{
	"id": "272728bd-1107-4684-9c32-56d8cd87927c",
	"created_at": "2026-04-06T00:22:04.042074Z",
	"updated_at": "2026-04-10T03:21:12.245092Z",
	"deleted_at": null,
	"sha1_hash": "72481b3989dd720c021f3c5207f8be9fe9598ee8",
	"title": "QBot malware is back replacing IcedID in malspam campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3499140,
	"plain_text": "QBot malware is back replacing IcedID in malspam campaigns\r\nBy Ionut Ilascu\r\nPublished: 2021-04-13 · Archived: 2026-04-05 19:25:49 UTC\r\nMalware distributors are rotating payloads once again, switching between trojans that are often an intermediary stage in a longer infection chain.\r\nIn one case, the rotation seems to be between QBot and IcedID, two banking trojans that are often seen delivering various ransomware strains as the final payload in the attack.\r\nReturn to initial payload\r\nEarlier this year, researchers observed a malicious email campaign spreading weaponized Office documents that delivered the QBot trojan, only to change the payload after a short while.\r\nhttps://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/\r\nPage 1 of 4\r\nIn February, IcedID was the new malware coming from the URLs that used to serve QBot. Brad Duncan of Palo Alto Networks caught the change and notes in his analysis at the time:\r\n“HTTPS URL generated by the Excel macro ends with /ds/2202.gif which normally would deliver Qakbot, but today it delivered IcedID” - Brad Duncan\r\nThreat researcher James Quinn of Binary Defense makes the same observation in a blog post in March, as the company discovered a new IcedID/BokBot variant while tracking a malicious spam campaign from a QakBot distributor.\r\nIcedID started as a banking trojan in 2017 and adjusted its functionality for malware delivery. It has been seen distributing RansomExx, Maze, and Egregor ransomware in the past.\r\nAfter a gap of about a month and a half, the malware distributor switched the payload back to QBot (a.k.a. QakBot), which has been seen delivering ProLock, Egregor, and DoppelPaymer ransomware in the past.\r\nMalware researcher and reverse engineer reecDeep spotted the switch on Monday, saying that the campaign relies on updated XLM macros.\r\nAs seen in the screenshot above, the malicious Office file poses as a DocuSign document to trick users into enabling macro support that fetches the payload on the system.\r\nThe same trick is seen in the analysis from both Binary Defense and Brad Duncan on the malware distributor’s switch to delivering IcedID in February 2021.\r\nRecently, security researchers at threat intelligence firm Intel 471 published details about EtterSilent, a malicious document builder that’s been gaining in popularity due to its constant development and ability to bypass several security mechanisms (Windows Defender, AMSI, email services).\r\nOne feature of the tool is that it can create malicious documents that look like DocuSign or DigiCert-protected files that require user interaction for decryption.\r\nAccording to Intel 471, multiple cybercriminal groups started to use EtterSilent services, including IcedID, QakBot, Ursnif, and Trickbot.\r\nContacted by BleepingComputer about the recent switch to QakBot, James Quinn confirmed the campaigns, saying that all evidence points to \"a fairly large update to QakBot\" that comes with changed decryption algorithms for the internal configuration.\r\nQuinn notes that this breaks the configuration extraction on many samples.\r\nSource: https://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/"
	],
	"report_names": [
		"qbot-malware-is-back-replacing-icedid-in-malspam-campaigns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72481b3989dd720c021f3c5207f8be9fe9598ee8.pdf",
		"text": "https://archive.orkl.eu/72481b3989dd720c021f3c5207f8be9fe9598ee8.txt",
		"img": "https://archive.orkl.eu/72481b3989dd720c021f3c5207f8be9fe9598ee8.jpg"
	}
}