{
	"id": "fb8d494d-8f30-4535-b5b7-3dec08fd81d4",
	"created_at": "2026-04-06T00:10:33.306598Z",
	"updated_at": "2026-04-10T03:23:51.229891Z",
	"deleted_at": null,
	"sha1_hash": "75cf431cccabd159d3b6473070faca535cd3d44a",
	"title": "Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9845827,
	"plain_text": "Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta\r\nRansomware\r\nBy George Tubin\r\nPublished: 2022-10-31 · Archived: 2026-04-05 19:20:04 UTC\r\nMax Malyutin – Orion Threat Research Team Leader\r\nThis report covers the execution of the notorious Qakbot malware infection, with in-depth details about TTPs (Tactics,\r\ntechniques, and procedures) and Qakbot’s different functionalities.\r\nQakbot Executive Summary\r\nQakbot (also known as QBot, QuakBot, or Pinkslipbot) is a modular information stealer and banking trojan malware that has\r\nbeen active for over a decade. Qakbot was discovered in the wild in 2007.\r\nThreat actors behind the malware are financially motivated cybercriminals. They steal financial data, banking credentials,\r\nand web browser information from infected systems.\r\nOnce Qakbot threat actors succeed in infecting a system, they install a backdoor to grant access to ransomware operators,\r\nleading to double extortion attacks.\r\nQakbot’s main goals are:\r\nCollecting credentials and financial information\r\nInstalling a backdoor\r\nDropping additional malware (in most cases ransomware)\r\nQakbot has led to widespread infections and is known as one of the most dangerous malware families.\r\nQakbot has evolved in the last two years and has a wide range of capabilities such as installing persistence, evading\r\ndefenses, escalating privileges, and communicating with a Command and Control (C2). These capabilities allow it to\r\ncompromise the system without being detected by endpoint detection and response (EDR) vendors or antivirus (AV)\r\nsolutions.\r\nRecently (in the last three months), multiple Qakbot campaigns were seen in the wild.\r\nQakbot’s rapid change in its TTPs provides the ability to quickly spread and avoid defenses. 
The frequency of changing its\r\nTTPs makes it harder for security analysts and defenders to monitor and prevent Qakbot attacks.\r\nOrion’s observations\r\nCynet Orion Threat Research team closely monitors Qakbot campaigns, TTPs, and attack methods. Since Microsoft changed\r\nthe default policy in their Office products by disabling macros, threat actors changed their initial infection methods. Qakbot\r\nin the past used malicious documents (MalDocs) to infect the system but these days it uses different methods.\r\nQakbot Infection Flow Summary\r\nhttps://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/\r\nPage 1 of 31\n\nQakbot’s initial infection distribution starts with a spam\\hijacked email that contains malicious HTML (HTML smuggling),\r\nor password-protected ZIP. We have also observed malicious URL links as part of the malicious email. All of them lead to an\r\nISO image file (could also be VHD or IMG), which lures the victim to execute a malicious LNK file. After the LNK\r\nexecution, the next infection step could be different due to the change in the TTPs.\r\nUsually, Qakbot threat actors at this stage of the infection abuse legitimate binaries (LOLBins – Living Off the Land\r\nBinaries) or capabilities of the Microsoft Windows operating system. Orion observed the following LOLBins (From June\r\n2022 until today) that were recently used – CMD and WScript for script\\batch file execution, CURL for downloading\r\nQakbot’s DLL, and Regsvr32 or Rundll32 for Qakbot’s stager DLL execution.\r\nIn the technical part of this report, we will cover different TTPs and explain each one.\r\nOnce Qakbot’s DLL is executed, a process injection takes place. A new process is created and injected with Qakbot’s\r\nDLL. After Anti-VM and Anti-Analysis checks, the injected process installs its configuration in a registry key. A copy of the\r\nsame DLL is dropped for persistence which is executed by the registry Run key. 
