{
	"id": "d7d88045-6f5b-4bec-9078-cdf3bd17a8f6",
	"created_at": "2026-04-06T00:10:40.593425Z",
	"updated_at": "2026-04-10T03:23:51.955387Z",
	"deleted_at": null,
	"sha1_hash": "939f9abd69d090ff0ff48213605ea746c148d19c",
	"title": "THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1634620,
	"plain_text": "THREAT ALERT: Aggressive Qakbot Campaign and the Black\r\nBasta Ransomware Group Targeting U.S. Companies\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 20:57:11 UTC\r\nThe Cybereason Global SOC (GSOC) team is investigating Qakbot infections observed in customer environments\r\nrelated to a potentially widespread ransomware campaign run by Black Basta. The campaign is primarily targeting\r\nU.S.-based companies. \r\nBlack Basta is a ransomware group that emerged in April 2022 and specifically targets organizations in the United\r\nStates, Canada, United Kingdom, Australia, and New Zealand. The group is known for using double-extortion\r\ntactics: they steal sensitive files and information from victims and later use it to extort victims by threatening to\r\npublish the data unless the victim pays the ransom.\r\nIn this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of\r\nentry and move laterally within an organization’s network. QakBot, also known as QBot or Pinkslipbot, is a\r\nbanking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and\r\ncredentials. Once QakBot has successfully infected an environment, the malware installs a backdoor allowing the\r\nthreat actor to drop additional malware—namely, ransomware. \r\nIn this threat alert, the Cybereason team describes one attack scenario that started from a QBot infection, resulting\r\nin multiple key machines loading Cobalt Strike, which finally led to the global deployment of Black Basta\r\nransomware. To make the recovery more difficult, the threat actor also locked the victim out of the network by\r\ndisabling DNS services. We observed this tactic used on more than one victim. 
\r\nThe creation of this threat alert was motivated by the large number of organizations whose IT infrastructures were\r\nimpacted by this recent Qakbot campaign and by the aggressiveness of the threat actor behind it, often leading to\r\nransomware (Black Basta in our case, but it could lead to other ransomware strains).\r\nKEY OBSERVATIONS\r\nThreat actor moves extremely fast: In the different cases of compromise we identified, the threat actor\r\nobtained domain administrator privileges in less than two hours and moved to ransomware deployment in\r\nless than 12 hours.\r\nHigh Severity: The Cybereason GSOC assesses the threat level as HIGH given the potentially widespread\r\ncampaign being run by Black Basta. \r\nWidespread QBot campaign targeting U.S.-based companies: Threat actors leveraging the QBot loader\r\ncast a large net, targeting mainly U.S.-based companies, and acted quickly on any spear phishing\r\nvictims they compromised. In the last two weeks, we observed more than 10 different customers affected by\r\nthis recent campaign.\r\nhttps://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies\r\nPage 1 of 20\n\nNetwork lockout: Among the many Qakbot infections we identified, two allowed the threat actor to deploy\r\nransomware and then lock the victim out of its network by disabling the victim’s DNS service, making the\r\nrecovery even more complex. \r\nBlack Basta deployment: One particularly fast compromise we observed led to the deployment of Black\r\nBasta ransomware. 
This allowed us to establish a link between threat actors leveraging Qakbot and Black Basta\r\noperators.\r\nGiven all of these observations, we recommend that security and detection teams keep an eye out for this campaign,\r\nsince it can quickly lead to severe IT infrastructure damage.\r\nQAKBOT ANALYSIS\r\nThe Cybereason Managed Services team observed multiple infections of Black Basta using QakBot beginning on\r\nNovember 14, 2022. These QakBot infections began with a spam/phishing email containing malicious URL links.\r\nQakbot was the primary method Black Basta used to maintain a presence on victims’ networks. \r\nThat said, we also observed the threat actor using Cobalt Strike during the compromise to gain remote access to the\r\ndomain controller. Finally, ransomware was deployed and the attacker then disabled security mechanisms, such as\r\nEDR and antivirus programs. \r\nThis Threat Alert is broken down into three main parts: \r\nInfection Vector, related to QBot deployment and post-exploitation on the patient zero machine\r\nLateral Movement, related to the key machines the threat actor leveraged to complete the domain\r\ncompromise\r\nGlobal Ransomware Deployment, related to the large-scale deployment of the Black Basta ransomware,\r\nalong with attempts to deactivate security mechanisms\r\nThis attack diagram summarizes the actions carried out by Black Basta affiliates: \r\nAttack Scenario Diagram\r\nInfection Vector\r\nQBot Deployment\r\nRecently, security researchers have observed aggressive QBot campaigns, and the Cybereason team was able to\r\nmap the identified activity to public CTI posts: \r\nSource: Twitter\r\n(https://twitter.com/Max_Mal_/status/1592577982912425984)\r\nUsing this source to infer the original phishing vector, we concluded that the attacker uses an IMG file (Disk Image\r\nFile, 
similar to the ISO format) as the initial compromise vector. We also identified other QBot infection vectors\r\nstarting from ISO files, depending on the campaign. Prior to Microsoft's patch regarding MOTW (Mark of the Web),\r\nfiles inside these types of image files (ISO/IMG) were not marked properly with Mark of the Web, a system that\r\nallows Windows to flag a file with metadata such as its download URL and warn users prior to opening the file. After\r\nthis patch fixed the bug, the threat actors moved to a zero-day for MOTW that allows bypassing the\r\nMicrosoft security flags with a malformed signature inside the malicious files. \r\nAdditionally, QBot recently changed the way it loads its malicious payload from JavaScript to VBS.\r\nThe malicious VBS file is delivered via an image file mounted to the D: drive. The regsvr32.exe process then\r\nexecutes another randomly named file from the same mount, in a randomly named folder, in this case\r\n“\\inducted\\aficionado.tmp”. The subsequent regsvr32.exe child process contains the Qbot module most commonly\r\nseen in recent attacks: fwpolicyiomgr.dll. 
