{
	"id": "30edc49e-ab12-4b80-a66a-7aae351145a7",
	"created_at": "2026-04-06T00:22:25.07288Z",
	"updated_at": "2026-04-10T03:30:32.736101Z",
	"deleted_at": null,
	"sha1_hash": "3e9ccca64f1b59e023ec251d308bda13a8dcc981",
	"title": "Hibernating Qakbot | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2149683,
	"plain_text": "Hibernating Qakbot | ThreatLabz\r\nBy Meghraj Nandanwar, Satyam Singh, Pradeep Mahato\r\nPublished: 2023-07-25 · Archived: 2026-04-05 15:24:03 UTC\r\nAnalysis Of Qakbot Attack Chains\r\nThis section presents distinct variations of the Qakbot banking trojan attack chain, examined across samples\r\ndiscovered between March and May of 2023. The case studies below specifically concentrate on how diverse file\r\nformats and techniques execute the Qakbot end payload on the victim's machine, instead of directly dropping and\r\nexecuting the malware.\r\nCase Study 1: March 2023 - Evolving Qakbot Tactics: Exploiting File Formats for Deceptive\r\nPayload Delivery\r\nAt the outset of the year, Qakbot began spreading through OneNote files. Subsequently, in March, a shift was\r\nobserved, as Qakbot transitioned to using PDF and HTML files as the initial attack vectors to download further\r\nstage files, leading to the delivery of the final payload. These file formats are commonly utilized by numerous\r\nthreat actors to infect users.\r\nMultiple attack chains were observed, wherein Qakbot utilizes PDF files as the initial vector to download the next\r\nstage file, which contains an obfuscated JS (JavaScript) file bearing names like \"Invoice,\" \"Attach,\" \"Report,\" or\r\n\"Attachments\" to deceive users into executing the file. Upon running the JS file, Qakbot initially creates a registry\r\nkey and adds the base64 encoded PowerShell command into the registry key using the reg.exe command line tool,\r\nenabling the download and execution of the Qakbot DLL.\r\nAttack Chain: MalSpam -\u003e PDF -\u003e URL -\u003e JS -\u003e PS -\u003e Qakbot Payload\r\nFigure 1 - Illustrates the attack chain involving a Malicious PDF as the initial attack vector.\r\nQakbot recently reverted to utilizing HTML smuggling as a means of delivering its initial attack payload. This\r\ntechnique was observed across numerous campaigns during the previous year. 
In March, the identification of\r\nseveral new malspam emails indicated that threat actors were leveraging Latin-themed HTML files to facilitate the\r\ndownload of zip archives. These archives contained an obfuscated JS file, initiating a sequence similar to the one\r\ndepicted in Fig. 1, ultimately leading to the delivery of the Qakbot payload.\r\nhttps://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis\r\nPage 1 of 9\n\nThe attack chain discovered in March follows this progression: Malspam -\u003e HTML -\u003e URL -\u003e ZIP -\u003e\r\nJS -\u003e PS -\u003e Qakbot Payload\r\nIn this chain, malspam serves as the initial delivery method, targeting unsuspecting victims through deceptive\r\nemails. The HTML files play a pivotal role in exploiting HTML smuggling techniques, concealing malicious\r\nactivities within seemingly innocuous web content.\r\nUpon accessing the HTML files, URLs are triggered, initiating the download of zip archives containing the\r\nobfuscated JS file. The use of obfuscation ensures that the malicious code remains hidden from casual detection\r\nand analysis, enhancing the threat actors' ability to evade detection.\r\nSubsequently, the JS file is executed, setting off a series of actions that culminate in the execution of a PowerShell\r\ncommand (PS). The PowerShell command is instrumental in obtaining and executing the final payload, which, in\r\nthis case, is the notorious Qakbot banking trojan. 