In the case of a high-privileged\r\ncompromised user (Administrator), it will install persistence via a Scheduled Task.\r\nOnce the threat actors set up persistence, the Qakbot-injected process communicates with multiple C2 servers. The C2 servers\r\nwait for information about the compromised system, which leads to the execution of an automated series of discovery\r\ncommands that collect information about the system.\r\nThe injected process also extracts information from web browsers (Internet Explorer and Microsoft Edge) by abusing the\r\nbuilt-in esentutl utility. In addition, the C2 sends an info-stealing module that allows the injected process to access\r\nweb browser data and credentials.\r\nAfter Qakbot has all the information and sends it to the C2 server, the infection leads to Cobalt Strike or Brute Ratel. These\r\nframeworks allow threat actors to control the compromised system and perform multiple actions such as credential dumping,\r\nlateral movement, exfiltration, etc.\r\nThe final stage of the infection is a human-operated ransomware attack with double extortion.\r\nRansomware threat actors locate and secure access to high-value assets, exfiltrate sensitive data and execute ransomware\r\nacross the domain.\r\nFrom spam email to ransomware infection: Breaking down Qakbot campaign TTPs\r\nInitial Access, Execution, and Defense Evasion\r\nThe Qakbot campaign distribution method is through malicious spam (malspam) emails.\r\nHere are some examples below.\r\nA malicious email with an HTML file attachment\r\nThe HTML distribution is extremely popular in the recent Qakbot campaigns.\r\nThe victim opens the HTML attachment in their browser which leads to a fake local HTML site. Threat actors use different\r\nfake sites which seem legitimate and lure the victim to keep executing (clicking) until the Qakbot infection starts. 
The\r\nHTML fake site then downloads a password-protected ZIP archive.\r\nThreat actors use this technique – Obfuscated Files or Information: HTML Smuggling (MITRE ID: T1027.006) – to avoid\r\ndetection by smuggling a hidden ZIP file inside of an HTML file.\r\nA fake Google Drive site that presents a password and drops a ZIP file\r\nA fake Dropbox site that presents a password and drops a ZIP file\r\nA fake Acrobat site that presents a password and drops a ZIP file\r\nThe malicious HTML file contains JavaScript code and a Base64 encoded chunk that runs once the file opens. The\r\nJavaScript automatically saves the Base64 data (ZIP archive) to a local file.\r\nExamples of HTML smuggling file names:\r\nContract#[digits].html\r\nCancellation_[digits].html\r\nIN[digits].html\r\nComplianceReportCopy#[digits]4.html\r\nGrant#[digits].html\r\nREF#[digits]_[month]_[day].html\r\nContractCopy#[digits].html\r\nDocument#[digits](mmdd).html\r\nNow we will cover some Qakbot infection flows and check which TTPs are being used.\r\nThe password-protected ZIP archive contains an ISO image. The password of the ZIP is presented in the HTML fake site.\r\nExamples of ISO file names:\r\nDetails[digits].iso\r\nContract_[digits].iso\r\nCancellation#[digits].iso\r\nComplianceReportCopy_[digits].iso\r\nGrant_[digits].iso\r\nA7[digits].iso\r\nDK[digits].iso\r\nVV[digits].iso\r\nUntil this point, the victim did exactly what the threat actors planned. 
The victim was first lured by a malicious spam email\r\nand then downloaded an attachment, saved a ZIP file that contained an ISO file, and opened it.\r\nThe ISO contains an LNK file that has an icon of a directory or a document to lure the victim to double-click on it. In\r\naddition, there is a hidden folder that contains some payloads and the Qakbot DLL.\r\nThe LNK file serves as a shortcut to the cmd.exe command line that executes a batch script (.cmd) from the hidden\r\ndirectory.\r\nLNK file meta-data:\r\nLNK file properties and origin:\r\nIn the hidden directory there are four files (.txt, .cmd, .gif and .dat). The LNK file executes the .cmd file, which contains the\r\nfollowing code:\r\nThe batch script has two batch commands “set” (lines 4-8) and “call” (line 10). The “set” command creates five environment\r\nvariables and the “call” command executes an obfuscated command line with all the environment variables.\r\nNote: at line 8, the last set command, the new environment variable contains the replace.exe binary that will be used to copy\r\nregsvr32 to a different location to evade security products.\r\nThe “call” command executes the following:\r\nThe threat actors use a masquerading technique to avoid detections by placing the regsvr32.exe binary in a different location\r\nwith the replace.exe Microsoft built-in utility.\r\nreplace C:\\Windows\\system32\\regsvr32.exe C:\\Users\\Admin\\AppData\\Local\\Temp /A\r\nThe /A parameter copies the new file to the requested directory instead of moving the existing file.\r\nThe %1 %2 %3 are the arguments that reside in the LNK command line. 
