{
	"id": "843f0c96-d151-461e-a97e-3e0fb1bf5026",
	"created_at": "2026-04-06T00:09:39.674215Z",
	"updated_at": "2026-04-10T13:12:05.953553Z",
	"deleted_at": null,
	"sha1_hash": "3519766284d124e9a9a4a7931e5337e3662772b0",
	"title": "Hackers using Follina Windows zero-day to spread Qbot malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80863,
	"plain_text": "Hackers using Follina Windows zero-day to spread Qbot malware\r\nBy Jonathan Greig\r\nPublished: 2023-01-13 · Archived: 2026-04-02 11:13:53 UTC\r\nHackers are using a recently disclosed Windows zero-day vulnerability named Follina to spread a widely-used banking trojan with ties to several ransomware groups.\r\nThe vulnerability — CVE-2022-30190 — is in the Microsoft Support Diagnostic Tool (MSDT) in Windows and is already being exploited by several state-backed threat actors, according to reports from multiple security companies.\r\nFollina, which was given its name by cybersecurity expert Kevin Beaumont because the sample references 0438 — the area code of Follina, Italy — currently doesn’t have a patch and allows attackers to “install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”\r\nAlmost immediately after the vulnerability was highlighted, cybersecurity firm Proofpoint said that Chinese state-sponsored hacking groups were seen exploiting the zero-day in attacks on organizations associated with the Tibetan Government in Exile. The campaigns impersonate the “Women Empowerments Desk” of the Central Tibetan Administration, the firm said.\r\nOn Tuesday, Proofpoint shared evidence that a threat actor they’ve named “TA570” – who they’ve been tracking since 2018 and is heavily associated with the Qbot malware – is now using CVE-2022-30190 to deliver the popular malware used to steal banking information.\r\n“Actor uses thread hijacked messages with HTML attachments which, if opened, drop a zip archive,” the company explained on Twitter.\r\n“Archive contains an IMG with a Word doc, shortcut file, and DLL. The LNK will execute the DLL to start Qbot. The doc will load and execute a HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot.”\r\n— Threat Insight (@threatinsight) June 7, 2022\r\nSeveral other cybersecurity experts corroborated Proofpoint’s findings this week. Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, told The Record that Qbot, also known as QakBot, has been identified in attacks where the Follina vulnerability was exploited.\r\nBoth Hoffman and Recorded Future ransomware expert Allan Liska noted that Qbot has a long history of coordinating with ransomware groups.\r\nhttps://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/\r\nPage 1 of 3\r\n“QakBot is associated with several ransomware variants, including Conti and Black Basta, given its ability to establish a persistent foothold in target networks. It is likely only a matter of time before a ransomware group takes advantage of this,” Hoffman said.\r\nAndrew Brandt, principal researcher at Sophos, said his team has seen Follina being used to deliver other kinds of payloads, but some of them — notably Cobalt Strike — can be used to deliver other malware, or to give ransomware actors a foothold into the network.\r\n\"But so far there doesn't seem to be any direct connection between a Follina-type attack and a subsequent ransomware incident,\" Brandt said.\r\nLiska echoed those remarks, adding that while it appears QBot is using Follina, he has not seen any ransomware attacks yet exploiting the bug.\r\n“But QBot works with a couple of different ransomware groups, so it is likely just a matter of time,” Liska said.\r\nNew TTPs from #qakbot #qbot discovered by @k3dg3\r\nIn case you haven't seen it yet, here's the top and bottom of the res.123 file downloaded by the .docx file.\r\nFrom the top of the file, it seems like the threat actor is feeling pretty cocky right now. Bottom shows #follina use. pic.twitter.com/dMXOTF1te7\r\n— ExecuteMalware (@executemalware) June 7, 2022\r\nProofpoint previously said Qbot’s operators had been seen delivering several different kinds of ransomware including ProLock and Egregor.\r\nFrance’s Computer Emergency Response Team (CERT-FR), a division of ANSSI, the country’s national cybersecurity agency, released a lengthy report in November that found the Lockean ransomware affiliate group would deploy the QakBot malware during attacks.\r\nQbot has seen a resurgence in activity since the takedown of Emotet, with multiple companies reporting a surge in activity since January 2021. Group-IB researchers found that Qbot has also been used by Prometheus, a cybercrime service that helps malware gangs distribute malicious payloads.\r\nMicrosoft previously told The Record that it did not know when a patch will be released for CVE-2022-30190 but pointed to the documents they published about ways the issue can be mitigated.\r\nSeveral security researchers tested the issue and found it affects Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.\r\nResearchers published suggestions for security teams of things they can do to limit exposure, including removing the ms-msdt URI scheme registry key.\r\nJonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/"
	],
	"report_names": [
		"hackers-using-follina-windows-zero-day-to-spread-qbot-malware"
	],
	"threat_actors": [
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434179,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3519766284d124e9a9a4a7931e5337e3662772b0.pdf",
		"text": "https://archive.orkl.eu/3519766284d124e9a9a4a7931e5337e3662772b0.txt",
		"img": "https://archive.orkl.eu/3519766284d124e9a9a4a7931e5337e3662772b0.jpg"
	}
}