{
	"id": "334c4bdf-2cba-4e48-9ead-03593ec75ebe",
	"created_at": "2026-04-06T00:11:24.890676Z",
	"updated_at": "2026-04-10T03:23:52.03047Z",
	"deleted_at": null,
	"sha1_hash": "30071a1260e5a1d9309309699199e31926266e30",
	"title": "Cyble - Qakbot Resurfaces With New Playbook",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 583196,
	"plain_text": "Cyble - Qakbot Resurfaces With New Playbook\r\nPublished: 2022-07-21 · Archived: 2026-04-05 18:06:01 UTC\r\nRead Cyble Research Lab's analysis of a recent Qakbot variant that leverages DLL side-loading to infect its victims.\r\nThreat Actors Leveraging DLL Side-Loading to Deliver Malware\r\nDuring a routine threat-hunting exercise, Cyble Research Labs came across a Twitter post in which a researcher shared new IoCs related to the infamous Qakbot malware.\r\nFor initial infection, Qakbot uses mass email spam campaigns. The Qakbot Threat Actors (TAs) have continuously evolved their infection techniques ever since the malware was first identified in the wild.\r\nIn this campaign, the spam email contains a password-protected zip file, which in turn contains an ISO file. When mounted, the ISO file shows a .lnk file masquerading as a PDF file. If the victim opens the .lnk file, the system is infected with Qakbot. The figure below shows Qakbot’s infection chain.\r\nhttps://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/\r\nPage 1 of 6\r\nFigure 1 – Qakbot Execution Flow\r\nTechnical Analysis\r\nThe initial infection of Qakbot starts with a malicious spam campaign that uses various themes to lure users into opening the attachments.\r\nIn this campaign, the spam email contains an HTML file that has base64-encoded images and an embedded password-protected ZIP file, as shown below.\r\nFigure 2 – Embedded ZIP File in HTML File\r\nWhen the HTML file is opened, it automatically drops the password-protected zip file into the Downloads folder. In our sample, the zip file is named “Report Jul 14 47787.zip.” The zip password is given in the HTML, as shown below.\r\nFigure 3 – Contents of Spam HTML File\r\nOpening the zip file with the password extracts an ISO image file named “Report Jul 14 47787.iso”. The ISO file contains four files:\r\na .lnk file\r\na legitimate calc.exe\r\nWindowsCodecs.dll\r\n7533.dll\r\nThe figure below shows the details of the extracted files.\r\nFigure 4 – File Details\r\nIf the user opens the ISO file, it is mounted as a drive and only the .lnk file is shown to the user. In this case, the .lnk file is named “Report Jul 14 4778.lnk” and masquerades as a PDF file.\r\nThe properties of the .lnk file show that it executes the calc.exe present in the ISO file. The figure below shows the .lnk file.\r\nFigure 5 – Properties of Shortcut File\r\nDLL Sideloading:\r\nDLL sideloading is a technique used by TAs to execute malicious code through legitimate applications. In this technique, TAs place a legitimate application and a malicious .dll file together in a common directory. The malicious .dll file has the same name as a legitimate library that the application loads during execution, so the application loads the malicious .dll instead, executing the attacker’s code.\r\nIn this case, the application is calc.exe, and the malicious file named WindowsCodecs.dll masquerades as a support file for calc.exe.\r\nWhen calc.exe executes, it loads WindowsCodecs.dll, which then executes the final Qakbot payload (7533.dll) using regsvr32.exe. The final payload injects its malicious code into explorer.exe and performs all its malicious activities from there.\r\nFigure 6 – WindowsCodecs.dll file Executing 7533.dll using regsvr32.exe\r\nThe figure below shows the execution process tree of Qakbot.\r\nFigure 7 – Qakbot Process Tree\r\nConclusion\r\nThe TAs behind Qakbot are highly active and continuously evolve their methods to increase their efficacy and impact.\r\nQakbot steals credentials from the victim’s system and uses them for the TAs’ financial gain. Apart from the direct financial impact, this can also lead to incidents of fraud, identity theft, and other consequences for any victim of Qakbot malware.\r\nCyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly.\r\nOur Recommendations\r\nDo not open emails from unknown or irrelevant senders.\r\nAvoid downloading pirated software from unverified sites.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nRotate passwords at regular intervals.\r\nUse reputed anti-virus and internet security software on your connected devices, including PCs, laptops, and mobile devices.\r\nAvoid opening untrusted links and email attachments without first verifying their authenticity.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez sites.\r\nMonitor beaconing at the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) solutions on employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1566 | Phishing\r\nExecution | T1204 | User Execution\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion | T1055 | Process Injection\r\nIndicators of Compromise (IOCs)\r\nSource: https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/"
	],
	"report_names": [
		"qakbot-resurfaces-with-new-playbook"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30071a1260e5a1d9309309699199e31926266e30.pdf",
		"text": "https://archive.orkl.eu/30071a1260e5a1d9309309699199e31926266e30.txt",
		"img": "https://archive.orkl.eu/30071a1260e5a1d9309309699199e31926266e30.jpg"
	}
}