{
	"id": "4a62c77c-60b2-43a1-80b2-3661365269bc",
	"created_at": "2026-04-06T00:06:09.009426Z",
	"updated_at": "2026-04-10T03:22:03.932726Z",
	"deleted_at": null,
	"sha1_hash": "1166772a70645dc3bd660658d7015381ff9a138a",
	"title": "Qakbot Malware: Exploring Its Diverse Distribution Methods",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2073199,
	"plain_text": "Qakbot Malware: Exploring Its Diverse Distribution Methods\r\nBy cybleinc\r\nPublished: 2023-02-17 · Archived: 2026-04-05 22:58:20 UTC\r\nCyble revisits Qakbot malware and examines its recent distribution methods using various file formats.\r\nThreat Actor Uses Digital Certificate as a Cover to Hide Malicious Script\r\nThreat Actors (TAs) are constantly devising new methods to infect users, for reasons such as evading detection by anti-virus solutions, increasing the chances of successfully infecting their targets, and finding inventive ways to compromise their victims. Recently, many malware families have been observed utilizing OneNote attachments as part of their spam campaigns. OneNote is a robust digital notebook application developed by Microsoft that enables users to collate and structure their notes, thoughts, and ideas in a single, convenient location.\r\nRecently, multiple distribution methods have been detected for the widely known banking trojan Qakbot. These methods include malspam with OneNote attachments, malspam with zip files containing WSF scripts, and others. The analysis below details the techniques employed by Qakbot to propagate its infection and reach a diverse audience.\r\nDistribution of Qakbot Via OneNote Using Batch \u0026 PowerShell\r\nThe initial phase of the infection begins with a spam email carrying a OneNote attachment. Once the recipient opens the attachment, an embedded BAT file is dropped and executed, leading to the launch of a PowerShell script. This script then proceeds to download a DLL for the Qakbot malware. 
Finally, the DLL is executed using rundll32.exe.\r\nhttps://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/\r\nPage 1 of 11\r\nThe delivery mechanism of Qakbot through OneNote using PowerShell is illustrated in the figure below.\r\nFigure 1 – Qakbot delivery using Batch \u0026 PowerShell\r\nQakbot malware is distributed to users through spam emails that contain a OneNote attachment. The email’s subject line reads “RE: DRCP Hire- Success Story..”, and the attachment is named “Contracts – Copy.one”, as depicted in the image below.\r\nFigure 2 – Spam email with OneNote attachment\r\nAfter the user opens the OneNote attachment, a page appears with a message that appears to contain a cloud-based attachment. This message is designed to deceive the user into double-clicking on it to view the attachment, which ultimately triggers the Qakbot infection process.\r\nThe figure below displays the OneNote page containing the fraudulent message.\r\nFigure 3 – OneNote file drops BAT file\r\nWhen the “Open” button on the OneNote page is clicked, it covertly drops a BAT file named “O p e n .Bat” without notifying the user and then executes it. This batch script launches obfuscated PowerShell code that, in turn, drops a CMD file named “i.cmd” in the %temp% location and runs it.\r\nThe figure below shows the obfuscated batch script and the command file containing a URL to download the malware payload.\r\nFigure 4 – CMD file \u0026 Obfuscated BAT file\r\nUpon execution, the “i.cmd” file uses a PowerShell script to download a file in GIF format from the URL hxxps[:]//casualscollection[.]com/l2iy4Dn/09[.]gif using the Invoke-WebRequest cmdlet. The file is then saved as a JPG file in the %programdata% path. 
However, the downloaded file is not an actual GIF file but a Qakbot DLL, which is subsequently run using “Rundll32.exe” with the “Wind” parameter.\r\nThe process tree diagram of Qakbot reveals that, following the execution of the DLL file, the malware injects malicious code into “wermgr.exe”. This code injection enables Qakbot to carry out its malicious activities, such as stealing sensitive information.\r\nFigure 5 – Process tree of OneNote delivering Qakbot via BAT \u0026 PowerShell\r\nDistribution of Qakbot Via Windows Script (.wsf) Files\r\nThe infection process starts with the distribution of a spam email containing an archive file. This archive includes a script with a .wsf extension that is executed using the Windows system file WScript.exe. The script then downloads a DLL file containing the Qakbot malware, which is subsequently run using rundll32.exe.\r\nThe figure below illustrates the delivery mechanism of Qakbot using WSF files.\r\nFigure 6 – Qakbot Delivery Mechanism using wsf file\r\nOne of the methods of disseminating the Qakbot malware involves sending spam emails with a compressed file attachment named “Shared Document From Cloud 913815.zip”, as shown below.\r\nFigure 7 – Spam email with zip attachment\r\nOne of the three files in the email attachment is a .wsf file named “Adobe Cloud Certificate 913815.wsf”.\r\nFigure 8 – Contents of Email Attachment\r\nInterestingly, the Threat Actor (TA) has inserted malicious JScript between digital certificates in the .wsf file, as shown below.\r\nFigure 9 – Malicious JScript Inserted Between Digital Certificates\r\nWhen the user attempts to open the “Adobe Cloud Certificate 
913815.wsf” file, it is launched through wscript.exe. The .wsf script contains code to download a Qakbot DLL file from the URL hxxp://gkjdepok[.]org/crtfc/lwbYFO.dll and save it to the C:\\ProgramData directory. Finally, the .wsf script launches the Qakbot DLL using “Rundll32.exe” with the “Wind” parameter.\r\nThe figure below shows the code of the .wsf script.\r\nFigure 10 – Content of the .wsf file\r\nBelow, you can see the process tree of Qakbot’s execution through the .wsf file.\r\nFigure 11 – Process Tree\r\nDistribution of Qakbot Via OneNote Using JScript (.jse) file\r\nThe infection process is initiated by a spam email that includes a OneNote attachment. Upon opening the attachment, an embedded JSE file is dropped and executed. This JSE file then drops and triggers the execution of a BAT file, which in turn launches a PowerShell script that executes the Qakbot payload. The PowerShell script downloads a DLL associated with the Qakbot malware, which is ultimately executed using the rundll32.exe command. 
