{
	"id": "030b59b8-d9d5-4efd-9b77-42d2dd289548",
	"created_at": "2026-04-06T00:10:14.450374Z",
	"updated_at": "2026-04-10T03:21:24.636436Z",
	"deleted_at": null,
	"sha1_hash": "1858ed4b73321f10766b080e2f2222285e2e44f9",
	"title": "Visualizing Qakbot Infrastructure Part II: Uncharted Territory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1278552,
	"plain_text": "Visualizing Qakbot Infrastructure Part II: Uncharted Territory\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 15:51:59 UTC\r\nA Data-Driven Approach Based on Analysis of Network Telemetry\r\nIn this blog post, we will provide an update on our high-level analysis of QakBot infrastructure, following on from\r\nour previous blog post. We will pick up the timeline from where we left it, basing our findings on data collected\r\nbetween 1 May and 20 July 2023.\r\nWe have continued to focus on elements and trends that we do not observe in regular commentary;\r\nspecifically the relationship between victim-facing command and control (C2) infrastructure and upstream servers,\r\nwhich we previously referenced as being geolocated in Russia.\r\nAs with our previous blog, this represents an ongoing piece of research; our analysis of QakBot is fluid, with\r\nvarious hypotheses being identified and tested. As and when we uncover new insights into QakBot campaigns we\r\nwill seek to provide further written updates.\r\nWe welcome feedback and comment via our Twitter page on the hypotheses mentioned in this post; broadly,\r\nour findings represent the benefits and challenges of working with NetFlow data - whilst we can form broad\r\nconclusions, these are sometimes open to interpretation. Confirmation and contradiction are both of value\r\nto us as we continue to understand this threat operation.\r\nKey Findings\r\nC2 activity around both victim and upstream T2 communication slowed down before spamming ended\r\naround 22 June. After spamming ceased, C2 activity continued albeit at a lower volume.\r\n15 new C2s set up after spamming ended have been identified so far. 
Additionally, the number of existing\r\nC2s communicating with the T2 layer significantly decreased, with only 8 remaining past 22 June.\r\nWe’ve observed interesting outbound activity from the T2 layer, targeting both publicly reported and\r\nsuspected Qakbot C2s, as well as other undefined destinations.\r\nThe T2 C2s connect to the same list of ports used in the process for deploying the Qakbot proxy\r\nmodule, with usually only one or two ports observed in a day.\r\nAlthough the volume of connections, variety of destinations, and port usage appear random, over\r\ntime the destination ports are used with relatively equal frequency.\r\nDuring the first half of 2023, port 443 was assigned to approximately 48% of the C2s extracted from\r\nQakbot campaigns. Among those C2s, only a subset engaged in communication with the T2 layer. Within\r\nthis subset, 80% were assigned port 443, making it the predominant port for communication between\r\nvictims and C2s.\r\nC2s are usually compromised hosts in residential IP space, as are the other destination IPs identified from\r\noutbound T2 connections. Additional criteria like geolocation and AS organization may influence the\r\nhttps://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory\r\nPage 1 of 23\n\nselection of these hosts, guiding the purchase from third parties and determining which Qakbot victims\r\nbecome bot C2s or are used for other operator activity.\r\nSummer Glow Up\r\nQakbot has a history of taking an extended break each summer before returning sometime in September, with this\r\nyear's spamming activities ceasing around 22 June 2023. But are the QakBot operators actually on vacation when\r\nthey aren’t spamming, or is this \"break\" a time for them to refine and update their infrastructure and tools? 
It's\r\nworth considering that the summer months might offer a unique opportunity for operational work, especially when\r\ntheir main targets in the Northern Hemisphere are often on some form of holiday, leading to a potential decline in\r\nthe success rate of their attacks during this time.\r\nThe line graph below shows the volume of connections from C2s over TCP/443 to the three Tier 2 (T2) IPs\r\ngeolocated in Russia.\r\nIn our previous blog post, we referred to the three T2s as RU1, RU2, and RU3. Since then, the IPs have been\r\nmade public so we have included them in some of the legends accompanying the charts below. However, for the\r\nsake of simplicity and continuity, we will continue to refer to them collectively as RU* within this post.\r\nFigure 1: Volume of bot C2s connections with the T2 layer (RU1, RU2, RU3) over TCP/443\r\nAfter a very busy May, things began to slowly wind down at the end of the month before a sudden drop in\r\nconnections to the T2 in early June, even though spamming continued for three more weeks until around 22 June.\r\nWe were unable to identify any new T2s after this decline in activity, though traffic from some C2s persisted,\r\nsuggesting that the T2 infrastructure remained unchanged. However, it wouldn’t be surprising if fresh IPs for the\r\nT2 layer are introduced before their anticipated return in late summer.\r\nAfter this drop-off, a slight spike was observed on 21 and 22 June, the last day of pre-summer mass spamming\r\n(affiliate ID obama271). 
