{
	"id": "275c76fd-56af-4c2a-8e0c-521ec2f7acad",
	"created_at": "2026-04-06T00:16:11.182469Z",
	"updated_at": "2026-04-10T03:23:52.399391Z",
	"deleted_at": null,
	"sha1_hash": "54fdd2b78d3d34904719bf67a9492923c3467fd1",
	"title": "A closer look at Qakbot’s latest building blocks (and how to knock them down) | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1981656,
	"plain_text": "A closer look at Qakbot’s latest building blocks (and how to knock\r\nthem down) | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-12-09 · Archived: 2026-04-05 19:41:07 UTC\r\nMultiple Qakbot campaigns that are active at any given time prove that the decade-old malware continues to be\r\nmany attackers’ tool of choice, a customizable chameleon that adapts to suit the needs of the multiple threat actor\r\ngroups that utilize it. Since emerging in 2007 as a banking Trojan, Qakbot has evolved into a multi-purpose\r\nmalware that provides attackers with a wide range of capabilities: performing reconnaissance and lateral\r\nmovement, gathering and exfiltrating data, or delivering other payloads on affected devices.\r\nIts modular nature allows Qakbot to persist in today’s computing landscape because it enables attackers to pick\r\nand choose the “building blocks” they need for each attack chain depending on the network environment the\r\nmalware lands on. In many cases, the attackers who deliver Qakbot also sell access to affected devices to other\r\nthreat actors, who use the said access for their own goals. For example, Qakbot infections have been known to\r\nlead to human-operated ransomware, including Egregor or Conti. Its impact, therefore, is far-reaching: based on\r\nour threat data, recent Qakbot activities are seen in several countries and territories across almost all the\r\ncontinents: Africa, Asia, Europe, and the Americas.\r\nQakbot’s modularity and flexibility could pose a challenge for security analysts and defenders because concurrent\r\nQakbot campaigns could look strikingly different on each affected device, significantly impacting how these\r\ndefenders respond to such attacks. 
Therefore, a deeper understanding of Qakbot is paramount in building a\r\ncomprehensive and coordinated defense strategy against it.\r\nBased on our research and analysis of three recent notable Qakbot campaigns, we break down a Qakbot attack\r\nchain into several distinct building blocks. Within each campaign, some of these building blocks are consistent,\r\nalthough not all will be observed. Knowing these details allows defenders to correctly identify related threats and\r\nattacks, regardless of their source. Such intelligence and insights also feed into Microsoft’s multi-layer protection\r\ntechnologies, like those delivered through Microsoft 365 Defender, to detect and block these threats at various\r\nstages of the attack chain.\r\nThis blog post provides technical details of each of the building blocks that comprise Qakbot campaigns. It also\r\nincludes mitigation recommendations and advanced hunting queries to help defenders proactively surface this\r\nthreat.\r\nFrom email to ransomware: Breaking down a Qakbot campaign\r\nLike other modular malware, Qakbot infections may look different on each affected device, depending on the\r\noperator using the said malware and their deployment of the threat campaign. However, based on our analysis, one\r\ncan break down a Qakbot-related incident into a set of distinct “building blocks,” which can help security analysts\r\nidentify and respond to Qakbot campaigns. Figure 1 below represents these building blocks. From our\r\nhttps://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/\r\nPage 1 of 17\n\nobservation, each Qakbot attack chain can only have one block of each color. The first row and the macro block\r\nrepresent the email mechanism used to deliver Qakbot.\r\nFigure 1. Qakbot attack chain “building blocks” observed\r\nCertain building blocks within each campaign are consistent, but not all of them are observed on each affected\r\ndevice. 
As seen in a sample Qakbot campaign below (Figure 2), the top two rows represent the mechanisms\r\nadopted to deliver the malware on the three devices, while the succeeding ones are the activities it performs once\r\nrunning on each device. For instance, notice that Devices A and C were seen to have email exfiltration, while\r\nDevice B was not:\r\nFigure 2. Sample differences among devices affected by a single Qakbot campaign\r\nTherefore, from an analyst’s viewpoint, what Figure 2 implies is that even if email exfiltration was not observed in\r\none device, it doesn’t mean that this routine didn’t happen at all in their organization’s network.\r\nFrom our research, we identified ten building blocks, which we will discuss in the succeeding sections.\r\nEmail delivery\r\nQakbot is delivered via one of three email methods: malicious links, malicious attachments, or, more recently,\r\nembedded images.\r\nThe messages in these email campaigns typically consist of one- or two-sentence lures (for example, “please see\r\nattached” or “click here to view a file”). Such brevity provides sufficient information and a call to action for the\r\ntarget users but little for content security solutions to detect.\r\nFigure 3. Sample Qakbot campaign email message\r\nMalicious links\r\nThe email campaigns we observed delivering Qakbot typically include the URLs that download the malware on\r\ntarget devices in the message body. Earlier this year, we began to observe that some of these URLs were missing\r\nthe HTTP or HTTPS protocol, rendering them unclickable in most email clients. 
