{
	"id": "2377e734-1ad7-4760-b506-a460c0935058",
	"created_at": "2026-04-06T00:13:28.273336Z",
	"updated_at": "2026-04-10T03:20:39.612435Z",
	"deleted_at": null,
	"sha1_hash": "8eb7ebfc342230a39553d8520cd897ff4b24a4ff",
	"title": "Qakbot Resurges, Spreads through VBS Files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 638237,
	"plain_text": "Qakbot Resurges, Spreads through VBS Files\r\nArchived: 2026-04-05 23:47:32 UTC\r\nInsights and Analysis by Erika Mendoza, Ian Lagrazon, and Gilbert Sison\r\nAdditional Analysis by Miguel Ang, Monte De Jesus, Jesus Titular, Catherine Loveria\r\nThrough managed detection and response (MDR), we found that a lot of threats come from inbound emails. These messages usually contain phishing links, malicious attachments, or instructions. However, in our daily investigation of email metadata, we often detect threats not just in inbound emails, but even in the users' own sent items folder. This involves an unwitting user, a possibly compromised account, and harmful messages carrying threats. In one such incident, we have been able to correlate email compromise with the intent to spread Qakbot-related email messages.\r\nWe have seen events that point to the resurgence of Qakbot, a multi-component, information-stealing threat first discovered in 2007. Feedback from our sensors indicates that Qakbot detections increased overall. A notable rise in detections of a particular Qakbot sample (detected by Trend Micro as Backdoor.Win32.QBOT.SMTH) was also witnessed in early April.\r\nNote that we used a partial and inexhaustive list of indicators for this analysis.\r\nBackground of detections for all Qakbot variants\r\nFrom January to the third week of May this year, we had a total of 3,893 unique Qakbot detections. We’ve seen a spike in January with over 1,400, which mellowed down in February and March. It climbed back in April with over 1,000. Data for May is also quite high at 679, considering that the month has not ended yet.\r\nhttps://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files\r\nPage 1 of 9\r\nFigure 1. 
Unique Qakbot detections from January to May 2020\r\nAmong the specified and known industries, healthcare was the most affected with 256 unique detections from the same period, followed by manufacturing and government with 161 and 60, respectively. These three consistently appeared on the top of the list in most months.\r\nFigure 2. Top industries for unique Qakbot detections from January to May 2020\r\nIn terms of the countries of affected users, Thailand had the most unique detections at 939, with most detected in January. China followed closely with 908, while the US was third at 688. China and the US have been consistently in the top three for all months. In January, Thailand had the highest number of unique detections while the United States was mostly affected in April. In May, we see a surge in number from Germany.\r\nFigure 3. Top countries for unique Qakbot detections from January to May 2020\r\nDetections for Backdoor.Win32.QBOT.SMTH Qakbot variant\r\nAfter inactivity since the beginning of this year, unique detections for Backdoor.Win32.QBOT.SMTH trickled in since April 9. Among 434 unique detections, the highest came within the period of April 19-23. April 22 had the highest number at 91.\r\nFigure 4. Unique detections of the Qakbot variant from April 21 to May 16, 2020\r\nAmong users with specified and known industries, the rise had been observed mostly in the healthcare sector with 141 unique detections.\r\nFigure 5. 
Industries with unique detections of the Qakbot variant\r\n233 or almost half of the recorded unique detections have been seen affecting users from the US. Australia and China follow with 95 and 30, respectively.\r\nFigure 6. Top countries with unique detections of the Qakbot variant\r\nThe malware has been known to proliferate through network shares, removable drives, or software vulnerabilities. The recent instances we have observed were spread through emails with malicious links. Clicking the link leads to the download of a zip containing a VBS file (detected as Trojan.VBS.QAKBOT.SM) that then downloads a malicious executable file (detected by Trend Micro as Backdoor.Win32.QBOT.SMTH).\r\nThe new samples are similar to older variants in terms of behavior and encryption. Like its earlier versions, it maintains persistence by creating an auto-run registry entry and a scheduled task.\r\nProliferation and Behavior of the Qakbot Variant\r\nThis Qakbot variant spreads via emails with malicious links pointing to compromised websites hosting the Qakbot malware. The emails look like old forwarded messages that pose as replies to relevant business-related email threads. Often, the sender’s name and email address don’t match.\r\nFigures 7-8. 
Sample emails with malicious links that lead to the download of Qakbot\r\nThe emails contain URLs that follow a noticeable pattern, as seen below:\r\n{compromised website}/differ/ ...\r\n{compromised website}/docs_{3 characters}/{numbers} …\r\n{compromised website}/wp-content/plugins/advanced-ads-genesis/docs_{3 characters}/ …\r\n{compromised website}/wp-content/themes/calliope/docs_{3 characters}/ …\r\n{compromised website}/wp-content/themes/mapro/pump/ ...\r\n{compromised website}/wp-content/uploads/2020/04/evolving/ …\r\nClicking the link will download a zip file. Like the URLs, the file names follow a particular pattern:\r\n{numbers}.zip\r\nBuy-Sell Agreement_{numbers}_{date}.zip\r\nJudgement_{date}_{numbers}.zip\r\nThe more recent spam mails this month use this file name pattern instead:\r\nEmploymentVerification_{numbers}_{date}.zip\r\nLoanAgreement_{numbers}_{date}.zip\r\nIn one sample we analyzed, the zip file contains a VBS file named NUM_56960.vbs. The size of the file is around 30MB. The large file size helps it evade detection, as file scanners usually skip scanning huge files for performance reasons. This VBS file then downloads the malicious executable file PaintHelper.exe.\r\nQakbot has anti-analysis and anti-virtual machine checks. 
