{
	"id": "882ac774-17a9-4bdf-ad4d-51bd1ff2ef45",
	"created_at": "2026-04-06T01:30:09.521564Z",
	"updated_at": "2026-04-10T13:11:36.48533Z",
	"deleted_at": null,
	"sha1_hash": "41c9cfe95d57357d8a979afcd4cd46a2ec78b916",
	"title": "More Signs of a Qakbot Resurgence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145863,
	"plain_text": "More Signs of a Qakbot Resurgence\r\nBy Akshaya Asokan\r\nArchived: 2026-04-06 00:30:25 UTC\r\nCybercrime, Endpoint Detection & Response (EDR), Fraud Management & Cybercrime\r\nQakbot Wouldn't Be the First Trojan to Come Back After a Takedown • February 13, 2024\r\nSecurity researchers are seeing new examples of Qakbot malware. (Image: Shutterstock)\r\n\r\nTakedowns aren't always forever in cyberspace. Months after a U.S. law enforcement operation dismantled the notorious Qakbot botnet, security researchers say signs point to a resurgence.\r\n\r\nSomeone with access to the Qakbot - also known as Qbot - source code is experimenting with new builds and making incremental changes, said researchers from Sophos on social media.\r\n\r\nMalware analysts said they had first spotted new Qakbot samples in mid-December - around the time that Microsoft Threat Intelligence tweeted that it had found a low-volume campaign targeting the hospitality industry through a PDF purportedly from the U.S. Internal Revenue Service that contained a downloader that calls the Trojan.\r\n\r\nAt the time of the August takedown, Qakbot was one of the world's longest-running botnets and accounted for hundreds of millions of dollars of losses. As part of an operation dubbed \"Duck Hunt,\" authorities pushed a removal tool to more than 700,000 Qakbot-infected endpoints to excise malware from system memory.\r\n\r\nAlthough the malware took shape in 2008 as a banking Trojan, its operators evolved over the years to become an initial access broker for other cybercriminals. They sold access to criminal gangs, including Russian-speaking ransomware operations (see: Operation 'Duck Hunt' Dismantles Qakbot).\r\n\r\n\"It's likely the evolution of Qakbot will continue, until and unless its creators face criminal prosecution,\" said Andrew Brandt, principal researcher at Sophos. Many cybercrime service providers operate from Russia, which doesn't extradite its citizens. \"The good news is: For now, these new Qakbot variants are easy to detect and block with previously created signatures in endpoint detection software.\"\r\n\r\nResearchers from Cisco Talos identified phishing messages from Qakbot as early as October, which suggests that Duck Hunt may not have affected Qakbot operators' spam delivery infrastructure.\r\n\r\nAmong the malware's new capabilities are improved encryption to conceal strings and to communicate with the command-and-control server. It also now checks to see whether it's running inside a virtual machine and enters an infinite loop if it detects one. Previous generations of the malware had that capability, but the operators had removed it.\r\n\r\nThe new variant seems to be in the development stage, and malware authors are adding more capabilities on the go.\r\n\r\nQakbot would hardly be the first major Trojan to come back from the dead. Operators of TrickBot and Emotet rebounded from infrastructure takedowns, although their later iterations were less fearsome (see: Cybercrime Tremors: Experts Forecast Qakbot Resurgence).\r\n\r\nSource: https://www.bankinfosecurity.com/more-signs-qakbot-resurgence-a-24352",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bankinfosecurity.com/more-signs-qakbot-resurgence-a-24352"
	],
	"report_names": [
		"more-signs-qakbot-resurgence-a-24352"
	],
	"threat_actors": [],
	"ts_created_at": 1775439009,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41c9cfe95d57357d8a979afcd4cd46a2ec78b916.pdf",
		"text": "https://archive.orkl.eu/41c9cfe95d57357d8a979afcd4cd46a2ec78b916.txt",
		"img": "https://archive.orkl.eu/41c9cfe95d57357d8a979afcd4cd46a2ec78b916.jpg"
	}
}