Therefore, to download the\r\nmalware, target recipients had to manually enter the link into a browser.\r\nFigure 4. Sample Qakbot campaign email containing an unclickable URL and fake-reply lure\r\nAlthough the missing protocol poses a challenge for some email security solutions that detonate links through\r\nsandboxing, the extra step needed from targets to copy and paste the URL hinders the attack’s success rate.\r\nHowever, it should also be noted that what the messages sometimes lack in formatting, they make up for in the\r\ncontent by using fake-reply lures.\r\nThis fake-reply technique, which has already been seen in previous Qakbot and other major malware delivery\r\ncampaigns, uses stolen subject lines and message content to construct a malicious reply to appear as part of a prior\r\nemail thread. Qakbot is also known for reusing email threads exfiltrated from prior infections to create new\r\ntemplates for their next email campaign runs, allowing an attacker to use an actual subject line and message\r\ncontent to construct the spoofed reply. This increases the likelihood of target users clicking or copy-pasting the\r\nlink because the message they receive from this campaign feels more expected. At the same time, attackers benefit\r\nfrom growing entropy among messages because no two emails in the same campaign will be alike. Unfortunately,\r\nsuch entropy also makes it more difficult for security analysts and defenders to fully scope a campaign.\r\nMalicious attachments\r\nSome Qakbot-related emails sent by attackers may include a ZIP file attachment. Within the ZIP is a spreadsheet\r\ncontaining Excel 4.0 macros.\r\nThe attachment name is meant to appear as an official corporate document to trick a target recipient into opening\r\nit. 
For example, between September and November this year, the naming patterns we observed for the attachment\r\nincluded but were not limited to the following:\r\nCMPL-[digits]-[month]-[day].zip\r\nCompensation_Reject-[digits]-[mmddyyyy].zip\r\nDocument_[digits]-[mmddyyyy].zip\r\nDocument_[digits]-Copy.zip\r\nPRMS-[digits].zip\r\nRebate-[digits]-[mmddyyyy].zip\r\nREF-[digits]-[month]-[day].zip\r\nTXN-[digits].zip\r\nFigure 5. Sample Qakbot campaign email containing a ZIP attachment\r\nEmbedded images\r\nIn its third and most recent evolution, Qakbot arrives via an email message that only contains an embedded image\r\nin its body, a stark contrast to its previous delivery methods that used file attachments or direct hyperlinks. We\r\nuncovered this Qakbot campaign while investigating malware infections from malicious Excel files associated\r\nwith emails that abuse Craigslist’s email messaging system to deliver malicious files—a routine first reported by\r\nINKY.\r\nThis campaign is more involved than previous Qakbot email campaigns because, unlike its previous delivery\r\nmethods, the malicious components in the email (in this case, the malicious URL) are not in the message body as\r\ntext but are contained instead within an image designed to look like the message body. The image instructs\r\nrecipients to type the URL directly in their browser to download an Excel file that eventually leads to Qakbot.\r\nThe said image is a screenshot of text formatted to impersonate an automated Craigslist notification, and it\r\ninforms the target recipient of a supposed policy infraction on their Craigslist posting. 
The said fake notification\r\nfurther instructs the user to enter a URL into a browser to access a form for more detailed information, threatening\r\nto delete their account if they don’t comply.\r\nFigure 6. Craigslist campaign email luring targets with an embedded image\r\nAttackers crawl Craigslist ad posts to harvest email relay addresses, where they then send custom-crafted\r\nmessages directly. The email relay receives the sent messages and removes personal data (including the sender’s\r\nactual email address), appends original post details to the end of the message, then forwards it through Craigslist\r\ninfrastructure to mask the original sender. As a result, the ad owner will receive an anonymized email sent from\r\nthe legitimate craigslist.org domain.\r\nThe attackers’ abuse of the email relay system allows them to remain anonymous and impersonate Craigslist. It\r\nalso adds a sense of legitimacy to the messages because they come from a popular domain that is generally deemed\r\nsafe by traditional security solutions.\r\nBased on our observation, this email campaign replies to job-related ads, which we believe is the attackers’\r\nattempt to target recipients who open such types of messages while connected to a corporate network. However,\r\nbased on our threat data, users’ success rate accessing the related malicious domains is relatively low. 
