{
	"id": "84098639-ba7b-4bd0-b106-c956ededd9a9",
	"created_at": "2026-04-06T00:17:50.347805Z",
	"updated_at": "2026-04-10T03:21:23.617548Z",
	"deleted_at": null,
	"sha1_hash": "6cf65735e2066afe75e3d64c8ce1fab7076810c6",
	"title": "Qakbot Returns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 462091,
	"plain_text": "Qakbot Returns\r\nPublished: 2024-01-04 · Archived: 2026-04-05 15:28:33 UTC\r\nThe Qakbot malware has reappeared just four months after law enforcement disrupted its distribution in the “Duck Hunt” operation. Lately, various security companies have noticed the malware spreading through phishing emails. Microsoft, which discovered this, described it as a small-scale campaign starting on December 11, 2023, specifically targeting the hospitality industry. Although the number of these emails is currently low, given Qakbot’s past persistence, it is anticipated that the volume will rise soon. We got our hands on one such sample via this tweet.\r\nFigure 1: Microsoft discovery of Qakbot resurfacing\r\nhttps://labs.k7computing.com/index.php/qakbot-returns/\r\nPage 1 of 7\r\nBinary Analysis\r\nAs per Microsoft’s tweet, in the recent campaign an MSI file is downloaded to the user’s machine from the malicious PDFs that were spread through phishing emails.\r\nFigure 2: Execution Flow\r\nOn analysing the MSI file, we found that the suspicious DLL compressed inside was a patched IDM (Internet Download Manager) DLL with Qakbot inside.\r\nFigure 3: Qakbot inside IDM DLL\r\nWe found that this DLL was packed with a custom packer. Usually, unpacking the Qakbot DLL is quite simple: it uses VirtualAlloc() to allocate memory for the unpacked code and VirtualProtect() to change the protection on a memory region. We set breakpoints on both of those APIs to unpack it. We first got a dump of the PE file without the MZ header. 
Later, we found that it was the Qakbot second-stage loader by manually adding the MZ header. The threat actor employs this method to avoid detection by EDR, which scans memory regions for MZ headers to identify potential process injection.\r\nFigure 4: Unpacking Qakbot\r\nOn further unpacking, we got the final Qakbot payload, which loads from memory while executing. Some security researchers found that in the new campaign Qakbot uses AES encryption to encrypt and store victim information, but the final payload we got was the usual Qakbot payload with the same RC4 encryption.\r\nFigure 5: Final Qakbot payload\r\nOn dynamic analysis, the MSI drops an installer temp file which passes the command line to invoke rundll32.exe and hides the window so that it runs in the background.\r\nFigure 6: MSI installer\r\nSince the threat actor uses a PDF in their kill chain, the malicious DLL copies itself under the name AcrobatAC.dll and passes the command line arguments to execute the DLL with the Qakbot export function EditOwnerInfo.\r\nFigure 7: Malicious DLL running in the background\r\nIt showed a dummy Acrobat window and a fake error window as a decoy. Further, we found that the malicious DLL invokes wermgr.exe (Windows Error Manager) in a suspended state to pursue its kill chain.\r\nFigure 8: Decoy and invoking wermgr.exe\r\nWe dumped the PE file from wermgr.exe, which was our previously unpacked final Qakbot payload. 
The threat actor employed the Process Hollowing technique to inject malicious code into the suspended process of Windows Error Manager.\r\nFigure 9: Process Hollowing wermgr.exe\r\nAs mentioned earlier, wermgr.exe creates a registry key with RC4-encrypted data containing victim system information, the timestamp of installation and C2 information, which is a usual Qakbot TTP.\r\nFigure 10: Creates registry key\r\nQakbot tries to make a C2 connection in the background when the victim believes wermgr.exe is running. Since the C2 was down at the time of analysis, it was unable to establish a connection for carrying out any further malicious activity.\r\nFigure 11: C2 connection by wermgr.exe\r\nWe at K7 Labs provide detection against the latest threats, including this newer variant of Qakbot. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard their devices.\r\nIoCs\r\nHash\tDetection Name\r\n723DAE8ED3F157E40635681F028328E6\tBackdoor ( 005af9cf1 )\r\n88BBF2A743BAAF81F7A312BE61F90D76\tBackdoor ( 005af9cf1 )\r\nReferences\r\n1. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/\r\n2. https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/\r\nSource: https://labs.k7computing.com/index.php/qakbot-returns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/qakbot-returns/"
	],
	"report_names": [
		"qakbot-returns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775791283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6cf65735e2066afe75e3d64c8ce1fab7076810c6.pdf",
		"text": "https://archive.orkl.eu/6cf65735e2066afe75e3d64c8ce1fab7076810c6.txt",
		"img": "https://archive.orkl.eu/6cf65735e2066afe75e3d64c8ce1fab7076810c6.jpg"
	}
}