynamic nature of the cybersecurity industry necessitates comprehensive solutions capable of countering such threats. In this context,
ITG23 | Unspecified | 1 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Asylum Ambuscade | Unspecified | 1 | Asylum Ambuscade is a threat actor that has been operational since at least 2020, primarily engaging in cybercrime and cyberespionage. The group has shown a particular focus on small to medium-sized businesses (SMBs) and individuals across North America and Europe. Asylum Ambuscade's activities are
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2022-41073 | Unspecified | 2 | (no description)
Follina | Unspecified | 2 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
Socgholish Fakeupdates | Unspecified | 1 | (no description)
CVE-2022-30190 | Unspecified | 1 | CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
Source Document References
Information about the Qbot malware was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created At | Title
Checkpoint | a month ago | 17th June – Threat Intelligence Report - Check Point Research
RIA - Information System Authority | 2 months ago | Topics of RIA’s quarterly overview: a clever Trojan is taking over Estonians’ computers and the HOIA app is safe
Pulsedive | 2 months ago | Pulsedive Blog | Latrodectus Threat Research
BankInfoSecurity | 2 months ago | Breach Roundup: Fluent Bit Flaw Is Risky for Cloud Providers
Securityaffairs | 2 months ago | Blackbasta group claims to have hacked Atlas, one of the largest US oil distributors
BankInfoSecurity | 2 months ago | Breach Roundup: Kimsuky Serves Linux Trojan
BankInfoSecurity | 2 months ago | Microsoft Patches Zero-Day Exploited by QakBot
Krebs on Security | 2 months ago | Patch Tuesday, May 2024 Edition
Securityaffairs | 3 months ago | Blackbasta gang Synlab Italia attack
InfoSecurity-magazine | 3 months ago | New Malware “Latrodectus” Linked to IcedID
BankInfoSecurity | 4 months ago | Sophisticated Latrodectus Malware Linked to 2017 Strain
DARKReading | 4 months ago | Latrodectus Downloader Picks Up Where QBot Left Off
CERT-EU | 4 months ago | Cybersecurity threats escalate | SC Media | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 4 months ago | Cloud Account Attacks Surged 16-Fold in 2023
CERT-EU | 4 months ago | New Email Scam Targets NTLM Hashes in Covert Data Theft Operation
CERT-EU | 5 months ago | Kaspersky spam and phishing report for 2023
CERT-EU | 5 months ago | Hackers steal Windows NTLM authentication hashes in phishing attacks
Malwarebytes | 5 months ago | PikaBot malware on the rise: What organizations need to know | Malwarebytes
BankInfoSecurity | 5 months ago | BlackCat Pounces on Health Sector After Federal Takedown
CERT-EU | 5 months ago | O365 Volume Up in Q4 as Cybercriminals Target Brands in Credential Theft Attacks