{
	"id": "602c5bce-611c-49e0-a9a5-958281696a56",
	"created_at": "2026-04-06T00:11:32.823661Z",
	"updated_at": "2026-04-10T03:20:16.534219Z",
	"deleted_at": null,
	"sha1_hash": "6f7e15a2b9dc20b88f47226b1be6132dbc82cc92",
	"title": "Qakbot Botnet Disruption | The Shadowserver Foundation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70241,
	"plain_text": "Qakbot Botnet Disruption | The Shadowserver Foundation\r\nArchived: 2026-04-05 20:16:58 UTC\r\nOn Tuesday 29th August 2023, the US Department of Justice (DoJ) and US Federal Bureau of Investigation\r\n(FBI) – along with law enforcement partners in France, Germany, the Netherlands, and the United Kingdom –\r\nannounced a disruption action against the very long running Qakbot botnet.\r\nQakbot (also known as QBot, Pinkslipbot, Quakbot and Oakbot) has been active since around 2007, having\r\ninitially been developed as information stealer and banking trojan malware, before later becoming primarily a\r\ndistribution network for other malware/ransomware. See Malpedia’s timeline for more information about its\r\nlengthy evolution, and CISA’s advisory for Indicators of Compromise (IOCs) and mitigation information.\r\nIn recent years, Qakbot has been used as an initial infection vector by many ransomware groups including Conti,\r\nProLock, Egregor, REvil, MegaCortex, and Black Basta. This has likely enabled significant financial losses\r\nglobally.\r\nThe outcomes from the coordinated law enforcement action included:\r\n- deleting the Qakbot malware from infected victim computers (to reduce the risk of further harm)\r\n- taking down the Qakbot technical infrastructure\r\n- seizing $8.6M of alleged illicit cryptocurrency profits.\r\nAs part of the takedown, the FBI was able to gain access to Qakbot infrastructure and identify over 700,000\r\ncomputers worldwide that appear to have been infected with Qakbot, including more than 200,000 in the United\r\nStates. 
To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled\r\nby the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file\r\ncreated by law enforcement that would uninstall the Qakbot malware – thus preventing additional malware from\r\nbeing deployed on victim systems in future.\r\nMore detailed information is available in the DoJ court documents, including the hash of the Qakbot Uninstall file\r\n(SHA-256 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117) and associated search\r\nwarrants. Independent technical analysis of observed deletion activity was reported by Secureworks.\r\nThe scope of this law enforcement action was limited to information installed on the victim computers by the\r\nQakbot actors. It did not extend to remediating other malware already installed on the victim computers and did\r\nnot involve access to or modification of the information of the owners and users of the infected computers. It is\r\ntherefore important that anyone who is notified that they might have been infected with Qakbot also looks\r\nfor and remediates other malware infections that are likely also running on the same computer. Even after\r\nthe removal of Qakbot, they may still be infected with other malware and be a part of other botnets, so at risk\r\nfrom cybercriminals.\r\nThe Shadowserver Foundation is happy to support our law enforcement partners and private sector in this major\r\ncybercrime disruption operation. 
We are currently analyzing the collected data and will soon issue a Qakbot\r\nSpecial Report for National CSIRTs and network owners, to help notify and remediate any remaining victims.\r\nIf you do not already subscribe to Shadowserver’s free daily network reports, which contain many unique cyber\r\nthreat intelligence data feeds not available elsewhere, please subscribe here now. In the meantime, you can contact\r\nus with any questions, follow us on Twitter/X, Mastodon, BlueSky or LinkedIn, and join our public mailing list to\r\nreceive further updates.\r\nSource: https://www.shadowserver.org/news/qakbot-botnet-disruption/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.shadowserver.org/news/qakbot-botnet-disruption/"
	],
	"report_names": [
		"qakbot-botnet-disruption"
	],
	"threat_actors": [],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f7e15a2b9dc20b88f47226b1be6132dbc82cc92.pdf",
		"text": "https://archive.orkl.eu/6f7e15a2b9dc20b88f47226b1be6132dbc82cc92.txt",
		"img": "https://archive.orkl.eu/6f7e15a2b9dc20b88f47226b1be6132dbc82cc92.jpg"
	}
}