During our campaign follow-up, we found this sample from the\r\nTwitter handles @Pr0xylife and @Cryptolaemus1.\r\nThis resurgence of HTML smuggling by Qakbot highlights the significance of continuous monitoring and\r\nawareness of evolving malware tactics and shifting attack chains for detecting and countering such threats.\r\nFigure 2 - Shows the attack chain with a Malicious HTML file as the initial attack vector.\r\nLater, a similar attack chain was identified, where the initial attack vector involved a PDF file. This PDF file was\r\ndesigned to download a zip archive, which, in turn, contained an obfuscated WSF/HTA file. Upon execution, the\r\nWSF/HTA file ran a base64 encoded PowerShell command, leading to the download and execution of the final\r\nQakbot payload.\r\nThe observed attack chain follows this progression: Malspam -\u003e PDF -\u003e ZIP -\u003e WSF/HTA -\u003e PS -\u003e\r\nQakbot Payload\r\nIn this scenario, malspam continues to serve as the initial method of propagation, disseminating malicious content\r\nthrough email campaigns. The PDF file, acting as the attack vector, entices users to access its contents, ultimately\r\ntriggering the download of a zip archive.\r\nInside the zip archive, an obfuscated WSF/HTA file is concealed, obscuring its malicious intent and complicating\r\ndetection efforts. 
Once executed, the WSF/HTA file initiates a base64 encoded PowerShell command, a common\r\ntechnique used by threat actors to download and execute further payloads without leaving a conspicuous trail.\r\nThe culmination of this attack chain results in the delivery and execution of the Qakbot banking trojan against the\r\ntargeted system and its users.\r\nFigure 3 - Features a Malicious PDF as the initial attack vector in the attack chain, accompanied by WSF and\r\nHTA files.\r\nIn another discovery made by ThreatLabz researchers, a variant of the Qakbot malware was observed employing a\r\nstealthy attack chain with the use of Microsoft Excel add-ins (XLL) as the initial vector. Microsoft Office add-ins\r\nare DLL files with distinct extensions based on the application they are designed for. While Microsoft Word add-ins use the '.wll' extension, Excel add-ins utilize the '.xll' extension.\r\nThe choice of using XLL files as the initial attack vector is strategic for threat actors due to their ease of use.\r\nUnlike Word add-ins that must be placed in specific trusted locations depending on the Office version, XLL files\r\nare automatically loaded and opened by the Excel application, simplifying the delivery process for the attackers.\r\nMoreover, XLL files possess unique characteristics that differentiate them from regular DLLs. They can have\r\nexport functions that are invoked by the Excel Add-In manager when triggered by Excel. Upon launching an XLL\r\nfile, Excel activates the export functions defined by the XLL interface, such as xlAutoOpen and xlAutoClose,\r\nsimilar to Auto_Open and Auto_Close in VBA macros. 
This mechanism is exploited by the attackers to load the\r\nmalicious payload seamlessly, evading security measures and detection.\r\nThe attack chain follows a sequence where the threat actor utilizes a .xll file in the initial phase. When a user\r\nopens this .xll file, it proceeds to drop two files, \"1.dat\" and \"2.dat,\" into the '\\Users\\User\\AppData\\Roaming\\'\r\ndirectory. The \"1.dat\" file contains a 400-byte header of the PE file, while the \"2.dat\" file holds the remaining\r\ndata of the PE file. These two files are then combined to create the \"3.dat\" file, which contains the actual Qakbot\r\npayload. Additionally, the attackers establish scheduled tasks to execute the Qakbot payload every 10 minutes,\r\nensuring its persistence on the victim's machine.\r\nThe observed attack chain follows this progression: Malspam -\u003e ZIP -\u003e XLL -\u003e Qakbot Payload\r\nThis attack chain sample underscores the ever-evolving nature of Qakbot, which continuously adapts its tactics\r\nand techniques to avoid detection and infiltrate systems. 
