{
	"id": "e293361a-22bd-42cd-801a-4ca4f6fac7ea",
	"created_at": "2026-04-06T00:09:26.653958Z",
	"updated_at": "2026-04-10T03:24:30.116773Z",
	"deleted_at": null,
	"sha1_hash": "460b58d56cf4765e920d5d15a239b5afcc080178",
	"title": "Malware | Qakbot - the takedown and the remediation | Spamhaus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 927206,
	"plain_text": "Malware | Qakbot - the takedown and the remediation | Spamhaus\r\nArchived: 2026-04-05 23:13:49 UTC\r\nIntroduction\r\nWriting \"Qakbot\" and \"takedown\" in the same sentence is quite something. Usually, Spamhaus is bemoaning the ever-growing number of compromised IPs associated with this malware. But on Tuesday, August 29th, 2023, the Federal Bureau of Investigation (FBI) announced that it had coordinated an international group of law enforcement authorities in Operation 'Duck Hunt' to take control of the Qakbot infrastructure. Working together with the relevant authorities, the Spamhaus Project is assisting with remediation efforts.\r\nWe've previously reported on takedowns, for example Emotet, whose infrastructure was disrupted in January 2021. Like the takedown of Qakbot, it resulted from a highly coordinated effort between multiple countries. This time, the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia all worked together, led by the FBI, to disrupt the Qakbot botnet infrastructure used by cybercriminals.\r\nHowever, one notable difference between the Emotet and Qakbot takedowns is the novel method employed to \"disrupt the duck\". Through Bureau-controlled servers, the FBI instructed infected computers to download an uninstaller file. This uninstaller, specifically created to remove the Qakbot malware, untethered infected computers from the botnet and prevented the installation of any additional malware. We won't lie - we think this is genius.\r\nTo be honest, we think the entire operation is to be hugely applauded, and it once again illustrates that in the World Wide Web era, a World Wide Community is required to keep its users safe.\r\nWant to know more about Qakbot?\r\nAnyone who has read the Botnet Updates or Malware Digests will have heard about this malware. Qakbot, around since 2008, has been one of the most significant malware threats to corporate networks. To understand the scale of this threat, here's a data point: in 2022, one in four malware sites shared by abuse.ch's URLhaus was related to Qakbot.\r\nOften serving as the initial access vector, Qakbot has been used by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. These ransomware actors then extort their victims, seeking ransom payments in bitcoin before returning access to the victims' computer networks.\r\nThese ransomware groups have caused significant harm to businesses, healthcare providers, and government agencies worldwide. Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims.\r\nOver the past year, our researchers have observed increased activity: in Q4 2022, Qakbot botnet command and control servers (C\u0026Cs) were associated with 379% more IP addresses than in the previous quarter. Meanwhile, in February 2023, the largest number of Indicators of Compromise (IOCs) reported via abuse.ch's ThreatFox platform were associated with Qakbot.\r\nThe disruption of this malware cannot have come soon enough. We are deeply grateful to all those concerned, and look forward to contributing to the remediation efforts.\r\nSource: https://www.spamhaus.org/news/article/819/qakbot-the-takedown-and-the-remediation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.spamhaus.org/news/article/819/qakbot-the-takedown-and-the-remediation"
	],
	"report_names": [
		"qakbot-the-takedown-and-the-remediation"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/460b58d56cf4765e920d5d15a239b5afcc080178.pdf",
		"text": "https://archive.orkl.eu/460b58d56cf4765e920d5d15a239b5afcc080178.txt",
		"img": "https://archive.orkl.eu/460b58d56cf4765e920d5d15a239b5afcc080178.jpg"
	}
}