{
	"id": "4307eb97-c151-4e89-b743-dd9bfbb4245c",
	"created_at": "2026-04-06T00:13:27.19899Z",
	"updated_at": "2026-04-10T03:21:28.305463Z",
	"deleted_at": null,
	"sha1_hash": "5cb66c1837b55c35a268d739d56f9ed7afecd6ab",
	"title": "Visualizing QakBot Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1107857,
	"plain_text": "Visualizing QakBot Infrastructure\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 19:23:06 UTC\r\nA Data-Driven Approach based on Analysis of Network Telemetry\r\nThis blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.\r\nThis blog represents an ongoing piece of research; our analysis of QakBot is fluid, with various hypotheses being identified and tested. As and when we uncover new insights into QakBot campaigns, we will seek to provide further written updates.\r\nhttps://www.team-cymru.com/post/visualizing-qakbot-infrastructure\r\nPage 1 of 13\n\nWe are not going to go over the entire history and functionality of Qakbot, for which there are numerous, well-written reports on the subject. However, there are a couple of details relevant for this analysis worth mentioning.\r\n1. Qakbot campaigns are tracked by the threat actors via affiliate IDs that are included in the malware configurations; at present the most active are “Obama” and “BB”.\r\n2. 
Whilst each malware configuration includes a list of around 100 to 150 potential C2s, only a fraction are actually used for bot communications.\r\nRefill your coffee and get comfortable; things are about to get data heavy.\r\nKey Findings\r\nQakBot C2 servers are not separated by affiliate ID.\r\nQakBot C2 servers from older configurations continue to communicate with upstream C2 servers months after being used in campaigns.\r\nIdentification of three upstream C2 servers located in Russia, two of which behave similarly based on network telemetry patterns and the geolocations of the bot C2s communicating with them.\r\nWhen one upstream C2 server goes down for a period of time, other upstream C2 servers see a spike in C2 traffic volume.\r\nThe majority of Qakbot bot C2 servers are likely compromised hosts that were purchased from a third party. Based on our data, most of these compromised hosts are located in India.\r\nActive C2 Servers\r\nBy analyzing outbound connections from known victim-facing C2 servers, we are able to determine upstream management (Tier 2) infrastructure based on communications with common peers. 
In most cases a particular management port is utilized, and generally communications are ‘ongoing’ for extended periods.\r\nOnce this Tier 2 (T2) management layer is identified, we are able to further determine which victim-facing C2 servers are currently active, based on the observation of connections to this T2 layer.\r\nThis is a family-agnostic process, not limited to QakBot C2 infrastructure.\r\nIn the case of Qakbot, C2 servers from campaigns associated with the affiliate IDs “Obama” and “BB” have been communicating with the same three upstream Russian T2 servers over TCP/443 for months.\r\nRussian IP space is often used in higher tiers of botnet infrastructure due to the protection it offers against (non-Russian) LEA activity and researcher visibility. It is a bit of a catch-22, however, since repeated outbound connections to Russian IP space from source IPs located in various random countries tend to stand out as anomalous, or at least, of interest.\r\nUsing C2 configuration data from April 2023 QakBot campaigns, we confirmed that the upstream Russian T2 servers remained unchanged. We then sifted through all of the C2 servers to identify those that connected to them over TCP/443. Interestingly, most of the C2 servers with this upstream traffic were listed in configurations from both Obama and BB campaigns. 
Five IPs were unique to Obama campaigns, and only one was unique to BB within this timeframe (specifically BB23 with campaign ID 1681114726).\r\nObama \u0026 BB: 23.30.22.225, 23.30.173.133, 27.0.48.233, 27.109.19.90, 43.243.215.206, 43.243.215.210, 69.242.31.249, 73.36.196.11, 73.161.176.218, 74.92.243.115, 75.149.21.157, 76.16.49.134, 96.87.28.170, 98.37.25.99, 103.42.86.42, 103.111.70.66, 103.113.68.33, 103.123.223.130, 103.123.223.141, 103.212.19.254, 114.143.176.235, 119.82.120.15, 119.82.123.160, 157.119.85.203, 183.87.163.165, 197.94.78.32, 202.142.98.62\r\nObama only: 59.153.96.4, 73.22.121.210, 119.82.121.251, 189.151.95.176, 197.94.95.20\r\nBB only: 174.171.130.96\r\nBot C2s to Upstream T2s\r\nThe graphs below display the volume of traffic flows from 1 March to 8 May 2023 for the active C2 servers identified above, categorized by the affiliate configurations they appeared in. Each color represents one of the upstream Russian IPs, referred to as RU1, RU2, and RU3.\r\n[Graph: April C2 servers present in both Obama and BB campaigns]\r\n[Graph: April C2 servers only present in Obama campaigns]\r\n[Graph: April C2 servers only present in BB campaigns]\r\nIn general, the affiliates do not seem to be separated by the upstream infrastructure with which their C2 servers communicate. However, there are some exceptions. For instance, a single unique BB C2 was live for two days and mostly communicated with RU3, with one connection to RU2 on the first day. C2s from the Obama campaigns primarily communicated with RU2 and RU3, although there were a few interactions with RU1 in early April.\r\nIn April, there seems to be a gap in activity for RU2 and RU3. 
