Goldberg's technical analysis of a real, long-running threat. Atomic indicators rotate per campaign — see references for canonical and current detail.
Overview
QakBot began as a banking trojan and matured into a modular access platform: a resilient foothold that harvests credentials, moves laterally, and — most consequentially — stages follow-on ransomware. For years it was a primary on-ramp for major ransomware affiliates.
Delivery
QakBot was an early and agile adopter of new lures. It abused hijacked email threads for credibility, and as Microsoft tightened macro execution it pivoted quickly — to OneNote attachments in early 2023, then to PDF and HTML droppers that fetched later stages. That adaptability is a hallmark.
Technical traits
- Multi-stage, multi-process design with process injection to hide in legitimate processes.
- Detection evasion, privilege escalation, and registry/scheduled-task persistence.
- Keylogging, backdoor control, and credential/email theft; C2 over a rotating IP set.
The 2023 takedown — and after
In August 2023 a multinational operation dismantled QakBot's infrastructure, identifying and remediating 700,000+ infected devices and seizing $8.6M. It was a genuine win — but by December 2023 low-volume Qbot campaigns reappeared, a reminder that infrastructure seizures degrade rather than end resilient operations.
Detection
- Office/mail clients spawning script hosts or opening OneNote/HTML droppers that reach out to the internet.
- Injection into legitimate processes (e.g., wermgr.exe) followed by beaconing.
- Scheduled-task persistence created shortly after document execution.
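Two of the detection bullets above (Office/mail clients spawning script hosts, and a scheduled task appearing shortly after a document is opened) are simple enough to express as rules over a process-creation feed. The following is an added example written for this page, not code from the original analysis; the event records, host names and file names are constructed, and the field layout is an assumed simplification of a Sysmon Event ID 1 / EDR process-creation record.

```python
from datetime import datetime

# Constructed sample events (not real telemetry): one process-creation
# record per line with timestamp, host, parent image, child image, command line.
EVENTS = [
    {"ts": "2023-02-14T09:00:05", "host": "ws1", "parent": "outlook.exe",  "image": "onenote.exe",  "cmd": "onenote.exe Invoice.one"},
    {"ts": "2023-02-14T09:00:09", "host": "ws1", "parent": "onenote.exe",  "image": "wscript.exe",  "cmd": "wscript.exe Open.hta"},
    {"ts": "2023-02-14T09:00:14", "host": "ws1", "parent": "wscript.exe",  "image": "schtasks.exe", "cmd": "schtasks.exe /create /tn Upd /tr ..."},
    {"ts": "2023-02-14T10:30:00", "host": "ws2", "parent": "explorer.exe", "image": "schtasks.exe", "cmd": "schtasks.exe /create /tn Backup ..."},
    {"ts": "2023-02-14T11:00:00", "host": "ws3", "parent": "winword.exe",  "image": "splwow64.exe", "cmd": "splwow64.exe 12288"},
]

# Parents that represent a user opening mail or a document, and the script
# hosts such a parent should almost never launch directly.
OFFICE_MAIL = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def office_spawns_script_host(events):
    """Rule 1: an Office/mail client is the direct parent of a script host."""
    return [e for e in events
            if e["parent"] in OFFICE_MAIL and e["image"] in SCRIPT_HOSTS]


def task_created_after_document(events, window_s=300):
    """Rule 2: 'schtasks /create' on a host within window_s seconds after an
    Office/mail client spawned any child there (a proxy for document execution).
    Returns (document-open command, schtasks command) pairs."""
    doc_opens = [e for e in events if e["parent"] in OFFICE_MAIL]
    alerts = []
    for e in events:
        if e["image"] != "schtasks.exe" or "/create" not in e["cmd"].lower():
            continue
        for d in doc_opens:
            delta = (_ts(e) - _ts(d)).total_seconds()
            if d["host"] == e["host"] and 0 <= delta <= window_s:
                alerts.append((d["cmd"], e["cmd"]))
                break
    return alerts


if __name__ == "__main__":
    for hit in office_spawns_script_host(EVENTS):
        print("rule1", hit["host"], hit["parent"], "->", hit["image"])
    for doc, task in task_created_after_document(EVENTS):
        print("rule2", doc, "=>", task)
```

The ws2 and ws3 records are negative controls: an administrator's schtasks run with no preceding document activity, and Word spawning its print helper, neither of which should fire.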
Remediation
- Because QakBot stages ransomware, treat any confirmed infection as a potential precursor to encryption — respond fast and assume lateral movement.
- Isolate, hunt for injected processes and persistence, rotate credentials, reimage.