By utilizing XLL files and implementing sophisticated\r\ntechniques to hide and deliver its payload, Qakbot continues to pose a significant threat to users and organizations.\r\nFigure 4 - Shows the attack chain involving Malicious XLL files as the initial attack vector.\r\nCase Study 2: April 2023 - Adapting Qakbot: Unraveling the XMLHTTP Experiment in the\r\nAttack Chain\r\nIn April, researchers noted more significant changes in the Qakbot attack chain, as the samples revealed the\r\nmalware continued to experiment with different file formats to infect users.\r\nIn this evolved attack chain, the WSF (Windows Script File) contains a hex-encoded XMLHTTP request to\r\ndownload the Qakbot payload, replacing the previous base64 encoded PowerShell command.\r\nThe observed attack chain follows this progression: Malspam -\u003e PDF -\u003e ZIP -\u003e WSF -\u003e XMLHTTP\r\n-\u003e Qakbot Payload\r\nFigure 5 - Depicts the attack chain utilizing the XMLHTTP request.\r\nTowards the end of April, Qakbot's persistent use of OneNote files as the initial attack vector was still evident in\r\nits latest campaign. OneNote files served as an effective disguise, luring unsuspecting users into opening and\r\nexecuting the embedded contents. The attackers leveraged the familiarity and widespread use of OneNote files to\r\nincrease the chances of successful infections.\r\nWithin this attack chain, the OneNote file contains an embedded MSI (Microsoft Installer) file. This MSI file was\r\ndesigned to trick users by posing as a legitimate Microsoft Azure installer, exploiting victims' trust in these\r\nfamiliar software installations and delivering the Qakbot payload.\r\nThe MSI file was purposely crafted to include several components, enhancing its evasive capabilities and making\r\nit difficult for security systems to detect its true intent. 
Among these components, a self-deletion PowerShell script\r\nwas incorporated, allowing the malware to erase its tracks after execution, reducing the chances of detection and\r\nanalysis.\r\nFurthermore, the MSI file contained a configuration file that held essential information, including the path to\r\nexecute a WSF (Windows Script File) script. This WSF script served as a critical link in the attack chain, acting as\r\nan intermediary to facilitate the download and execution of the Qakbot payload.\r\nTo ensure further obfuscation and evasion, the WSF script was hex-encoded, making it challenging for traditional\r\nsecurity measures to interpret its true purpose. This encoded script was responsible for executing an XMLHTTP\r\nrequest, a technique used to download the actual Qakbot payload from a remote server.\r\nThrough this intricate sequence of deception and evasion, attackers aim to successfully deliver the Qakbot payload\r\nonto victim machines. By continuously adapting their attack techniques and leveraging familiar file formats, the\r\nthreat actors behind Qakbot seek to stay one step ahead of security defenses and professionals.\r\nThe observed attack chain follows this progression: Malspam -\u003e OneNote -\u003e MSI -\u003e WSF -\u003e\r\nXMLHTTP -\u003e Qakbot Payload\r\nFigure 6 - Evolving Attack Chain: Leveraging Malicious OneNote and MSI Files as Initial Attack Vector.\r\nCase Study 3: May 2023 - Qakbot Explores Advanced Defense Evasion Tactics\r\nThroughout the month of May, researchers closely monitored Qakbot's activities and observed the threat actor's\r\nefforts to experiment with innovative defense evasion tactics aimed at infecting users and evading detection.\r\nAlongside changes in the attack chain, Qakbot introduced sophisticated techniques, including Indirect Command\r\nExecution using conhost.exe 
and DLL Side-Loading, further complicating its detection and removal.\r\nIn this attack chain, Qakbot takes advantage of conhost.exe as a proxy binary to bypass defensive measures. By\r\nemploying conhost.exe, Qakbot attempts to outwit security counter-measures that restrict the use of typical\r\ncommand-line interpreters. This enables the threat actor to execute commands using various Windows utilities,\r\ncreating a clever diversion and making it more challenging for security tools to identify and mitigate the threat\r\neffectively.\r\nThe attack sequence starts with malspam, where malicious emails are distributed to unsuspecting victims. These\r\nemails often contain malicious attachments disguised as innocent files, luring users into opening them. The threat\r\nactors use PDF files packed within ZIP archives, which, when accessed, lead to the execution of WSF files via\r\nXMLHTTP.\r\nTo further obscure its activities, Qakbot then leverages conhost.exe, employing it as an intermediary to carry out\r\nspecific commands. 