To gain a clearer understanding of the overall C2 to T2 traffic volumes, it is necessary to combine all active C2s from April, regardless of affiliation.\r\n[Graph: All April C2 Servers]\r\nRU2 and RU3 exhibit similar patterns to each other, while RU1 follows a separate pattern. Traffic volumes consistently decrease over weekends for all three, a trend commonly observed in e-crime infrastructure.\r\nInterestingly, RU2 and RU3 were nearly inactive from 21 April until 1 May 2023. Upon resuming activity, C2 communication over TCP/443 spiked to levels twice as high as before the period of inactivity. During the inactivity period, there was a significant surge in traffic volume to RU1. However, just before the return of RU2 and RU3 in early May, the traffic volume to RU1 reduced to roughly match their volume patterns.\r\nMany C2 servers from this timeframe became active around mid-March and increased their activity beyond April. For comparison, the graph below includes all other confirmed or high-confidence C2 servers that communicated with the Russian IPs over TCP/443 since 26 January 2023 (but were not included in April campaigns).\r\n[Graph: C2 Servers First Active Prior to April 2023]\r\nThese previous C2 servers experienced spikes in activity, presumably when they were included in malware configurations, as observed with the C2 servers identified as active during April 2023. Subsequently, the traffic volume of these previous C2 servers significantly decreased, though the servers remained active.\r\nIn a future blog post, we will revisit this topic and explore the timelines of C2 servers and the relationships between affiliates.\r\nFrom this perspective, there are fewer similarities between RU2 and RU3, although they still share more alignment than with RU1. 
It also appears there have been previous periods of inactivity when C2 servers ceased communicating with an upstream Russian IP, as observed with RU1 from 25 February to 6 March 2023. These older C2 servers also stopped communicating with RU1 for approximately three weeks from the end of March through April, but they resumed connections on 19 April 2023. C2 servers included in April campaigns continued to communicate with RU1 during this period.\r\nTelemetry by IP Geolocation\r\nThere appears to be a potential relationship between RU2 and RU3 based on the April C2 traffic volume patterns. Hypothesizing from Qakbot's intermittent use of geofencing payloads, perhaps this relationship is influenced by geolocation. The following comparison shows confirmed and high-confidence C2s, active between 26 January and 8 May 2023, categorized by geolocation for each of the three Russian T2s.\r\nThis section is caveated by the potential for observation bias. Team Cymru’s global coverage varies from region to region, and from day to day based on sampling rates and data volumes.\r\n[Graph: RU1]\r\n[Graph: RU2]\r\n[Graph: RU3]\r\nThe volume and diversity of C2s for all three Russian T2s changed their patterns around the second week of March, with increased activity for India (IN) and United States (US) located IPs, and a decrease in the number of different GEOs with active C2 servers. RU2 and RU3 once again exhibit similar patterns and receive traffic from all US-based C2 servers, as well as C2s from other North American locations not observed with RU1.\r\nDuring this timeframe, RU1 showed less diversity compared to RU2 and RU3, predominantly utilizing hosts located in India. 
There were only two short periods in February and March when US and Czech Republic (CZ) C2 servers connected to RU1.\r\nThe CZ hosts were seen communicating with all three T2s around the same time period in February. More recently, hosts geo-tagged as South African (ZA) have started communicating with all three T2s, but most consistently connect to RU1.\r\nOne last thing to note: Qakbot C2 servers are historically compromised machines, either purchased from third parties or infected and turned into bots (although the latter is less common). Combining the above information into one graph reveals that starting in March, India is by far the most prevalent country for active Qakbot C2s. These compromised machines are most likely purchased from a broker serving the e-crime community.\r\nConclusion\r\nThis analysis provides a recent snapshot of the Qakbot infrastructure, highlighting observed trends and anomalies. By visualizing this data through line charts, we have uncovered intriguing insights into the inner workings of Qakbot's infrastructure. While the data can be utilized to identify potential threats and implement proactive measures, the primary focus of this post is to highlight the interesting data points that can be uncovered through network telemetry analysis. 
By leveraging these insights, readers can gain a deeper understanding of the tactics and strategies employed by cybercriminals to carry out their attacks.\r\nRecommendations\r\nWe recommend that the IOCs listed at the end of this blog post are used by cyber defenders to hunt for existing QakBot infections, as well as in blocking future attacks.\r\nFor users of Pure Signal™ Recon and Scout, the aforementioned Russian T2 servers are identifiable by querying against the IOC list, filtering on outbound connections to remote TCP/443.\r\nPivoting on inbound connections to the Russian T2 servers will illuminate new QakBot C2 infrastructure over time.\r\nIndicators of Compromise\r\nBelow are the confirmed Qakbot bot C2 servers that we have identified communicating with upstream T2 infrastructure over TCP/443 this year.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.team-cymru.com/post/visualizing-qakbot-infrastructure"
	],
	"report_names": [
		"visualizing-qakbot-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5cb66c1837b55c35a268d739d56f9ed7afecd6ab.pdf",
		"text": "https://archive.orkl.eu/5cb66c1837b55c35a268d739d56f9ed7afecd6ab.txt",
		"img": "https://archive.orkl.eu/5cb66c1837b55c35a268d739d56f9ed7afecd6ab.jpg"
	}
}