{
	"id": "75074848-461a-4b45-84ef-7eb47e00658c",
	"created_at": "2026-04-06T00:10:15.259032Z",
	"updated_at": "2026-04-10T03:21:11.842497Z",
	"deleted_at": null,
	"sha1_hash": "1f845985bde0f3bad4396ee7ef4e194644996bb8",
	"title": "Identifying and Defending Against QakBot's Evolving TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 895698,
	"plain_text": "Identifying and Defending Against QakBot's Evolving TTPs\r\nBy Scott Small\r\nPublished: 2022-11-30 · Archived: 2026-04-05 21:12:08 UTC\r\nIf you’re an information security practitioner, or just keep up with cybersecurity reporting, you have almost\r\ncertainly seen QakBot mentioned in your news feeds recently. And if you’re keeping tabs on the Tidal blog, you\r\nrecently read about how adversaries are evolving their tactics, techniques, and procedures (“TTPs”) at alarming\r\nrates. In this blog, we will discuss why most organizations should care about QakBot, and how it represents a clear\r\nexample of adversary TTP evolution (and the importance of threat-informed defense). We’ll also show how\r\nTidal’s free Community Edition can help identify the latest TTPs associated with threats like QakBot, and give\r\npractical, actionable guidance for defending against these adversary behaviors. Explore the Community Edition\r\nhere, and don’t forget to create an account to save and customize the QakBot Technique Sets shared below and to\r\nengage others in the threat-informed defense space in our Community Slack! \r\nWhat is QakBot, and Why is it a Concern? \r\nIn our view, most organizations should include QakBot in their threat profile, a register of the most notable cyber\r\nthreats relevant to the organization and its industry. QakBot (also known as QBot and Pinkslipbot) is a prolific\r\nmalware tied to a large number of attacks since its debut in 2007. Historically, QakBot operators have executed\r\nintense campaigns (individual vendors can see 1,000+ detections per month), followed by lulls in activity. QakBot\r\nhas attacked victims in virtually every major industry. \r\nQakBot was originally designed as a banking Trojan, a type of malware built to steal financial information, but it\r\nnow includes many “modules” that broaden its functionality. 
Notably, in recent years, security teams have\r\nobserved QakBot being used in association with malware designed for a range of other purposes, including pre- and post-infection activities. These include other prolific malware responsible for attacks on victims in very many\r\nindustries, such as Cobalt Strike, Emotet, and Brute Ratel. Security teams typically use factors like these to further\r\nelevate a threat’s priority level within their threat profile. \r\nQakBot: A Case Study in TTP Evolution\r\nhttps://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps\r\nPage 1 of 7\n\nAs we highlighted in our last blog, adversaries are increasingly demonstrating the ability to modify their\r\nbehaviors, in some cases with incredible speed. QakBot represents a clear example of this trend. After a lull in\r\nactivity last summer, QakBot operators resumed attacks in September 2021. QakBot infections at the time relied\r\nheavily on malicious Excel email attachments containing macros, which serve as efficient means of automating\r\nmalicious command execution built into common file types. In direct response to frequent macro abuse by QakBot\r\nand other threats, Microsoft announced in February 2022 that it would begin to block macro execution in popular\r\nMicrosoft Office file types when those files were downloaded from the Internet, which includes files attached to\r\nor linked within spam emails like those frequently delivered during QakBot campaigns. This new security\r\nmeasure is achieved by assigning a hidden value, known as Mark of the Web (“MotW”), to files originating from\r\nthe Internet. \r\nQakBot operators appeared to adapt to this significant new security measure and began to implement alternative\r\ninfection techniques to bypass these MotW protections for Office files almost immediately. 
