{
	"id": "c122b936-aeb6-45b6-826b-86d753c34f28",
	"created_at": "2026-04-06T00:18:09.502655Z",
	"updated_at": "2026-04-10T13:11:55.863844Z",
	"deleted_at": null,
	"sha1_hash": "57b3d6cd08f944860f3a066777ca34cffc138cff",
	"title": "Qbot is Back.Connect",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 761452,
	"plain_text": "Qbot is Back.Connect\r\nBy Jason Reaves\r\nPublished: 2025-01-20 · Archived: 2026-04-05 16:29:35 UTC\r\nBy: Joshua Platt, Jason Reaves and Jonathan McCay\r\nQBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since around 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 (Command and Control) servers for payload targeting and execution.\r\nOn May 30th, 2024, law enforcement action[1] was taken against the Qbot operators in a coordinated effort to disrupt their activities. While the action did disrupt the activity, new signs point to a re-emergence of the operators.\r\nBefore we get to the interesting connection, research recently emerged from ZScaler on the addition of DNS tunneling to Zloader[2]. Their analysis highlighted a sample that, upon further review, contained some curious overlaps:\r\nSHA256: 22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764\r\nURL: vector123[.]xyz/PixelSignal.dll\r\nIP: 80.66.89.100\r\nThe IP hosted a more interesting delivery with two overlaps:\r\nhxxp://146.19.128.138/pack.dat\r\nhxxps://80.66.89.100/pack.dat\r\nA pivot into relations shows a ZIP file named ‘pack.dat’:\r\nc8bddb338404a289ac3a9d6781d139314fab575eb0e6dd3f8e8c37410987e4de\r\nTaking a look inside the ZIP:\r\n   Date      Time    Attr         Size   Compressed  Name\r\n------------------- ----- ------------ ------------ ------------------------\r\n2024-08-22 09:52:30 .....      1096192       545458  winhttp64.dll\r\n2023-11-01 17:17:28 .....      6083072      1930818  libcrypto-3-x64.dll\r\n2023-11-01 17:17:28 .....       776704       272981  libssl-3-x64.dll\r\n2024-11-13 03:28:05 .....      4209176      1699649  OneDriveStandaloneUpdater.exe\r\n2024-11-19 13:53:12 .....      1366528      1366738  settingsbackup.dat\r\n2024-11-13 12:01:31 .....      1239040       283066  winhttp.dll\r\n------------------- ----- ------------ ------------ ------------------------\r\n2024-11-19 13:53:12           14770712      6098710  6 files\r\nA few things can be quickly ascertained here: three of the files have newer dates than the others. Two of them share the same date, while the .dat file has a later date. Assuming the DLL we looked at earlier, which is the ‘winhttp.dll’ file from this ZIP, is loaded by OneDriveStandaloneUpdater.exe, then it will perhaps use the .dat file later. The PDB path of the DLL also suggests something intended to be side loaded.\r\nOneDriveStandaloneUpdater.exe\r\nF:\\dbs\\sh\\odct\\1021_111212\\client\\onedrive\\Product\\StandaloneUpdater\\exe\\obj\\amd64\\OneDriveStandalone\r\nThis file will in fact load the winhttp.dll file:\r\nZ:\\j\\projects\\dll_side\\dll_side\\x64\\DebugDllOnedriveUpdater\\dll_side.pdb\r\nThis DLL will load and decrypt the previously seen .dat file before displaying some sort of test message:\r\nThe ‘Decode_and_load’ function will open and read in the .dat file:\r\nbefore RC4 decrypting it using a hardcoded 0x80 byte key:\r\nDecrypting it ourselves shows it is a PE file:\r\n>>> data = open('settingsbackup.dat', 'rb').read()\r\n>>> from Crypto.Cipher import ARC4\r\n>>> # key holds the hardcoded 0x80-byte RC4 key recovered from the DLL (not reproduced here)\r\n>>> rc4 = ARC4.new(key)\r\n>>> t = rc4.decrypt(data)\r\n>>> t[:100]\r\nb'MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\r\nDecoded PE file:\r\nZ:\\j\\projects\\bc_ssl\\x64\\DebugDLL\\bc_ssl_client.pdb\r\nNew BackConnect\r\nAt startup, the BC module client thread hooks the low-level createprocess and exitprocess functions before heading into the main functionality:\r\nInside the main working function the module looks for running copies of itself:\r\nIt then begins a sleep loop that checks for a hardcoded registry key of ‘Software\\\\TitanPlus’:\r\nThis value is passed to a function that parses the string on the semicolon character:\r\nEventually these values are passed to the main worker function, ‘nattun_client_loop’:\r\nWhen the client connects, it sends information about the infected system:\r\nWhile pivoting on the PDB information we managed to find a number of interesting files with references to Qbot.\r\n4b4398f64e574cfdb8de05d388d97ed255e888045f0316808311f51f63212efb\r\nZ:\\j\\projects\\qbot4\\tests\\test_wmi\\Release\\x64\\test_wmi.pdb\r\n7215d9421e0a6d1a7cfde3f6d742670550fed009585ab35b53cbb845f63c5f74\r\nZ:\\j\\projects\\qbot4\\Release\\Win32\\qd_x86.pdb\r\nThe references on this qd_x86 file:\r\nhxxps://upd5[.pro/update/qd_x86.exe\r\nThis file looks like it might be some sort of debugging tool:\r\nUsage: %S <-t | -T | -s | -i | -c cmd | -h | -n base_random_name | -l seclog_file brn | -L seclog_blz\r\n -t send shutdown command to bot\r\n -T stop bot, and clean config\r\n -s run as test server\r\n -c cmd send server command\r\n -n [base_random_name] generate nick for local host or from base_random_name\r\n -l seclog_file [base_random_name] decrypt seclog to stdout\r\n -L seclog_file decrypt blzipped seclog to stdout\r\n -i decrypt current config to stdout\r\n -b check Update running\r\n -dm file drop saved main dll to disk\r\n -du file drop update dll to disk\r\n -h print this help\r\nA certain string related to a command can be traced back to the law enforcement takedown of Qbot.[3]\r\nQPCMD_BOT_SHUTDOWN sent ok.\r\nIn addition to the new backConnect malware developed by the Qbot operators, research has emerged tying zloader[4] activity to that of the BlackBasta ransomware operation. It is highly likely this new side-loaded backConnect malware has been, or will be, used to further ransomware attacks. We have released a YARA rule to better identify the samples and help with detection.\r\nIOCs\r\nRegistry:\r\nSoftware\\\\TitanPlus\r\nYARA\r\nrule new_bc\r\n{\r\n    strings:\r\n        $a1 = {4a6869736864694932556873766f6339346b65696f6a6e376e7331396d30646f}\r\n    condition:\r\n        all of them\r\n}\r\nReferences\r\n1: https://operation-endgame.com/\r\n2: https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling\r\n3: https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot\r\n4: https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/\r\nSource: https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f"
	],
	"report_names": [
		"qbot-is-back-connect-2d774052369f"
	],
	"threat_actors": [],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57b3d6cd08f944860f3a066777ca34cffc138cff.pdf",
		"text": "https://archive.orkl.eu/57b3d6cd08f944860f3a066777ca34cffc138cff.txt",
		"img": "https://archive.orkl.eu/57b3d6cd08f944860f3a066777ca34cffc138cff.jpg"
	}
}