Such a\r\nresult is likely because the campaign requires the target recipients to perform the additional step of typing a URL.\r\nMacro enablement\r\nDespite the varying email methods attackers are using to deliver Qakbot, these campaigns have in common their\r\nuse of malicious macros in Office documents, specifically Excel 4.0 macros. It should be noted that while threats\r\nuse Excel 4.0 macros as an attempt to evade detection, this feature is now disabled by default and thus requires\r\nusers to enable it manually for such threats to execute properly.\r\nOnce the user downloads and opens the malicious Excel file, the text in the document attempts to lure them into\r\nenabling the macro. The said text claims that the file is “protected” by a service such as Microsoft or DocuSign,\r\nand that the user must enable the macro to view the document’s actual content.\r\nFigure 7. XLS file with a DocuSign lure urging targets to enable macros\r\nIf the user goes ahead and enables the macro, Excel immediately checks if there is a subprocedure predefined in\r\nthe macro to run automatically once the document opens; in this case, auto_open(). The Visual Basic for\r\nApplications (VBA) code written within this subprocedure creates a new macrosheet and then writes Excel 4.0\r\nformulas in several of its cells. Next, it jumps to one cell in this sheet by calling the Application.Run method. In\r\nthis way, the VBA code starts the Excel 4.0 macro code that was just written to the macrosheet.\r\nFigure 8. 
Example of an Excel 4.0 macro generated by the VBA script.\r\nGenerating and calling an Excel 4.0 macro from VBA is an evasion technique to prevent static analysis tools from\r\ndecoding the macro. When the user closes the document, the auto_close() function launches to clean up and\r\nremove the malicious macrosheet created by the VBA macro.\r\nQakbot delivery\r\nOnce macros are enabled, the next phase of the attack begins. First, the macro connects to a predefined set of IP\r\naddresses or domains to download the malicious files. Some macros are designed to connect to three domains\r\nsimultaneously, downloading a file of the same name. This is likely done for one of two reasons: first, as a\r\nredundancy measure to ensure that the malware is still delivered even if one or two of the domains have been\r\nblocked or taken down; and second, to enable the attacker to deliver multiple payloads if desired.\r\nFigure 9. Portion of the generated Excel 4.0 macro that shows its attempts to download three payloads from three\r\nlocations.\r\nIn most cases, the downloaded file is a Portable Executable (PE) file renamed with either an .htm or .dat file\r\nextension, in order to bypass web filtering systems that prevent certain file types. Depending on the specific\r\ncampaign, the naming of these files varies greatly. For example, a recent campaign using .htm files named them\r\nwith simple letters and numbers, such as goh[1].htm or j[1].htm. However, a separate campaign that used an\r\ninvoice theme and used .dat files named them with an extremely long string of numbers, such as\r\n44494.4409064815[1].dat. 
Again, these differences from campaign to campaign highlight that Qakbot is used\r\nsimultaneously by different threat actors, which can make concurrent campaigns of the same malware look\r\nstrikingly different.\r\nOnce this file is downloaded onto the device, the file is promptly renamed to a different file name with a\r\nnonexistent file name extension. Some examples include test.test and good.good (derived from .htm files), or\r\nGiCelod.waGic and Celod.wac (derived from .dat files). In many of the incidents involving .htm files, a folder\r\ncalled C:\\Datop is created, and the files are saved in that location. Meanwhile, the incidents with .dat files are\r\nsaved in the C:\\Users\\AppData\\Local\\Temp location.\r\nProcess injection for discovery\r\nWhichever file the user ends up with is loaded using regsvr32.exe, which injects into a legitimate process. Both\r\nMSRA.exe and Mobsync.exe have been used for this process injection behavior in recent Qakbot-related\r\ncampaigns.\r\nThe injected process is then used for a series of discovery commands, including the following:\r\nScheduled tasks\r\nThe injected process from the previous building block then creates a .dll file with a randomly generated name.\r\nThis DLL is used to query existing scheduled tasks for a specific ID, and if that scheduled task does not already\r\nexist, the DLL creates the task. 