Interestingly, a few more spikes occurred after this period, which we will explore further.\r\nThe graph below represents the volume of bot C2 to T2 traffic according to C2 geolocation:\r\nFigure 2: Volume of bot C2 to T2 traffic per geolocation (of C2s) for 1 May through 20 July\r\nFrom this perspective, we observe that on 2 June, US C2s all but disappeared, and traffic from Indian C2s\r\nsignificantly decreased. We suspect the lack of US activity is at least partially attributable to Lumen’s Black Lotus\r\nLabs null-routing the T2 layer in their networks, as noted in their recent blog post.\r\nFor curiosity’s sake, let's quickly examine data for traffic volume and timing from the perspective of likely\r\nQakBot victim to C2 communications during the same time frame:\r\nFigure 3: Volume of inbound connections to C2s from hosts that are likely infected with Qakbot\r\nAs was the case with C2 to T2 communications, we can see a winding down of activity at the end of May;\r\nhowever, this does not drop off as suddenly at the beginning of June. Instead, victim to C2 communications appear\r\nto gradually reduce in volume up to and beyond the date QakBot ceased spamming operations (22 June).\r\nTurning back to C2 to T2 activity, the following graph is a zoomed-in view of June onward, highlighting the start\r\nof a considerable drop in activity that persists through July.\r\nFigure 4: Volume of bot C2 to T2 traffic per geolocation (of C2s) for 1 June through 20 July\r\nAccording to our data, a lull lasted from 2 June to 12 June, during which only Indian C2s communicated\r\nupstream, albeit at a drastically reduced volume compared to May. 
We also noted some spikes in traffic from\r\nSouth African C2s.\r\nWe examined the IPs from the geolocations present during this timeframe to determine whether these were legacy\r\nC2s with sporadic bursts of activity, or new C2s being incorporated into their infrastructure.\r\nOur analysis revealed:\r\nFifteen new C2s were set up since Qakbot ceased spamming, indicated by a green box in the timeline\r\nbelow.\r\nSix additional C2s, active since before June (some dating back to October and December 2022), that\r\ncontinued to exhibit upstream activity after spamming concluded, indicated by a blue box in the timeline\r\nbelow.\r\nTwo C2s, new in June, that also maintained activity after spamming concluded, indicated by an orange box\r\nin the timeline below.\r\nFigure 5: Timeline of most recent reported and suspected Qakbot C2s\r\nWe suspect that the IPs in the above timeline represent new and existing C2s intended for use upon Qakbot’s\r\nreturn post-summer glow up break. Most of the C2s established after spamming ceased have only a few\r\nconnections to the T2 and for brief durations, possibly indicative of C2s that are not currently active but were\r\nprepared or primed for future spamming.\r\nWe will continue monitoring Qakbot during their summer break for any signs of changes in their infrastructure or\r\nhow they operate.\r\nThe Mystery of the Outbound Tier 2 Connections\r\nWhilst examining NetFlow data for the C2 to T2 communications from which we derived the findings described\r\nabove, we kept making the same unexpected observation: a clear pattern of communications sourced from the\r\nT2s, where QakBot C2s were the destination, i.e., the reverse of the traffic we were examining. 
