{
	"id": "b3f2a739-42c8-4ba3-aeed-e777eeda048c",
	"created_at": "2026-04-06T00:12:30.08878Z",
	"updated_at": "2026-04-10T13:11:57.938197Z",
	"deleted_at": null,
	"sha1_hash": "11bba7e6cee4b9f2f77e9d3e01bd2e54c2a43647",
	"title": "Qbot needs only 30 minutes to steal your credentials, emails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2131392,
	"plain_text": "Qbot needs only 30 minutes to steal your credentials, emails\r\nBy Bill Toulas\r\nPublished: 2022-02-08 · Archived: 2026-04-05 23:22:25 UTC\r\nThe widespread malware known as Qbot (aka Qakbot or QuakBot) has recently returned to light-speed attacks, and according to analysts, it only takes around 30 minutes to steal sensitive data after the initial infection.\r\nAccording to a new report by The DFIR Report, Qbot was performing these quick data-snatching strikes back in October 2021, and it now appears that the threat actors behind it have returned to similar tactics.\r\nMore specifically, the analysts report that it takes half an hour for the adversaries to steal browser data and emails from Outlook and 50 minutes before they jump to an adjacent workstation.\r\nhttps://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/\r\nPage 1 of 5\r\nThe timeline of an attack\r\nAs shown in the following diagram from the researchers' report, Qbot moves quickly to perform privilege escalation immediately following an infection, while a full-fledged reconnaissance scan takes place within ten minutes.\r\nTimeline of a typical Qbot attack\r\nSource: The DFIR Report\r\nInitial access for Qbot infections is typically achieved via phishing emails with malicious attachments, such as Excel (XLS) documents that use a macro to drop the DLL loader on the target machine.\r\nHistorically, BleepingComputer has seen Qbot phishing campaigns use various malicious document templates. For example, one document template pretends to be a warning from \"Windows Defender Antivirus,\" providing instructions on enabling macros.\r\nQbot phishing document\r\nSource: BleepingComputer\r\nWhen launched, the Qbot DLL payload is injected into legitimate Windows applications, such as MSRA.exe and Mobsync.exe, to evade detection. For example, in The DFIR Report's analysis, Qbot injected into MSRA.exe and then created a scheduled task for privilege elevation.\r\nAdditionally, the malware adds the Qbot DLL to Microsoft Defender's exclusion list, so it won't be detected when injection into msra.exe happens.\r\nDiscovery commands injected into msra.exe\r\nSource: The DFIR Report\r\nThe malware steals emails within half an hour of the initial execution; these are then commonly used for future reply-chain phishing attacks.\r\nThe researchers note that Qbot will also steal Windows credentials by dumping the memory of the LSASS (Local Security Authority Subsystem Service) process and by stealing from web browsers. These credentials can then be used to spread laterally to other devices on the network.\r\nThe DFIR Report states that it only took fifty minutes on average for credentials to be dumped after the malware was first executed.\r\nThe lateral movement takes place rapidly, so if there's no network segmentation to protect the workstations, the situation becomes very challenging for defense teams.\r\nThe impact of these expeditious attacks isn't limited to data loss, as Qbot has also been observed in the past to drop ransomware payloads onto compromised corporate networks.\r\nRansomware gangs known to have partnered with Qbot for initial access to corporate networks include REvil, Egregor, ProLock, and MegaCortex.\r\nA versatile infection\r\nA Microsoft report from December 2021 captured the versatility of Qbot attacks, which makes it harder to evaluate the scope of its infections accurately.\r\nHowever, no matter how precisely a Qbot infection unfolds, it is essential to keep in mind that almost all begin with an email, so this is the main access point that organizations need to strengthen.\r\nToday's announcement by Microsoft that it will block macros in downloaded documents by default by removing the 'Enable Content' and 'Enable Editing' buttons will go a long way toward protecting users from Qbot phishing attacks.\r\nSource: https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/"
	],
	"report_names": [
		"qbot-needs-only-30-minutes-to-steal-your-credentials-emails"
	],
	"threat_actors": [],
	"ts_created_at": 1775434350,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11bba7e6cee4b9f2f77e9d3e01bd2e54c2a43647.pdf",
		"text": "https://archive.orkl.eu/11bba7e6cee4b9f2f77e9d3e01bd2e54c2a43647.txt",
		"img": "https://archive.orkl.eu/11bba7e6cee4b9f2f77e9d3e01bd2e54c2a43647.jpg"
	}
}