{
	"id": "6c9864ab-f41f-425d-9cc8-0986591b9619",
	"created_at": "2026-04-06T00:12:10.459672Z",
	"updated_at": "2026-04-10T03:21:19.258882Z",
	"deleted_at": null,
	"sha1_hash": "3bec341855df648751998b28f147f5c517b1bc79",
	"title": "QakBot Banking Trojan Returned With New Sneaky Tricks to Steal Your Money",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 271340,
	"plain_text": "QakBot Banking Trojan Returned With New Sneaky Tricks to\r\nSteal Your Money\r\nBy The Hacker News\r\nPublished: 2020-08-27 · Archived: 2026-04-05 15:52:23 UTC\r\nA notorious banking trojan aimed at stealing bank account credentials and other financial information has now\r\ncome back with new tricks up its sleeve to target government, military, and manufacturing sectors in the US and\r\nEurope, according to new research.\r\nIn an analysis released by Check Point Research today, the latest wave of Qbot activity appears to have dovetailed\r\nwith the return of Emotet — another email-based malware behind several botnet-driven spam campaigns and\r\nransomware attacks — last month, with the new sample capable of covertly gathering all email threads from a\r\nvictim's Outlook client and using them for later malspam campaigns.\r\n\"These days Qbot is much more dangerous than it was previously — it has an active malspam campaign which\r\ninfects organizations, and it manages to use a 'third-party' infection infrastructure like Emotet's to spread the threat\r\neven further,\" the cybersecurity firm said.\r\nUsing Hijacked Email Threads as Lures\r\nFirst documented in 2008, Qbot (aka QuakBot, QakBot, or Pinkslipbot) has evolved over the years from an\r\ninformation stealer to a \"Swiss Army knife\" adept at delivering other kinds of malware, including Prolock\r\nransomware, and even remotely connecting to a target's Windows system to carry out banking transactions from the\r\nvictim's IP address.\r\nhttps://thehackernews.com/2020/08/qakbot-banking-trojan.html\r\nPage 1 of 4\n\nAttackers usually infect victims using phishing techniques to lure victims to websites that use exploits to inject\r\nQbot via a dropper.\r\nA malspam offensive observed by F5 Labs in June found the malware to be equipped with detection and research-evasion techniques with the goal of evading forensic examination. 
Then last week, Morphisec unpacked a Qbot\r\nsample that came with two new methods designed to bypass Content Disarm and Reconstruction (CDR) and\r\nEndpoint Detection and Response (EDR) systems.\r\nThe infection chain detailed by Check Point follows a similar pattern.\r\nThe first step begins with a specially crafted phishing email containing an attached ZIP file or a link to a ZIP file\r\nthat includes a malicious Visual Basic Script (VBS), which then proceeds to download additional payloads\r\nresponsible for maintaining a proper communication channel with an attacker-controlled server and executing the\r\ncommands received.\r\nNotably, the phishing emails sent to the targeted organizations, which take the form of COVID-19 lures, tax\r\npayment reminders, and job recruitments, not only include the malicious content but also have\r\narchived email threads between the two parties inserted to lend an air of credibility.\r\nTo achieve this, the conversations are gathered beforehand using an email collector module that extracts all email\r\nthreads from the victim's Outlook client and uploads them to a hardcoded remote server.\r\nAside from packing components for grabbing passwords, browser cookies, and injecting JavaScript code on\r\nbanking websites, the Qbot operators released as many as 15 versions of the malware since the start of the year,\r\nwith the last known version released on August 7.\r\nWhat's more, Qbot comes with an hVNC Plugin that makes it possible to control the victim machine through a\r\nremote VNC connection.\r\n\"An external operator can perform bank transactions without the user's knowledge, even while he is logged into\r\nhis computer,\" Check Point noted. \"The module shares a high percentage of code with similar modules like\r\nTrickBot's hVNC.\"\r\nFrom an Infected Machine to a Control Server\r\nThat's not all. 
Qbot is also equipped with a separate mechanism to recruit the compromised machines into a botnet\r\nby making use of a proxy module that allows the infected machine to be used as a control server.\r\nWith Qbot hijacking legitimate email threads to spread the malware, it's essential that users monitor their emails\r\nfor phishing attacks, even in cases where they appear to come from a trusted source.\r\n\"Our research shows how even older forms of malware can be updated with new features to make them a\r\ndangerous and persistent threat,\" Check Point Research's Yaniv Balmas said. \"The threat actors behind Qbot are\r\ninvesting heavily in its development to enable data theft on a massive scale from organizations and individuals.\"\r\n\"We have seen active malspam campaigns distributing Qbot directly, as well as the use of third-party infection\r\ninfrastructures like Emotet's to spread the threat even further,\" Balmas added.\r\nSource: https://thehackernews.com/2020/08/qakbot-banking-trojan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2020/08/qakbot-banking-trojan.html"
	],
	"report_names": [
		"qakbot-banking-trojan.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bec341855df648751998b28f147f5c517b1bc79.pdf",
		"text": "https://archive.orkl.eu/3bec341855df648751998b28f147f5c517b1bc79.txt",
		"img": "https://archive.orkl.eu/3bec341855df648751998b28f147f5c517b1bc79.jpg"
	}
}