These\r\ncommunications occurred over the same 32 ports: 20, 21, 22, 53, 80, 443, 465, 990, 993, 995, 1194, 2078, 2083,\r\n2087, 2222, 3389, 6881, 6882, 6883, 8443, 32100, 32101, 32102, 32103, 50000, 50001, 50002, 50003, 50010,\r\n61200, 61201, and 61202.\r\nMalware such as Qakbot, IcedID, and Emotet leverage tiered infrastructure. This consists of victim hosts\r\ncommunicating with bot C2s, which comprise the Tier 1 layer of the bot infrastructure and which in turn communicate\r\nupstream with the T2 layer. The traffic typically continues to be proxied through additional tiers of infrastructure\r\nbefore it reaches the panel, which is accessed by the threat actors. Aside from subtle differences, for example the\r\nports used, this process is essentially the same for the many malware families we track.\r\nThe traffic we have observed sourced from QakBot T2s to the C2 / Tier 1 layer is atypical. When we expand our\r\ndataset to look at all outbound traffic from the T2s, we establish a larger pool of ‘T2 destination IPs’. As\r\nmentioned, some of these T2 destination IPs are publicly reported QakBot C2s. However, in the majority of cases\r\nthe T2 destination IPs have not previously been identified as malicious, although many share common host\r\ncharacteristics associated with QakBot C2s.\r\nLet’s begin by examining what we already know. Qakbot C2s utilize various ports as defined in their malware\r\nconfigurations. These are the ports that an infected host would use to communicate with the bot C2. Bot C2s are\r\ngenerally compromised machines, often including previous Qakbot victims that have been elevated to C2 status.\r\nOur findings for 2023 reveal that 52 different ports were employed for C2s within the Qakbot configurations,\r\nincluding many of the ports listed above. 
Based on this, it is possible that the T2s are conducting a form of check-in with the C2s, utilizing the ports designated for victim traffic.\r\nWe developed a second theory based on information provided in a fantastic writeup published a few years ago by\r\nCheck Point Research, where they explored how a Qakbot-infected victim ultimately receives the proxy module.\r\nAfter the malware ensures incoming connections are allowed in the host firewall and port forwarding is enabled, it\r\nverifies incoming connections by sending a message to a bot, with confirmation based upon the response. The\r\npayload in this message contains a list of ports that match the same destination ports the T2s are using for the\r\nmysterious outbound connections, as shown in the excerpt below.\r\nFigure 6: “An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods“, Check Point\r\nResearch, 2020\r\nMystery solved? Unfortunately no, it wasn’t so simple. The activity that Check Point describes would appear\r\ndifferently in NetFlow data from what we are currently observing with respect to outbound T2 communications.\r\nOur investigation encompasses repeated connections over an extended time frame, interspersed with periods of\r\ninactivity. Usually, one to three of the T2s will sporadically reach out to the same destination IPs for months, and\r\nnot in a manner that implies verification of a fixed list of available ports.\r\nHowever, this information offers another possible explanation for the activity; the mysterious outbound\r\nconnections from the T2s might be related in some way to the proxy module, given the identical port list. Spoiler\r\nalert: we believe this is the most likely theory based on our analysis of the NetFlow data and the information currently\r\navailable to us, into which we will now delve deeper.\r\n“You know my method. 
It is founded upon the observation of trifles.”\r\nSherlock Holmes\r\nNetFlow Observations I: Reported vs Unidentified C2s\r\nExamining the T2 destination IPs identified over a seven-month period, we discovered that only 29% of all\r\ndestination IPs were reported Qakbot C2s. Of these, 79% also demonstrated typical upstream C2 to T2 bot\r\ncommunication over TCP/443. The remaining 71% of destination IPs were not known as malicious, although\r\n17% of them did exhibit standard upstream C2 communication with the T2 over TCP/443.\r\nTo provide additional context for these and other data points discussed in this blog post, we compared the findings\r\nagainst both reported and unreported C2s. The unreported C2s were identified by monitoring communications to\r\nthe T2s over TCP/443 during the same time period.\r\nFigure 7: Percentages of T2 destination IPs that are Qakbot C2s, and of IPs with upstream T2 bot\r\ncommunication\r\nRepeating the same process for analyzing bot C2 to T2 NetFlow data, we found that 76% of all source IPs were\r\nrecognized as Qakbot C2s. Of all the C2s, only 17% had inbound connections from the T2, and within this subset,\r\n65% were publicly reported as Qakbot C2s.\r\nFigure 8: Percentages of reported and unreported C2s with typical upstream bot traffic, and of those\r\nthat are also T2 destination IPs\r\nIn summary, only 29% of the T2 destination IPs were verified as Qakbot C2s, as opposed to 76% of the C2s\r\nexhibiting upstream T2 traffic. Consequently, over 70% of the T2 destination IPs have not been observed in the\r\nwild as malicious. 
