{
	"id": "0ab222b2-7d4e-4bb4-a9b9-892b854aa409",
	"created_at": "2026-04-06T01:31:39.858462Z",
	"updated_at": "2026-04-10T03:20:19.356908Z",
	"deleted_at": null,
	"sha1_hash": "5c00ff11db53d0a2ab77ff0d352979f8f95fca13",
	"title": "New Qbot malware variant uses fake Adobe installer popup for evasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2025445,
	"plain_text": "New Qbot malware variant uses fake Adobe installer popup for evasion\r\nBy Bill Toulas\r\nPublished: 2024-02-15 · Archived: 2026-04-06 00:39:53 UTC\r\nThe developer of Qakbot malware, or someone with access to the source code, seems to be experimenting with new builds, as fresh samples have been observed in email campaigns since mid-December.\r\nOne of the variants observed uses a fake installer for an Adobe product on Windows to trick the user into deploying the malware.\r\nAlso named QBot, the malware has served for many years as a loader for various malicious payloads, including ransomware, delivered to victims mainly over email.\r\nhttps://www.bleepingcomputer.com/news/security/new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion/\r\nPage 1 of 5\r\nUntil its takedown last August, QBot had infected over 700,000 systems and in just 18 months caused financial damages estimated at more than $58 million.\r\nCodenamed Duck Hunt, the operation didn’t involve any arrests, and many security researchers believed that Qakbot’s developers would rebuild their infrastructure and restart the distribution campaigns.\r\nLast year, Cisco Talos reported on a Qakbot campaign that had started before the takedown and was still active in early October. The researchers believe this was possible because law enforcement disrupted only the malware's command and control servers, not the spam delivery infrastructure.\r\nIn December 2023, Microsoft observed a QBot phishing campaign impersonating the IRS, confirming fears about the malware’s return.\r\nSophos' advanced threat response joint task force, Sophos X-Ops, noticed fresh Qbot activity recently, with up to 10 new malware builds emerging since mid-December.\r\nThe new developments regarding Qbot have also been noticed by researchers at cloud security company Zscaler, who published a technical report in late January about the malware and its evolution since 2008.\r\nNew QBot variants\r\nSophos X-Ops analysts reverse-engineered new Qbot samples, noting small increments in the build number, which indicates that the developers are testing and refining the binaries.\r\nSamples from December and January came as a Microsoft Software Installer (.MSI) executable that dropped a DLL binary using a .CAB (Windows Cabinet) archive.\r\nThis method differs from previous versions, which injected code into benign Windows processes (AtBroker.exe, backgroundTaskHost.exe, dxdiag.exe) to evade detection.\r\nThe new Qakbot variants use enhanced obfuscation techniques, including advanced encryption to hide strings and command-and-control (C2) communication.\r\nSpecifically, the malware uses AES-256 encryption on top of the XOR method seen in older samples.\r\nThe malware checks for endpoint protection software and has reintroduced checks for virtualized environments, attempting to evade detection by entering an infinite loop if it finds itself on a virtual machine.\r\nAV checks performed by QBot (Sophos)\r\nAdditionally, Qakbot presents a misleading popup suggesting Adobe Setup is running on the system, to trick users with bogus installation prompts that launch the malware regardless of what is clicked.\r\nBogus Adobe installation prompt (Sophos)\r\nSophos researchers say that by monitoring QBot’s development closely, they can update their detection rules and share crucial information with other security vendors.\r\nAlthough only a small number of samples have surfaced since Qbot's C2 infrastructure was taken down last year, researchers believe \"that any activity by threat actors to bring it back deserves surveillance and scrutiny.\"\r\nSource: https://www.bleepingcomputer.com/news/security/new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion/"
	],
	"report_names": [
		"new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion"
	],
	"threat_actors": [],
	"ts_created_at": 1775439099,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c00ff11db53d0a2ab77ff0d352979f8f95fca13.pdf",
		"text": "https://archive.orkl.eu/5c00ff11db53d0a2ab77ff0d352979f8f95fca13.txt",
		"img": "https://archive.orkl.eu/5c00ff11db53d0a2ab77ff0d352979f8f95fca13.jpg"
	}
}