The scheduled task is to run a predefined task as a means of persistence, as\r\noutlined in the following command line:\r\nThis scheduled task is created with the /F flag, which is used to suppress warnings if the specified task already\r\nexists, even though the malware has already queried for a specific scheduled task.\r\nCredential and browser data theft\r\nQakbot attempts to steal credentials from multiple locations. First, the injected MSRA.exe or Mobsync.exe process\r\nloads the Vault Credential Library file to enumerate credentials. Additionally, this process injects into ping.exe and\r\nattempts to read credentials from CredMan using the passport.net\\* parameter.\r\nQakbot also targets browser data. The injected process launches the esentutl.exe process. Browser data, including\r\ncookies and browser history, are recovered from the web cache using the following commands:\r\nThese commands specifically look for log files, system files, and database files (/l, /s, and /d).\r\nEmail exfiltration\r\nAs mentioned in a previous section, many of the emails delivering Qakbot use the fake-reply technique. To do\r\nthis, Qakbot is also designed to exfiltrate emails from affected devices.\r\nTo exfiltrate emails, the injected process injects into the ping.exe process and launches a command to ping\r\nlocalhost:\r\nFrom there, ping.exe is used to copy dozens of email message files and save them in an “Email Storage” folder.\r\nThese email messages are saved with a sequential naming schema, starting with 1.eml and increasing by one for as\r\nmany email messages as the attacker copies. 
We have identified instances where the attacker copied out over 100\r\nmessage files from a single device.\r\nOnce the copied email files are exfiltrated, the evidence of the action is deleted by removing the “Email Storage”\r\nfolder using the rmdir command.\r\nAdditional payloads, lateral movement, and ransomware\r\nAs is the case with many malware variants today, getting Qakbot onto a device is frequently just the first step in\r\nwhat ends up being a larger attack. Attackers can use the access from Qakbot infections to deliver additional\r\npayloads or sell access to other threat actors who can use the purchased access for their objectives.\r\nIn many cases, attackers will expand the scope of their attack by using credentials obtained in earlier stages of the\r\nattack to move laterally throughout the network. In several instances, attackers would move laterally using\r\nWindows Management Instrumentation (WMI) and drop a malicious DLL on the newly accessed device. From\r\nthere, the attacker will run the same series of discovery commands as they did on the initial access device and will\r\nconduct further credential theft.\r\nIn other instances, other malicious files are dropped in conjunction with the malicious DLL. For example, several\r\nBAT files that were specifically designed to turn off security tools on the affected device were dropped before\r\ndropping the malicious DLL. These slight differences in the attack chain are evidence of multiple actors using\r\nQakbot for lateral movement.\r\nIn addition to lateral movement, attackers frequently drop additional payloads on affected devices, especially\r\nCobalt Strike. Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot\r\ninfections may also drop their own Cobalt Strike beacons and additional payloads. 
Using Cobalt Strike lets\r\nattackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional\r\ndiscovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor.\r\nResurging and evolving threats require coordinated threat defense\r\nQakbot’s continued prevalence in the threat landscape demands comprehensive protection capable of detecting\r\nand stopping this malware, its components, and other similar threats at every stage of the attack chain: email\r\ndelivery, network activity, endpoint behavior, and follow-on attacker activities. Microsoft 365 Defender provides\r\ncoordinated defense using multiple layers of dynamic protection technologies—including machine learning-based\r\nprotection—and correlating threat data from email, endpoints, identities, and cloud apps. It is also backed by a\r\nglobal network of threat experts who continuously monitor the threat landscape for new, resurging, and evolving\r\nattacker tools and techniques.\r\nMicrosoft Defender for Office 365 detects and blocks emails that attempt to deliver Qakbot. Safe Links and Safe\r\nAttachments provide real-time protection by leveraging a built-in sandbox that examines and detonates links and\r\nattachments in messages before they get delivered to target recipients. However, for those messages without such\r\nartifacts, Microsoft Defender SmartScreen in Microsoft Edge and other web browsers that support it blocks the\r\nmalicious websites and prevents downloading the malicious Excel file on devices.\r\nOn endpoints, attack surface reduction rules detect and block common attack techniques used by Qakbot and\r\nsubsequent threats that may result from its activities. Endpoint detection and response (EDR) capabilities detect\r\nmalicious files, malicious behavior, and other related events before and after execution. 