It will not continue to execute if any of the following exists in the system:\r\nAnalysis Tools\r\nAvastSvc.exe\r\navgcsrva.exe\r\navgsvcx.exe\r\navp.exe\r\nbdagent.exe\r\nByteFence.exe\r\nccSvcHst.exe\r\ncmdagent.exe\r\ncoreServiceShell.exe\r\negui.exe\r\nekrn.exe\r\nfmon.exe\r\nfshoster32.exe\r\nisesrv.exe\r\nmbamgui.exe\r\nMBAMService.exe\r\nmcshield.exe\r\nMsMpEng.exe\r\nNTRTScan.exe\r\nPccNTMon.exe\r\nSAVAdminService.exe\r\nSavService.exe\r\nvgcsrvx.exe\r\nvkise.exe\r\nvsserv.exe\r\nvsservppl.exe\r\nwindump.exe\r\nWRSA.exe\r\nSandbox\r\nCWSandbox\r\nQEMU\r\nSbieDll.dll\r\nVBox\r\nVmtoolsd.exe\r\nVMWare\r\nOnce it continues, it creates a folder for its components in %AppData%\\Microsoft\\{random name}\\. It then proceeds by copying itself to %AppData%\\Microsoft\\{random name}\\{random}.exe and then creates a corresponding auto-run entry:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n{random} = %APPDATA%\\Microsoft\\{random name}\\{random}.exe\r\nIt also creates a scheduled task through the following:\r\n\"C:\\Windows\\system32\\schtasks.exe\" /create /tn {8BAD047B-4889-4161-9D32-63F25CBFC779} /tr \"\"{Malware Path}\\{malware name}\"\" /sc HOURLY /mo 5 /F\r\nCopies of the malware are also placed in other locations:\r\n%ProgramData%\\{random}.exe\r\n%TEMP%\\{random}.exe\r\n%User%\\{random.exe}\r\nAfter installation, Qakbot injects itself into any of the following processes to remain memory resident:\r\nexplorer.exe\r\nIexplore.exe\r\nMobsync.exe\r\nIt has both domain generation algorithms (DGA) and a couple of hardcoded C\u0026C servers. 
The DGA routine works by trying to access random IP and port combinations and continues into a POST command once it makes a successful connection. Its code also suggests a PowerShell routine that allows it to download other components, as also seen in older variants. This means that its routines (other than installation) are loaded through another component, usually downloaded from the C\u0026C server.\r\nLike other malware types, Qakbot is periodically updated, giving it improved propagation techniques in 2011 and a resurgence in 2016. It has also been seen to include Simple Mail Transfer Protocol (SMTP) activities and use Mimikatz. Recently, Qakbot has been seen teaming up with ProLock ransomware.\r\nRecommendations\r\nThe constant resurgence of new, more sophisticated variants of known malware, as well as the emergence of entirely unknown threats, demands solutions with advanced detection and response capabilities.\r\nFrom their end, users can protect themselves from the new Qakbot samples and other threats spread through emails by following some of these best practices:\r\nAvoid downloading attachments or clicking on embedded links from emails before verifying the sender and the content.\r\nHover the pointer above embedded links to show the link’s target.\r\nCheck the identity of the sender. Unfamiliar email addresses, mismatched email and sender name, and spoofed company emails are some of the signs that the sender has malicious intent.\r\nIf the email claims to come from a legitimate company, check if they sent it before taking any action.\r\nUsers can also protect systems through managed detection and response (MDR), which utilizes advanced artificial intelligence to correlate and prioritize threats, determining if they are part of a larger attack. 
It can detect threats before they are executed, thus preventing further compromise.\r\nIndicators of Compromise\r\nURL\r\nhxxps://besthack[.]co/differ/50160153/50160153[.]zip\r\nhxxps://besthack[.]co/differ/886927[.]zip\r\nFile Name SHA-256 Trend Micro Pattern Detection\r\nNUM_56960.vbs 166442aca7750b45d10cdbdb372dd336a730a3033933a2a0b142d91462017fd2 Trojan.VBS.QAKBOT.SM\r\nPainthelper.exe b8b7b5df48840b90393a702c994c6fb47b7e40cfe3552533693149d9537eaef5 Backdoor.Win32.QBOT.SM",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files"
	],
	"report_names": [
		"qakbot-resurges-spreads-through-vbs-files"
	],
	"threat_actors": [],
	"ts_created_at": 1775434408,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8eb7ebfc342230a39553d8520cd897ff4b24a4ff.pdf",
		"text": "https://archive.orkl.eu/8eb7ebfc342230a39553d8520cd897ff4b24a4ff.txt",
		"img": "https://archive.orkl.eu/8eb7ebfc342230a39553d8520cd897ff4b24a4ff.jpg"
	}
}