Their concatenation results in regsvr32.exe, which\r\nwill be executed to load Qakbot’s DLL. Qakbot’s DLL in this case is the “volleyed.dat” file.\r\nThis is the execution flow after double-clicking the LNK file:\r\nAnother example of Qakbot infection uses different TTPs which will be described in the next section.\r\nThis infection also starts with an LNK file execution.\r\nLNK meta-data:\r\nLNK file properties and origin:\r\nThe batch file (.cmd) also has “set” and “call” commands.\r\nThe interesting part is found in line 7 where an unknown executable is in the %temp% directory (C:\\Users\\\r\n{User}\\AppData\\Local\\Temp). At lines 4-6 the batch file sets environment variables. The concatenation of the environment\r\nvariables’ values will result in regsvr32.exe which will be copied to the %temp% directory and renamed.\r\nThe Qakbot DLL that is executed by the masqueraded Regsvr32\r\nThe execution flow after double-clicking the LNK file:\r\nIn the last three months, Qakbot’s threat actors used unique TTPs for each campaign. 
We are monitoring Qakbot campaigns\r\nclosely and we observed a unique infection flow each time:\r\nJune 2022: LNK \u003e CMD \u0026 CURL \u003e PING \u003e Regsvr32\r\nExecution flow description: An LNK file executes a curl command to download a Qakbot DLL to\r\n\\\\AppData\\\\Roaming\\\\[RandomDir] from a compromised distribution URL, and finally executes the DLL with\r\nregsvr32.\r\nJuly 2022: LNK \u003e CALC \u003e Regsvr32\r\nExecution flow description: An LNK file executes a copy of calc.exe (stored in the ISO). The ISO also contains\r\ntwo DLL files, WindowsCodecs.dll, and a payload named [Random].dll to perform DLL hijacking. Finally,\r\nregsvr32 loads the Qakbot DLL.\r\nSeptember 2022: LNK \u003e CURL \u0026 WSCRIPT \u003e CMD \u003e PING \u0026 Regsvr32\r\nExecution flow description: An LNK file executes curl to download a .js file to \\\\AppData\\\\Roaming\\\\\r\n[RandomDir]\\\\[RandomDir]. The JS script downloads the Qakbot DLL and executes it with Regsvr32.\r\nNow that we have covered different Qakbot TTPs and infection flows, let’s focus on what happens after the Qakbot\r\nDLL is executed by regsvr32.exe.\r\nQakbot DLL targets system processes for process injection (Process Hollowing). 
The targeted process will be chosen from a\r\nhardcoded list according to AV solutions that are running on the compromised system to evade them.\r\nCreateToolhelp32Snapshot, Process32Next, and Process32First APIs allow enumerating running processes on the\r\ncompromised system.\r\nThe target processes are:\r\n%SystemRoot%\\SysWOW64\\wermgr.exe (in the last campaigns the target process was:\r\n%SystemRoot%\\SysWOW64\\explorer.exe)\r\n%SystemRoot%\\SysWOW64\\mobsync.exe\r\n%SystemRoot%\\SysWOW64\\msra.exe\r\n%SystemRoot%\\SysWOW64\\OneDriveSetup.exe\r\n%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe\r\nWe observed a new process in the new Qakbot campaign: %SystemRoot%\\SysWOW64\\dxdiag.exe, thanks to @Kostastsale\r\nfrom the DFIR Report Team.\r\nThese are the AV processes that were checked:\r\nkavtray.exe, avp.exe == Kaspersky\r\nbdagent.exe, vsserv.exe, vsservppl.exe == Bitdefender\r\nSavService.exe, SAVAdminService.exe == Sophos\r\ncoreServiceShell.exe, PccNTMon.exe, NTRTScan.exe == Trend Micro\r\nMsMpEng.exe == Windows Defender\r\nAvastSvc.exe == Avast\r\nThe process injection uses the following Windows APIs: CreateProcessW, WriteProcessMemory, and NtResumeThread.\r\nCreateProcessW API is used to start a new system process using the flag CREATE_SUSPENDED to create the targeted\r\nprocess in suspended mode.\r\nAfter injecting the Qakbot DLL code with WriteProcessMemory, it finally resumes the injected process and its execution\r\nwith NtResumeThread.\r\nThe injected process (wermgr.exe) contains a newly allocated memory space found at 0x302000. 