Furthermore, only 12% of the T2 destination IPs displayed upstream T2 bot traffic typical of a\r\nnormal C2 but were not identified in the wild as Qakbot C2s.\r\nBased on these discrepancies, it seems improbable that the T2s are conducting any sort of management-related\r\ncheck-in for the bot C2s.\r\nNetFlow Observations II: Traffic Volume\r\nFigure 9: Line chart of traffic volume for outbound communication per T2 C2; spike outliers are cut\r\noff for legibility\r\nSimilar to the upstream bot C2 traffic we analyzed in our previous blog post, there are notable resemblances\r\nbetween RU2 and RU3 in terms of traffic volume and timing, and they are also adjacent IP addresses associated with\r\nHorizon LLC (ASN 59425). In contrast, RU1 belongs to IP space assigned to SmartApe (ASN 56694), and\r\nexhibits a lower overall traffic volume compared to the other two IPs. The timing of RU1 activity generally occurs\r\nindependently of RU2 and RU3, although there are occasions when all three simultaneously experience spikes in\r\nvolume.\r\nNext, we will present a comparison of all T2 outbound communication juxtaposed with typical C2 to T2 bot\r\ncommunication, irrespective of the T2 host.\r\nFigure 10: Volume of outbound connections from the T2 layer\r\nFigure 11: Volume of inbound connections to the T2 layer, from Qakbot bot C2s, over TCP/443\r\nThere are a few notable observations:\r\nThe traffic volume for outbound T2 connections (blue) is markedly smaller than that of standard inbound\r\nbot C2 connections (orange). 
If they appeared on the same chart, the outbound T2 traffic would be virtually\r\nindiscernible when compared to the bot C2 traffic.\r\nOutbound T2 activity functions independently of inbound communication from C2s, meaning they do not\r\nhappen concurrently.\r\nInstances of increased outbound T2 connections often occur following spikes in activity for inbound bot C2\r\nconnections.\r\nSpikes in outbound T2 connections frequently correspond with a decline in bot C2 activity.\r\nBased on these findings, we hypothesize a connection between the volume and timing of bot C2 upstream activity\r\nand the outbound T2 activity we are investigating. Although there is minimal overlap between the groups of bot\r\nC2s and T2 destination IPs, it seems that both forms of T2 activity occur in a sequential manner, contingent on\r\ntraffic volume.\r\nNetFlow Observations III: Port Usage Frequency\r\nIn Qakbot C2 configurations, many C2s (often exceeding 100) are present, but only a small subset have been\r\nobserved communicating with the T2 layer in our data. Taking into account all C2s, regardless of T2\r\ncommunication, we found that approximately 48% were assigned port 443, 29% port 2222, and 16% port 995. All\r\nother ports were allocated to fewer than 3% of C2s.\r\nIt’s worth noting that for C2s we’ve identified communicating upstream over TCP/443, these percentages change;\r\naround 80% of C2s are assigned port 443, 9% port 995, 5% port 2078, and 4% port 2222. 
The remaining ports\r\nwere associated with less than 1% of C2s.\r\nIn comparison, the chart below illustrates the frequency of destination ports utilized for outbound connections\r\nfrom the T2:\r\nFigure 12: Frequency of ports used as destination ports in outbound T2 connections, since\r\nNovember 2022\r\nUpon examination, it’s immediately evident that there is no correlation between the two datasets regarding port\r\nusage frequency. Although port 443 was technically the most frequently utilized destination port for outbound T2\r\nconnections, its usage is far from the 48% seen with all reported bot C2s (regardless of T2 communication), and\r\nport 3389 was observed just as often. In fact, all of the 32 ports we identified with this type of communication\r\nwere seen at roughly equivalent rates, with port 21 being the least common.\r\nOn its own, this data point might suggest some form of automation governing which ports are accessed. However,\r\nthis inference alone is not sufficient. Incorporating the timing of when the ports are used in these connections\r\ncould provide further insights into whether the process appears automated.\r\nOur analysis focused on the period from May through 16 June, when activity gradually diminished to become\r\nalmost nonexistent.\r\nRU1\r\nFigure 13: Destination ports identified in outbound connections per day from T2 188.127.231.177\r\nRU2\r\nFigure 14: Destination ports identified in outbound connections per day from T2 62.204.41.187\r\nRU3\r\nFigure 15: Destination ports identified in outbound connections per day from T2 62.204.41.188\r\nThis data may not be pretty, but fortunately, a detailed examination of the individual colored bars representing\r\neach port isn't essential to grasp the overarching trends of what's occurring. 