Network protection also\r\nblocks subsequent attempts by Qakbot to connect to malicious domains and IP addresses, and Advanced hunting\r\nlets defenders create custom detections to proactively find this malware and other related threats.\r\nDefenders can also take the following mitigation steps to reduce the impact of Qakbot in their organizations:\r\nCheck your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with\r\nmalware. Use Office 365 security for enhanced phishing protection and coverage against new threats and\r\npolymorphic variants. Configure Office 365 to recheck links on click.\r\nEnable Zero-hour auto purge (ZAP) in Exchange Online, which is an email protection capability that\r\nretroactively detects and neutralizes malicious messages that have already been delivered in response to\r\nnewly acquired threat intelligence.\r\nEncourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies\r\nand blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host\r\nmalware. Enable network protection to prevent applications or users from accessing malicious domains and\r\nother malicious content on the internet.\r\nStop malicious XLM or VBA macros by ensuring runtime macro scanning by Windows Antimalware Scan\r\nInterface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run\r\nTime Scan Scope is set to Enable for All Files or Enable for Low Trust Files.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus\r\nproduct to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections\r\nblock a huge majority of new and unknown variants.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nRun EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when\r\nyour non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in\r\npassive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are\r\ndetected post-breach.\r\nEnable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to\r\ntake immediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nUse device discovery to increase your visibility into your network by finding unmanaged devices on your\r\nnetwork and onboarding them to Microsoft Defender for Endpoint.\r\nUse multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA\r\nalways-on for privileged accounts and apply risk-based MFA for normal accounts. Consider transitioning\r\nto a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for\r\nBusiness.\r\nRun realistic, yet safe, simulated phishing and password attack campaigns in your organization using\r\nAttack Simulator for Microsoft Defender for Office 365. Run spear-phishing (credential harvest)\r\nsimulations to train end users against clicking URLs in unsolicited messages and disclosing their\r\ncredentials.\r\nEducate end users about identifying lures in spear-phishing emails and watering hole attacks, protecting\r\npersonal and business information in social media, and filtering unsolicited communication. 
Encourage\r\nusers to report reconnaissance attempts and other suspicious activity.\r\nLearn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.\r\nMicrosoft 365 Defender Threat Intelligence Team\r\nAppendix\r\nMicrosoft researchers published the following threat analytics reports, which are available to Microsoft 365\r\nDefender customers through the Microsoft 365 security center:\r\nMalware profile: Qakbot provides additional information about Qakbot’s building blocks discussed in this\r\nblog post, including references to previously monitored campaigns and detailed mitigation steps\r\nThreat Insights: Qakbot abuses Craigslist email relay provides more technical details about the Craigslist\r\nemail abuse campaign that was recently seen delivering Qakbot\r\nThese reports serve as a good starting point for organizations to understand these active attacks, determine if they\r\nare affected, and investigate related incidents and alerts. 
The reports provide and consolidate real-time data\r\naggregated from across Microsoft 365 Defender, indicating the all-up impact of the threat to the organization.\r\nThe following sections provide the specific Microsoft 365 Defender detections that can help surface Qakbot and\r\nrelated threats.\r\nAntivirus\r\nMicrosoft Defender Antivirus detects Qakbot installers as the following malware:\r\nQakbot downloader\r\nTrojanDownloader:O97M/Qakbot\r\nQakbot implant\r\nTrojan:Win32/QBot\r\nTrojan:Win32/Qakbot\r\nTrojanSpy:Win32/Qakbot\r\nQakbot behavior\r\nBehavior:Win32/Qakbot.A\r\nAdditional detections based on activity group behavior\r\nDue to Qakbot’s high likelihood of transitioning to human-operated attack behaviors including data exfiltration,\r\nlateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely. During\r\nthe activity described in this report, at least one major activity group was provided Qakbot access after initial\r\ninfection, but other groups have been known to purchase access, so any initial infection indicated by advanced\r\nhunting queries, behavior, or Qakbot infection should be fully investigated.\r\nBehavior:Win32/Mikatz.gen!B\r\nBehavior:Win32/MimikatzTrigger\r\nBehavior:Win32/TurtleLoader.A!dha\r\nBehavior:Win32/CobaltStrike.A!nri\r\nBehavior:Win32/UACBypassExp.A!mmc\r\nEndpoint detection and response (EDR)\r\nAlerts with the following titles in the security center can indicate threat activity on your network related directly to\r\nthe material in this report covering Qakbot initial infection and future human-operated or ransomware activity:\r\nQakbot malware\r\nQakbot credential stealer\r\nQakbot download URL\r\nQakbot network infrastructure\r\nEmail security\r\nMicrosoft Defender for Office 365 offers enhanced solutions for blocking and identifying 