Researchers from\r\nHornetsecurity began to observe QakBot spam emails now containing HTML attachments, which provide a\r\nstealthy means of downloading additional files (in this case ZIP files) that contained multiple other file types\r\n(ISOs, LNKs, and DLLs), which were accessed sequentially to ultimately run the main QakBot executable. The\r\nHornetsecurity researchers witnessed a major drop in the rate of Excel email attachments, from 22% of all\r\nmalicious attachments in March to just 4% in September, while Proofpoint researchers observed a dramatic rise in\r\nthe prevalence of ISO email attachments and campaigns involving LNK files beginning in March and February,\r\nrespectively (as well as a large drop in macro-enabled email attachments starting in March). \r\nWith the November 8 Patch Tuesday updates, Microsoft took further steps to address some of these techniques,\r\nannouncing that MotW security features would propagate to relevant files contained within ISO files, among other\r\nrelevant fixes. However, just six days after this announcement, QakBot appeared to evolve its technique set once\r\nagain, as security teams observed QakBot infections involving files crafted to bypass some of these latest\r\nprotections. Interestingly, QakBot operators may have adopted this latest defense evasion method from other\r\nthreat actors, as the infection vector was recently observed in a campaign involving Magniber ransomware. \r\nDefending Against QakBot’s Evolving TTPs \r\nQakBot’s repeated TTP evolution over the past year alone highlights why a threat-informed approach to defense is\r\nabsolutely necessary; without intelligence around QakBot’s current techniques, you could be focusing defensive\r\nresources on techniques that are now less relevant (an especially impactful issue if QakBot is one of the top-priority adversaries in your threat profile). 
Let’s now take a look at how Tidal’s free Community Edition can help\r\nidentify techniques – and, importantly, relevant defensive capabilities – associated with QakBot’s recent TTP\r\nevolutions. \r\nFor a historical baseline, we can begin by loading the set of techniques associated with QakBot from the MITRE\r\nATT\u0026CK® knowledge base into Tidal’s matrix view. This set covers 64 techniques linked with QakBot based on\r\nnine public reports from June 2020 to September 2021: \r\nNext, let’s examine the body of more recent public threat intelligence around QakBot. For these examples, I\r\ncompiled custom Tidal Technique Sets based on 16 reports that I could quickly surface online and which had\r\nreadily identifiable technique details – certainly not the full body of QakBot reporting since last year, but a good\r\namount to show depth within the technique data. Overlaying the custom technique set, which also comprised 64\r\ntechniques, onto the ATT\u0026CK knowledge base set revealed 37 techniques which were exclusively referenced in\r\nthe most recent QakBot intelligence reporting (October 2021-October 2022). The darker shades of red represent\r\nreferences in more reports in the recent dataset, with a range of one to eight reports:\r\nThis final view rearranges the same technique datasets discussed above into three sets of techniques organized by\r\ntime period: the ATT\u0026CK knowledge base, which covers June 2020-September 2021 reporting (yellow), October\r\n2021-March 2022 (orange), and April 2022-October 2022 (red). 
This visual helped surface techniques that were\r\nnewly reported during each of the recent phases of QakBot’s TTP evolution (prior to the current activity waves\r\nstarting last fall, and before and after the period around the macro-blocking announcement this year), to more\r\naccurately see where technique use shifted: \r\nThe following graphic summarizes the key techniques newly reported during each time period: \r\nThe Community Edition enables intuitive pivoting and overlays of defensive capabilities aligned with the same\r\nadversary techniques described in threat intelligence reporting. Our top guidance around the key techniques\r\ndiscussed in this blog (and covered in the linked QakBot Technique Sets) includes: \r\nDelivery: Most QakBot infections begin with malicious file delivery via phishing, including spearphishing\r\nattachments and spearphishing links. Robust email security and anti-phishing capabilities are\r\nrecommended to mitigate these first stages of most QakBot attacks. User training and awareness around\r\ncurrent phishing techniques is also highly encouraged. In an effort to further trick victims, QakBot is\r\nknown to hijack legitimate email threads for initial malware delivery, either by compromising legitimate\r\naccounts, and recently by hijacking external/third-party email threads. 