The page has RWX (Read,\r\nWrite, Execute) protection, and this page contains an MZ header of the injected Qakbot DLL.\r\nIn addition to the AV enumeration, Qakbot also checks if it is running in the Windows Defender sandbox. Qakbot checks\r\nthe existence of a subdirectory: “C:\\\\INTERNAL\\\\__empty.” If this folder exists, the Qakbot process terminates itself.\r\nDuring our analysis, we spotted that the unpacked Qakbot DLL was inside the injected process memory.\r\nThis unpacked Qakbot DLL has unique indicators:\r\nDLL internal name: fwpolicyiomgr.dll\r\nDLL export functions: DllRegisterServer, DllInstall\r\nHere is an older version of the Qakbot unpacked DLL from previous campaigns:\r\nDLL internal name: visualstudio_helper.dll\r\nDLL export function: DllRegisterServer\r\nAfter the injection, Qakbot stores the content of its DLL in memory, and it corrupts the image file (DLL) on the disk by\r\noverwriting it with junk data. This is done to interfere with forensics and analysis attempts:\r\nQakbot stores its configuration in a fileless manner by loading its configuration from its resource section and then storing its\r\nconfiguration in the registry, in HKCU\\\\Software\\\\Microsoft\\\\[RandomDir].\r\nTwo suspicious Qakbot resources\r\nPersistence\r\nThe persistence mechanism of Qakbot is a registry Run key (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run).\r\nFirst Qakbot creates a subdirectory with a random name under the %APPDATA%\\\\Microsoft\\\\ and drops a copy of Qakbot’s\r\nDLL for the Run key persistence. 
The persistence mechanism triggers when the system shuts down or restarts.\r\nDuring the system shutdown/restart the copy of the Qakbot DLL is dropped to “C:\\\\Users\\\\\r\n{User}\\\\AppData\\\\Roaming\\\\Microsoft\\\\Zadabakyje\\\\uboeuai.dll”:\r\nAnd a new value in the registry Run key is created. Registry value = KNBLORIAPI, the data type of the value is a REG_SZ\r\nand it contains the following data: regsvr32.exe “C:\\\\Users\\\\\r\n{User}\\\\AppData\\\\Roaming\\\\Microsoft\\\\Zadabakyje\\\\uboeuai.dll”:\r\nAt the reboot of the compromised system, the Run key is executed, and runs the following command:\r\nHere’s another example of the persistence process:\r\nQakbot uses an anti-forensics technique by deleting its persistence artifacts. On the system boot, the DLL file is\r\nremoved from the C:\\\\Users\\\\{User}\\\\AppData\\\\Roaming\\\\Microsoft\\\\{RandomDir}\\\\, and the run key value is removed\r\nfrom the registry key.\r\nDiscovery\r\nThe injected Qakbot process executes automated discovery commands with legitimate Microsoft Windows built-in\r\ncommand-line binaries.\r\nThese discovery commands collect information about the compromised system and send the information to the C2 server.\r\nThis action serves the threat actors for mapping the system for lateral movement.\r\nnet view\r\nDescription: This command displays a list of domains, computers, or resources that are being shared by the\r\nspecified computer. 
Used without parameters, net view displays a list of computers in your current domain.\r\ncmd /c set\r\nDescription: This command displays the system environment variables.\r\narp -a\r\nDescription: This command displays entries in the ARP (Address Resolution Protocol) table.\r\nnslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.\u003cdomain_fqdn\u003e\r\nDescription: This command displays SRV (service location) records, specifically those of the domain controllers on the\r\ndomain.\r\nipconfig /all\r\nDescription: This command displays all current TCP/IP network configurations.\r\nnet share\r\nDescription: This command displays information about all the resources that are shared on the local computer.\r\nroute print\r\nDescription: This command displays the entries in the local IP routing table.\r\nnetstat -nao\r\nDescription: This command displays active TCP connections, ports on which the computer is listening,\r\nEthernet statistics, the IP routing table, and IPv4 statistics.\r\nnet localgroup\r\nDescription: This command displays the name of the server and the names of local groups on the computer.\r\nwhoami /all\r\nDescription: This command displays user, group, and privileges information for the user who is currently\r\nlogged on to the local system.\r\nCredential Access and Collection (Web-Browser)\r\nOne of the Qakbot capabilities is information stealing. 