By viewing the visuals collectively,\r\nit's apparent that typically only a small number of ports are accessed in a single day, with usually just one or two\r\ndestination IPs accessed via each port (y-axis). Interestingly, all of the T2 IPs have visually different patterns from\r\nthis perspective, a finding that contradicts the general similarities observed between RU2 and RU3. However,\r\nRU2 and RU3 do share a similar volume of ports seen per day compared to RU1.\r\nDespite these variations, there are common patterns that all three hosts exhibit. For example, they all display\r\nconsistent periods of inactivity, such as those occurring from May 1-2, June 4-6, and June 9-13. They also share\r\nsome spikes related to the variety of different ports used for outbound connections within specific time frames, as\r\nseen on 8 June and the period around 14/15 June.\r\nSo far, we’ve determined that the T2 makes outbound connections over different ports at relatively the same\r\nfrequency, with no one or two ports used far more or less than others. However, usually, only a few of the ports are\r\nseen in connections per day, and they seem to be chosen sporadically, with the exception of certain days when\r\nalmost all of the ports are utilized. Regardless, over time, the T2s communicate across each of the 32 ports with a\r\ngenerally equal frequency.\r\nWhat remains unclear is the rhythm or cadence of how often a T2 connects to each destination IP using these\r\nports, and whether this process is automated. If blatant automation is involved, we would anticipate a pattern of\r\nrepeated connections with consistent timing and volume. Behavior attributed to human intervention wouldn't be so\r\norderly; instead, it would appear more random and unpredictable. 
While automation can be configured to mimic\r\nthis, we can at least rule out the more evident instances.\r\nTo delve deeper, we chose a small sample of IPs that showed inbound T2 connections over an extended period and\r\nmapped out a timeline. In this illustration, each line color symbolizes a different T2 destination IP from the\r\nsample. A spike in a line indicates that at least one of the T2 C2s connected to that IP on that day, with the Y axis\r\nrepresenting how many of the 32 destination ports were observed in those communications.\r\nFigure 16: Volume and timing of inbound connections from the T2 for a sample of nine destination\r\nIPs\r\nExamining the timing and volume of connections for each destination IP, there appears to be no evident pattern\r\nsuggesting the use of automation. The T2 C2s communicate with these IPs erratically and in inconsistent volumes.\r\nWhile it's conceivable that the activity is directly linked to operator actions, considering the observations\r\npreviously discussed, it may actually be a hybrid of both systematic automation and random activity.\r\nWe hypothesize that the selection of ports used in connections may be determined by an automated process, yet\r\nthe connections themselves seem to be responsive to the unpredictable nature of C2 bot communications that\r\noutbound T2 connections appear to follow.\r\nNetFlow Observations IV: Characteristics of Destination IPs\r\nTo enrich our analysis, we examined and compared characteristics such as AS and geolocation to those of hosts\r\nidentified from typical upstream bot communication. 
Some T2 destination IPs were confirmed as proxies and\r\nsubsequently removed from the data to prevent skewing observations based on specific host details.\r\nWe first compared geolocations between T2 destination IPs and bot C2s identified from November to July 2023.\r\nWe identified geolocations that were unique to bot C2s and not present among T2 destination IPs. Geolocations\r\nthat were shared between the two datasets appeared in differing quantities. For instance, while only 31% of bot\r\nC2s were situated in the US, this figure increased to 60% of T2 destination IPs.\r\nFigure 17: Side-by-side comparison of the geolocations that are associated with bot C2s and T2\r\ndestination IPs\r\nNext, we made a similar comparison of AS designations, filtered by geolocations with more than one IP. As\r\npointed out by Black Lotus Labs, Qakbot seems to favor compromised hosts located in residential IP space, and\r\nour findings align with this observation. We found that Comcast is the predominant AS organization for both bot\r\nC2s and T2 destination IPs. According to our NetFlow data, the vast majority of US-based T2 destination IPs and\r\n(high confidence) bot C2s with upstream T2 connections are located within Comcast’s IP space.\r\nFigure 18: Side-by-side comparison of AS organizations associated with bot C2s and T2 destination\r\nIPs.\r\nThese characteristics lead us to develop a theory that additional criteria, such as geolocation and AS organization,\r\nmay influence the selection of compromised hosts. 