\r\nUser Execution: Macro-based techniques observed during the first phase of QakBot’s recent activity\r\ntypically relied on users manually clicking to enable macros, while later attacks used email content themes\r\nthat lured users into downloading attachments and opening one or even multiple downloaded files.\r\nMitigations around user interaction and execution of suspicious files and links, including blocking of\r\ncertain executables not typically seen in the environment and user training and awareness, are highly\r\nrecommended. \r\nInitial Footholds: While writing detections for all possible variations of HTML Smuggling may be\r\nchallenging, Microsoft suggests policies around automatic Javascript code execution and other mitigations\r\nhere. Red Canary published an excellent explainer and defensive guidance around attacks leveraging ISO\r\nfiles to bypass MotW protections, and Huntress recently shared an approach to disable ISO mounting by\r\ndefault entirely. We were only able to identify a limited amount of defensive guidance around the latest,\r\nyet-unpatched MotW bypass technique involving files with “malformed” signatures. Keep in mind too that,\r\ndespite new macro-related safeguards, threat actors have not entirely abandoned Excel and other macro-supported documents as malicious email attachments. Security teams should use this knowledge to inform\r\nhunting and detection prioritization. \r\nRegsvr32: The Regsvr32 technique had the highest overall reference count (eight) in the October 2021-\r\nOctober 2022 Technique Set discussed above, seven of which appeared in the recent April-October 2022\r\nperiod. Adversaries abuse regsvr32.exe to proxy execution of malicious code. See the Regsvr32 Technique\r\nDetails page to pivot to five Products with capabilities mapped to this technique, as well as 16 open-source\r\nAnalytics. 
Red Canary’s recent Intelligence Insights also provides a good strategy for detecting a recent,\r\nspecific QakBot implementation of this technique. \r\nOther Post-Exploit Techniques: Detection opportunities and other defensive capabilities exist around\r\nmany of the other techniques not yet discussed here. Community Edition users can use the Technique\r\nDetails pages to easily pivot to Products and Analytics aligned with adversary techniques. Readers are\r\nencouraged to focus especially on techniques most recently observed in association with QakBot, like those\r\nhighlighted in the list in the graphic above. A few other recently observed post-exploit techniques include:\r\nRundll32, Process Injection, Scheduled Task, System Binary Proxy Execution, File Deletion, and Impair\r\nDefenses. A set of Sigma analytics written directly around recent QakBot technique implementations,\r\nincluding DLL execution \u0026 loading, process injection, and scheduled tasks, can be found in Micah\r\nBabinski’s GitHub repository. \r\nLogging \u0026 Data Sources: The Technique Details pages can also be used to pivot to relevant Data Sources\r\nthat, if logged, can provide visibility into instances of adversary technique use (you can also view the full\r\nlist of ATT\u0026CK Data Sources here and add them to your own matrix views). \r\nBranching Out: The Technique Details pages enable quick pivoting to relevant capabilities and analytics,\r\nsaving time when trying to surface detections or capabilities that align directly with QakBot technique\r\nimplementations (Procedures). They can also provide a springboard for testing and strengthening\r\ndetections around other implementations of the same techniques. This is especially important as we\r\nconsider how often and how quickly QakBot has evolved its technique set in recent times. 
Beyond just the\r\nProcedures observed in recent QakBot reporting, consider atomic testing, simulation, or emulation\r\naround variations on these technique implementations in an effort to proactively address possible TTP\r\nshifts by QakBot (and other actors and malware). \r\n*Note: The Mark-of-the-Web Bypass technique was not explicitly mentioned in any of the source reporting we\r\nreviewed. Reported incident investigations may not have determined (or may not have disclosed) whether certain\r\nfiles possessed or did not possess MotW signatures. However, given the suspected use of ISO files to help bypass\r\nMotW safeguards, we are highlighting the technique here to represent the three reports in our sample that\r\ndescribed QakBot infections involving ISO files. \r\nExperience the Community Edition\r\nSource: https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps"
	],
	"report_names": [
		"identifying-and-defending-against-qakbots-evolving-ttps"
	],
	"threat_actors": [],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f845985bde0f3bad4396ee7ef4e194644996bb8.pdf",
		"text": "https://archive.orkl.eu/1f845985bde0f3bad4396ee7ef4e194644996bb8.txt",
		"img": "https://archive.orkl.eu/1f845985bde0f3bad4396ee7ef4e194644996bb8.jpg"
	}
}