It steals sensitive information from Internet Explorer and Microsoft\r\nEdge by executing the esentutl.exe command line:\r\nesentutl.exe /r V01 /l”C:\\\\Users\\\\{User}\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache” /s”C:\\\\Users\\\\\r\n{User}\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache” /d”C:\\\\Users\\\\\r\n{User}\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache”\r\nThe injected Qakbot process performed the Web-Browser collection by receiving from the C2 server a cookie grabber\r\nmodule that allows it to access web browser credentials and data. This data is stored on the disk:\r\nThe cookie-stealing module contains the following strings:\r\nThe credential stealing and keylogging module contains the following strings:\r\nQakbot botnet; Command and Control\r\nThe Qakbot-injected process communicates (over HTTPS POST requests carrying the victim fingerprinting data) with the C2 servers.\r\nTheir IP addresses are stored in a hardcoded list in the configuration that resides in the registry.\r\nOnce the Qakbot communication is established, the C2 will send additional modules to the injected Qakbot process.\r\nThe following fingerprinting data is sent to the C2 server:\r\nOS information\r\nCPU information\r\nComputer name\r\nUsername\r\nAD Domain\r\nRunning processes\r\nIn addition, all the discovery outputs are also sent to the C2 server.\r\nThe Qakbot botnet IDs: Obama, BB, etc., are located inside the injected process memory. 
Here’s an example from an\r\ninjected Explorer.exe process:\r\nAnother example of the C2 connection data from the injected process memory. The “POST /t5 HTTP/1.1” (“POST /t4\r\nHTTP/1.1” in previous campaigns) is indicative of the Qakbot C2 server HTTP request:\r\nThe C2 server (41[.]111[.]118[.]56) detections by VirusTotal:\r\nA list of active Qakbot C2 servers can be monitored via https://feodotracker.abuse.ch/browse/qakbot/.\r\nCobalt Strike Infection\r\nAfter all the above actions (defense evasion, discovery, credential access, collection, and the C2 communication), we saw\r\nin one of our incident response (IR) cases that the Qakbot infection led to Cobalt Strike.\r\nThe Qakbot injected process (in the IR case: OneDriveSetup.exe) injected into a different process – a Cobalt Strike DLL\r\nbeacon – 45 minutes after the initial infection. The injection created a new remote thread in the targeted Rundll32.exe\r\nprocess. The MZAR header (reflective loader):\r\nIn addition, the Cobalt Strike beacon was injected into the “C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup”\r\nprocess which executes another instance of rundll32.exe:\r\nOne of the actions that the threat actors executed is a fileless .NET Mimikatz. 
This is the Mimikatz executed inside the\r\ninjected process (rundll32.exe) memory:\r\nMimikatz functionality allows the threat actors to dump passwords and NTLM hashes from memory, collect Kerberos\r\ntickets and run “Pass the Hash.” With this functionality, the threat actors perform lateral movement and privilege escalation.\r\nHuman-operated ransomware\r\nWe observed that at this point of the infection (Cobalt Strike execution), the attack switched to human-operated\r\nransomware. It is an active attack performed by ransomware cybercriminals with a “hands-on keyboard.” Threat actors take\r\nadvantage of the domain to deploy ransomware.\r\nWe have investigated several Qakbot infections and based on that, we have observed a collaboration with CONTI and Black\r\nBasta ransomware groups.\r\nThis makes sense based on the Threat Intelligence reports that link these two ransomware groups (Black Basta is an offshoot\r\nof CONTI). 
