{
	"id": "18f3f4f5-7e20-4e14-b27c-518c4666e63c",
	"created_at": "2026-04-06T00:19:44.458102Z",
	"updated_at": "2026-04-10T13:11:31.066408Z",
	"deleted_at": null,
	"sha1_hash": "8a30e6355fc727e7e97a5a37b67647797c835995",
	"title": "Qbot Banking Trojan Still Up to Its Old Tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40474,
	"plain_text": "Qbot Banking Trojan Still Up to Its Old Tricks\r\nBy Doron Voolf, Malware Analyst, F5\r\nArchived: 2026-04-05 16:17:49 UTC\r\nThere is no cease-fire in the continuing battle against malware. Qbot, a banking trojan malware active since 2008,\r\nis back in business with new functions and new stealth capabilities. In the past 12 years, this malware has gone by\r\na handful of names, including Qakbot and Pinkslipbot.\r\nDespite all the variations and evolutions, Qbot’s main goal has remained the same: collect browsing activity and\r\nsteal bank account credentials and other financial information. Attackers usually infect victims using phishing\r\ntechniques to lure them to websites that use exploits to inject Qbot via a dropper. It does this through a\r\ncombination of techniques that subvert the victim’s web sessions, including keylogging, credential theft, cookie\r\nexfiltration, and process hooking.\r\nPreviously, Qbot also used worm self-replication techniques to copy itself over shared drives and removable\r\nmedia. Qbot is still Windows-based, but this latest version adds both detection and research-evasion techniques. It\r\nhas a new packing layer that scrambles and hides the code from scanners and signature-based tools. It also\r\nincludes anti-virtual machine techniques, which help it resist forensic examination. 
However, that didn’t deter us\r\nfrom analyzing its new capabilities and documenting the infection flow.\r\nQbot’s Infection Process\r\nHere’s how the new Qbot infection typically occurs on a targeted computer:\r\nQbot is loaded into the running explorer.exe memory from an executable introduced via phishing, an exploit’s\r\ndropper, or an open file share.\r\nQbot copies itself into the application folder’s default location, as defined in the %APPDATA% registry key.\r\nQbot creates a copy of itself in the specific registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nto run when the system reboots.\r\nQbot drops a .dat file with a log of the system information and the botnet name.\r\nQbot executes its copy from the %APPDATA% folder and, to cover its tracks, replaces the originally infected file\r\nwith a legitimate one.\r\nLastly, Qbot creates an instance of explorer.exe and injects itself into it. The attackers then use the always-running\r\nexplorer.exe process to update Qbot from their external command-and-control server.\r\nQbot Web Banking Target List\r\nOur latest analysis of several samples of the malware from this year showed that Qbot’s focus is on banks in the\r\nUnited States. This appears to be a dedicated campaign with a browser hijack, or redirection, as the main attack\r\nmethod when the machine is infected. As Qbot watches a victim’s web traffic, it looks for specific financial\r\nservices from which to harvest credentials. We found specific strings within Qbot that targeted financial\r\ninstitutions, as shown in Table 1.\r\nTable 1. Financial institutions Qbot targets.\r\nRegional Targeting by Qbot\r\nAnalysis of the latest Qbot campaign shows that it is mainly focused on the United States (see Figure 1), targeting\r\napproximately 36 U.S. 
financial institutions and two banks in Canada and the Netherlands; the rest of the list\r\ncontains generic URL targets that might be added as a second stage in the fraud action.\r\nConclusion\r\nQbot has been around for a dozen years with pretty much the same functionality. The targets changed and features\r\nwere added, but it’s still primarily about keylogging and, secondarily, about extracting a victim’s personal data. As\r\nQbot waxes and wanes in popularity with attackers, it is hard to gauge its overall impact on a global scale.\r\nHowever, it is still a viable threat for defenders to be aware of.\r\nRecommendations\r\nUse updated antivirus software: Antivirus software is still a powerful tool for detecting and stopping\r\nmalware infections. Configure it to update its signatures without intervention and to alert you when it stops\r\nfunctioning.\r\nApply critical patches: Apply critical patches for vulnerabilities with published, weaponized exploits for\r\napplications that touch the Internet, such as browsers and mail clients.\r\nInspect encrypted traffic: Most malware and phishing sites are buried within encrypted SSL/TLS\r\nsessions, often using legitimate certificates. Decrypt, inspect, and sanitize this traffic.\r\nProvide meaningful security awareness training: Make it easy for users to report suspicious behavior.\r\nThe F5 Labs 2018 Phishing and Fraud Report (/content/f5-labs-v2/en/labs/articles/threat-intelligence/2018-phishing-and-fraud-report--attacks-peak-during-the-holidays.html) showed that training employees to\r\nrecognize phishing attempts can reduce click-through rates on malicious emails, links, and attachments\r\nfrom 33% to 13%.\r\nSource: https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks"
	],
	"report_names": [
		"qbot-banking-trojan-still-up-to-its-old-tricks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434784,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a30e6355fc727e7e97a5a37b67647797c835995.pdf",
		"text": "https://archive.orkl.eu/8a30e6355fc727e7e97a5a37b67647797c835995.txt",
		"img": "https://archive.orkl.eu/8a30e6355fc727e7e97a5a37b67647797c835995.jpg"
	}
}