These factors could determine which hosts are purchased from\r\nthird parties, or decide which Qakbot victims are escalated to the status of bot C2s or become T2 destination IPs,\r\nat least in some cases.\r\nConclusion\r\nIn this post, we have sought to continue our understanding of the relationship between the various tiers of\r\ninfrastructure associated with the QakBot operation. Our data illustrates the winding down of operations leading\r\nup to QakBot’s seasonal ‘lull’ in operations, which appears in part to have been accelerated by good work from\r\nLumen’s Black Lotus Labs. However, we also demonstrate that there is not a total cessation in operations; new\r\ninfrastructure continues to be stood up, albeit at a reduced cadence - likely for future use once spamming\r\nrecommences.\r\nWe have also sought to illuminate interesting communications sourced from QakBot’s upstream infrastructure,\r\nwith outbound traffic occurring to both reported and unreported QakBot C2s, as well as currently undefined\r\nservers. We have demonstrated possible relationships between this activity and inbound communications to the\r\nsame upstream infrastructure, noting that activity does not overlap, but one may precede the other.\r\nWe have established an interest in 32 specific ports, which the upstream infrastructure seeks to communicate with,\r\npotentially associated with QakBot’s proxy module. 
We have also shown that this activity is, at least in part,\r\npossibly human-generated, with some reliance on automation for certain elements of the activity (specifying\r\nports).\r\nFinally, we hypothesized that certain factors may be considered when elevating a victim / compromised host to C2\r\nstatus, including geolocation and who the host is assigned to from a hosting perspective.\r\nDrawing this all together, we hope to have provided some interesting leads into further investigation of the\r\nQakBot operation, as well as providing opportunities for identification and mitigation of its threat. In elevating\r\nvictims to be used as C2 infrastructure with T2 communication, QakBot effectively punishes users twice, first in\r\nthe initial compromise, and second in the potential risk to reputation of a host being identified publicly as\r\nmalicious.\r\nWe believe cutting off communications to the upstream servers is an effective remedy to the second part of this\r\nprocess; meaning that victim machines are cut off from further C2 instructions, and in doing so protecting current\r\nand future users from compromise.\r\nRecommendations\r\nUsers of Pure Signal Recon and Scout are able to follow this activity by querying for the three Russian T2\r\nIPs.\r\nCyber defenders should monitor for inbound connections from the three Russian T2 IPs over the ports\r\nlisted below.\r\nIn addition, to identify any compromised hosts that were elevated to Qakbot C2 status, monitor for\r\noutbound connections from the host to any of the T2 IPs over TCP/443.\r\nIndicators of Compromise\r\nPorts\r\n20\r\n21\r\n22\r\n53\r\n80\r\n443\r\n465\r\n990\r\n993\r\n995\r\n1194\r\n2078\r\n2083\r\n2087\r\n2222\r\n3389\r\n6881\r\n6882\r\n6883\r\n8443\r\n32100\r\n32101\r\n32102\r\n32103\r\n50000\r\n50001\r\n50002\r\n50003\r\n50010\r\n61200\r\n61201\r\n61202\r\nRU T2\r\n188.127.231.177\r\n62.204.41.187\r\n62.204.41.188\r\nNew Bot C2s (Figure 5)\r\nOther C2s Observed Active January - July 2023\r\nSource: https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory"
	],
	"report_names": [
		"visualizing-qakbot-infrastructure-part-ii-uncharted-territory"
	],
	"threat_actors": [],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1858ed4b73321f10766b080e2f2222285e2e44f9.pdf",
		"text": "https://archive.orkl.eu/1858ed4b73321f10766b080e2f2222285e2e44f9.txt",
		"img": "https://archive.orkl.eu/1858ed4b73321f10766b080e2f2222285e2e44f9.jpg"
	}
}