Black Basta ransomware was first seen at the beginning of 2022.\r\nBlack Basta ransomware technical info:\r\nRansomware encryption algorithms: ChaCha20 and RSA-4096\r\nRansomware skips the following files/directories:\r\n$Recycle.Bin\r\nreadme.txt\r\nWindows\r\nreadme.txt\r\nRansomware extension: .basta\r\nRansomware note: readme.txt\r\nRansomware replaces the desktop wallpaper with its own image\r\nRansomware inhibits system recovery commands:\r\nC:\\Windows\\SysNative\\vssadmin.exe delete shadows /all /quiet\r\ncmd.exe /c “C:\\Windows\\SysNative\\vssadmin.exe delete shadows /all /quiet”\r\nC:\\Windows\\SysNative\\bcdedit /set safeboot networkChanges\r\nRelated Black Basta ransomware sample that was detected in one of the IR cases.\r\nMD5: 0c69e91c2f54978ae3103b26686b2610\r\nSHA-256: a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96\r\nSSDEEP:\r\n12288:9yufBWp/QcYqt+QxxbxgU532BjZak//A6/NLaBCfwYkijMsZ2rEIaOtZBQipEen7:9yufBWpW3/k6M7tZBLpEelW3\r\nImphash: 23f9df8e3fa0bbe313771c0a01ac6eae\r\nTTPs: Tactics, Techniques, and Procedures, MITRE\r\nNow that we’ve covered the execution details, I am going to share the TTPs with you.\r\nTA0001 Initial Access:\r\nT1566.001 Phishing: Spear phishing Attachment\r\nTA0002 Execution:\r\nT1204.001 User Execution: Malicious Link\r\nT1204.002 User Execution: Malicious File\r\nT1059.005 Command and Scripting Interpreter: Visual Basic Script\r\nT1059.007 Command and Scripting Interpreter: JavaScript\r\nT1027 Obfuscated Files or Information\r\nTA0003 Persistence:\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1053.005 Scheduled Task\r\nT1543.003 Create or Modify System Process: Windows Service\r\nT1574.001 
Hijack Execution Flow: DLL Search Order Hijacking\r\nTA0005 Defense Evasion:\r\nT1027.006 Obfuscated Files or Information: HTML Smuggling\r\nT1218.011 Signed Binary Proxy Execution: Rundll32\r\nT1218.010 System Binary Proxy Execution: Regsvr32\r\nT1027.002 Obfuscated Files or Information: Software Packing\r\nT1027.005 Obfuscated Files or Information: Indicator Removal from Tools\r\nT1070.004 Indicator Removal on Host: File Deletion\r\nT1112 Modify Registry\r\nT1055.012 Process Injection: Process Hollowing\r\nT1562.009 Impair Defenses: Safe Boot Mode\r\nT1622 Debugger Evasion\r\nTA0006 Credential Access:\r\nT1555.003 Credentials from Password Stores: Credentials from Web Browsers\r\nT1003 OS Credential Dumping\r\nTA0007 Discovery:\r\nT1057 Process Discovery\r\nT1018 Remote System Discovery\r\nT1482 Domain Trust Discovery\r\nT1135 Network Share Discovery\r\nT1069.001 Permission Groups Discovery: Local Groups\r\nT1082 System Information Discovery\r\nT1016 System Network Configuration Discovery\r\nT1049 System Network Connections Discovery\r\nT1033 System Owner/User Discovery\r\nT1010 Application Window Discovery\r\nTA0009 Collection:\r\nT1005 Data from Local System\r\nTA0011 Command and Control:\r\nT1573 Encrypted Channel\r\nT1071 Application Layer Protocol\r\nT1041 Exfiltration Over C2 Channel\r\nTA0040 Impact:\r\nT1486 Data Encrypted for Impact\r\nT1490 Inhibit System Recovery\r\nWe will continue to share threat alerts in real time so keep an eye on our social channels. You can also find our monthly\r\nransomware reports here.\r\nStay safe!\r\nSource: https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/"
	],
	"report_names": [
		"orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434233,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75cf431cccabd159d3b6473070faca535cd3d44a.pdf",
		"text": "https://archive.orkl.eu/75cf431cccabd159d3b6473070faca535cd3d44a.txt",
		"img": "https://archive.orkl.eu/75cf431cccabd159d3b6473070faca535cd3d44a.jpg"
	}
}