This tactic is part of Qakbot's strategy to operate stealthily within the compromised system,\r\nremaining undetected by conventional security mechanisms that may primarily focus on detecting direct malicious\r\ncode execution.\r\nThe ultimate goal of this attack chain is to deliver the Qakbot payload, allowing the malware to infiltrate the\r\nvictim's system, steal sensitive information, and potentially carry out other malicious activities, including\r\nespionage and financial theft.\r\nThe observed attack chain follows this progression: Malspam -\u003e PDF -\u003e ZIP -\u003e WSF -\u003e XMLHTTP\r\n-\u003e conhost.exe -\u003e Qakbot Payload\r\nFigure 7 - Demonstrates Qakbot's utilization of Indirect Command Execution with conhost.exe.\r\nIn this intricate attack chain, the initial vector is a ZIP file that conceals an executable (EXE) file. Upon execution,\r\nthe EXE file loads a hidden dynamic-link library (DLL) that employs a curl command to download the final\r\nQakbot payload. This attack chain also involves the use of the DLL side-loading technique, adding another layer of\r\ncomplexity to the attack.\r\nThe threat actor initiates this attack through malspam, sending deceptive emails containing URLs that lead to the\r\ndelivery of the ZIP file. Once the user accesses the ZIP file and executes the embedded EXE file, the attack\r\nunfolds, triggering the loading of the concealed DLL. This DLL utilizes a curl command to download the final\r\nQakbot payload from a remote server.\r\nBy incorporating DLL side-loading, the threat actor creates a diversion, making it more challenging for security\r\nmeasures to detect the malicious activities. 
This advanced technique allows the malware to execute code indirectly\r\nand evade traditional detection mechanisms, adding an extra layer of sophistication to the attack.\r\nThe attack sequence follows: Malspam -\u003e URL -\u003e ZIP -\u003e EXE -\u003e DLL -\u003e CURL -\u003e Qakbot Payload\r\nFigure 8 - Depicts Qakbot's utilization of DLL Side Loading in its attack chain.\r\nOn May 17th, several Pikabot samples were distributed using tactics, techniques, and procedures (TTPs) similar to\r\nthose of Qakbot within the Zscaler Cloud. This discovery is valuable as it highlights a potential link or copycat\r\nscenario and provides insights into Pikabot malware behavior and distribution methods. The resemblance between\r\nPikabot and Qakbot, including similarities in their behavior and internal campaign identifiers, suggests a possible\r\nconnection between the two. However, there is not yet sufficient evidence to definitively link these malware\r\nfamilies to the same threat actor.\r\nUnderstanding the similarities and differences between Pikabot and Qakbot is critical for cybersecurity\r\nprofessionals to effectively respond to these threats. The identification of new malware variants helps security\r\nteams stay ahead of evolving attack trends, enabling them to adjust their defense strategies accordingly. By closely\r\nmonitoring the behavior and distribution patterns of these malware families, security experts can enhance their\r\nthreat intelligence and improve their ability to detect and mitigate such attacks in the future.\r\nThreatLabz's ongoing technical analysis of Pikabot will provide further insights into its capabilities and potential\r\nimpact on organizations. 
Keeping abreast of such developments and conducting thorough examinations of new\r\nmalware variants is crucial for safeguarding networks, systems, and sensitive data from cyber threats. As the\r\ninvestigation progresses, security professionals can better assess the potential risks posed by Pikabot and\r\nformulate effective mitigation measures to protect against its infiltration and harmful activities.\r\nFigure 9 - Shows the distribution of Pikabot, discovered in Zscaler Cloud.\r\nSource: https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis"
	],
	"report_names": [
		"hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e9ccca64f1b59e023ec251d308bda13a8dcc981.pdf",
		"text": "https://archive.orkl.eu/3e9ccca64f1b59e023ec251d308bda13a8dcc981.txt",
		"img": "https://archive.orkl.eu/3e9ccca64f1b59e023ec251d308bda13a8dcc981.jpg"
	}
}