The figure below shows the delivery mechanism of Qakbot using the .jse file.\r\nFigure 12 – QakBot Delivery Mechanism Using JScript and Batch Script\r\nOnce the user opens the malicious OneNote file, a page is displayed containing a deceptive message that appears to contain a cloud-based attachment. The message is intended to mislead the user into double-clicking it to view the attachment, which initiates the Qakbot infection process.\r\nThe image below depicts the OneNote page that contains the false message.\r\nFigure 13 – Malicious OneNote Attachment\r\nAfter the user clicks the “Open” button, the OneNote file drops a file named “Open.jse” in the temp folder. It is an encoded script file, which further drops and executes a .bat file named “default.bat”.\r\nThe figure below shows the encoded/decoded .jse file.\r\nFigure 14 – Encoded/Decoded JScript File\r\nUpon execution, the “default.bat” file uses a PowerShell script to download a file named “150223.gif” from the URL http[:]//104.236[.]1.43/YXF/ and saves it to the temporary folder of the user’s system under a random name, “aTgzWLspf.tmp”. The file downloaded from this URL is not a genuine GIF file but rather a Qakbot executable in DLL format, which is then executed using the “Rundll32.exe” command with the “Wind” parameter.\r\nFigure 15 – Process Tree\r\nDistribution of Qakbot Via OneNote Using HTML Application (HTA) file\r\nIn this method, the Qakbot infection begins with a spam email that contains a OneNote attachment. Once the user opens the attachment, an embedded HTA file is dropped, which then executes through mshta.exe. 
This leads to the download of a Qakbot DLL file that is subsequently executed via rundll32.exe.\r\nOur earlier blog here contains a thorough analysis of Qakbot malware’s infection chain.\r\nFinal Payload\r\nQakBot, also known as QBot or QuakBot, is a banking Trojan that mainly targets Windows systems. It was first discovered in 2007 and has since undergone numerous updates and changes to its code in order to evade detection by security software. It can steal sensitive information, exfiltrate confidential data, and propagate to other machines on the network to install other malicious software. Its modular design makes it customizable to carry out specific tasks such as keylogging, credential theft, network reconnaissance, botnet functionality, and ransomware deployment. Its operators continuously update its code to evade detection and carry out successful attacks.\r\nConclusion\r\nQakbot malware is a clear example of the constantly evolving threat landscape, underlining the importance of remaining vigilant in the cybersecurity domain. Its complex structure, extensive impact, and widespread prevalence reinforce the need for proactive and robust security measures. The TAs responsible for Qakbot remain highly active. They consistently adapt their methods to avoid detection and maximize their gains, using innovative attack vectors such as OneNote attachments to display their sophistication and ingenuity.\r\nCyble Research and Intelligence Labs continues to monitor the activity of Qakbot and other malware and will provide timely updates to our readers.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We recommend that our readers follow the best practices given below:\r\nDo not open emails from unknown or unverified senders.\r\nAvoid downloading pirated software from unverified sites.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nChange your passwords at regular intervals.\r\nUse reputed anti-virus solutions and internet security software packages on your connected devices, including PCs, laptops, and mobile devices.\r\nAvoid opening untrusted links and email attachments without first verifying their authenticity.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor for beaconing at the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) solutions on employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nInitial Access  T1566  Spearphishing Attachment\r\nExecution  T1204  User Execution\r\nExecution  T1059  Command and Scripting Interpreter\r\nExecution  T1218  Rundll32\r\nExecution  T1059  PowerShell\r\nDefense Evasion  T1140  Deobfuscate/Decode Files or Information\r\nDefense Evasion  T1564  Hidden Window\r\nDefense Evasion  T1055  Process Injection\r\nCredential Access  T1555  Credentials from Password Stores\r\nCredential Access  T1056  Keylogging\r\nDiscovery  T1087  Account Discovery\r\nDiscovery  T1518  Software Discovery\r\nDiscovery  T1057  Process Discovery\r\nDiscovery  T1007  System Service Discovery\r\nCollection  T1113  Screen Capture\r\nCollection  T1115  Clipboard Data\r\nCommand and Control  T1071  Application Layer Protocol\r\nCommand and Control  T1105  Ingress Tool Transfer\r\nIndicators Of Compromise (IoCs)\r\nSource: https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/"
	],
	"report_names": [
		"the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods"
	],
	"threat_actors": [],
	"ts_created_at": 1775433969,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1166772a70645dc3bd660658d7015381ff9a138a.pdf",
		"text": "https://archive.orkl.eu/1166772a70645dc3bd660658d7015381ff9a138a.txt",
		"img": "https://archive.orkl.eu/1166772a70645dc3bd660658d7015381ff9a138a.jpg"
	}
}