malicious emails. In the\r\nemail entity page, administrators can get enhanced information on emails in a unified view. Administrators can\r\nview known campaigns impacting inboxes and investigate malicious emails by drilling down to view all\r\nattachments or URL detonation details from dynamic analysis.\r\nThe following dynamic detonation signature may indicate threat activity associated with Qakbot. By utilizing\r\nemail Campaigns view, you can filter based on campaign subtype for the following signals. These signals,\r\nhowever, can be triggered by unrelated threat activity:\r\nDownloader_Macro_Donoff_ZGA\r\nAdvanced hunting\r\nThe following Advanced Hunting Queries are accurate as of this writing. For the most up-to-date queries, visit\r\naka.ms/QakbotAHQ.\r\nTo locate possible exploitation activity, run the following queries in Microsoft 365 Defender.\r\nCraigslist impersonation domains lead to XLS download\r\nUse this query to locate devices connecting to malicious domains registered to impersonate Craigslist.org. These\r\ndomains act as redirectors which direct the target to a malicious XLS download.\r\nDeviceNetworkEvents\r\n| where RemoteUrl matches regex @\"abuse\\.[a-zA-Z]\\d{2}-craigslist\\.org\"\r\nQakbot-favored process execution after anomalous Excel spawning\r\nUse this query to find Excel launching anomalous processes congruent with Qakbot payloads which contain\r\nadditional markers from recent Qakbot executions. 
The presence of such anomalous processes indicates that the\r\npayload was delivered and executed, though reconnaissance and successful implantation haven’t been completed\r\nyet.\r\nDeviceProcessEvents\r\n| where InitiatingProcessParentFileName has \"excel.exe\" or InitiatingProcessFileName =~ \"excel.exe\"\r\n| where InitiatingProcessFileName in~ (\"excel.exe\",\"regsvr32.exe\")\r\n| where FileName in~ (\"regsvr32.exe\", \"rundll32.exe\")\r\n| where ProcessCommandLine has @\"..\\\"\r\nQakbot reconnaissance activities\r\nUse this query to find reconnaissance and beaconing activities after code injection occurs. Reconnaissance\r\ncommands are consistent with the current version of Qakbot and occur automatically to exfiltrate system\r\ninformation. This data, once exfiltrated, will be used to prioritize human-operated actions.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName == InitiatingProcessCommandLine\r\n| where ProcessCommandLine has_any (\r\n\"whoami /all\",\"cmd /c set\",\"arp -a\",\"ipconfig /all\",\"net view /all\",\"nslookup -querytype=ALL -timeout=10\",\r\n\"net share\",\"route print\",\"netstat -nao\",\"net localgroup\")\r\n| summarize dcount(FileName), make_set(ProcessCommandLine) by DeviceId,bin(Timestamp, 1d),\r\nInitiatingProcessFileName, InitiatingProcessCommandLine\r\n| where dcount_FileName \u003e= 8\r\nQakbot email stealing by ping.exe\r\nUse this query to find email stealing activities run by Qakbot that will use “ping.exe -t 127.0.0.1” to obfuscate\r\nsubsequent actions. 
Stolen emails might be exfiltrated to the operators, and such theft indicates that the malware\r\ncompleted a large portion of its automated activity without interruption.\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName =~ 'ping.exe'\r\n| where FileName endswith '.eml'\r\nGeneral attempts to access local email store\r\nUse this query to find attempts to access files in the local path containing Outlook emails.\r\nDeviceFileEvents\r\n| where FolderPath hasprefix \"EmailStorage\"\r\n| where FolderPath has \"Outlook\"\r\n| project FileName, FolderPath, InitiatingProcessFileName,\r\nInitiatingProcessCommandLine, DeviceId, Timestamp\r\nEmail collection for exfiltration\r\nUse this query to find attempts to copy and store emails for later exfiltration.\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName =~ 'ping.exe' and InitiatingProcessCommandLine == 'ping.exe -t 127.0.0.1'\r\nand InitiatingProcessParentFileName in~('msra.exe', 'mobsync.exe') and FolderPath endswith \".eml\"\r\nSource: https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/"
	],
	"report_names": [
		"a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54fdd2b78d3d34904719bf67a9492923c3467fd1.pdf",
		"text": "https://archive.orkl.eu/54fdd2b78d3d34904719bf67a9492923c3467fd1.txt",
		"img": "https://archive.orkl.eu/54fdd2b78d3d34904719bf67a9492923c3467fd1.jpg"
	}
}