\r\nThis file is named after a legitimate Windows file normally located in\r\n“C:\\Windows\\System32\\FWPolicyIOMgr.dll”, but crucially, in the case of Qbot, it is loaded as floating code\r\nwithout an image file on disk.\r\nQBot full infection process tree, as seen from the Cybereason Defense Platform\r\nIn the example above: \r\nThe processes included in the process tree from wscript.exe to wermgr.exe are related to QBot.\r\nThe processes included in the process tree from wermgr.exe to getmac.exe are related to Cobalt Strike.\r\nThis diagram explains the infection vector:\r\nQBot Infection Process\r\nSubsequently, the fwpolicyiomgr.dll module is injected into the iexplore.exe process, which connects to a multitude\r\nof Qbot C2 servers, many of which see no significant data sent/transferred. There are also connections to many\r\nlegitimate websites such as yahoo.com, xfinity.com, irs.gov, and more. For a full list of Qbot C2 servers, refer to\r\n“Associated IPs” below. 
\r\nList of domain/IP addresses that iexplore.exe communicates with, including legitimate and QBot C2s\r\nThe iexplore.exe process executes Qbot discovery commands as follows:\r\nnet view\r\ncmd /c set\r\narp -a\r\nipconfig /all\r\nnslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.{Domain}\r\nnet share\r\nroute print\r\nnetstat -nao\r\nnet localgroup\r\nwhoami /all\r\nAdditionally, iexplore.exe spawns another instance of Qbot through regsvr32.exe, which in that case failed to\r\nload: \r\nRegsvr32.exe trying to load a DLL \r\nThis activity, Regsvr32.exe trying to load a DLL, is most likely related to QBot persistence mechanisms. \r\nThe Wermgr.exe process then starts and loads the Qbot module fwpolicyiomgr.dll, along with two new floating\r\npayloads (plugin_payload54.dll and plugin_payload55.dll). It also connects to the C2 domain jesofidiwi[.]com. \r\nFull process tree as seen from the Cybereason Platform after QBot loading\r\nThe jesofidiwi[.]com domain is the main domain used by the threat actor to persist on the network, and the\r\nCybereason team noticed that it is embedded in recent Bumblebee samples. \r\nExtract from\r\nhttps://www.virustotal.com/gui/file/4a2e23d604d2d2774df43b5c539f9726c6033db55b483c49e4e84314265f6f6e/details\r\nAccording to the VirusTotal information, this C2 address relates to Cobalt Strike, which we will confirm in the next\r\npart of this report. 
\r\nThe Wermgr.exe process injects into the getmac.exe process, a Windows binary used for getting MAC addresses\r\nand network adapter information. \r\nGetmac.exe loads a number of open-source C# frameworks for stealing browser credentials, Kerberos interaction,\r\npassword management, and compression, along with .NET namespaces and more. \r\nLoading these frameworks in memory helps the threat actors remain fileless while accomplishing their goal. \r\nThe full list of loaded modules includes:\r\nsharpweb {FLOATING}\r\nsharpchromium {FLOATING}\r\npassvault {FLOATING}\r\nrubeus {FLOATING}\r\nprocesses {FLOATING}\r\ngoc {FLOATING}\r\ndnsclient {FLOATING}\r\ncommandline {FLOATING}\r\nnewtonsoft.json {FLOATING}\r\nabc {FLOATING}\r\nsystem.threading.tasks.dataflow {FLOATING}\r\nicsharpcode.sharpziplib {FLOATING}\r\nsystem.buffers {FLOATING}\r\nGetmac.exe with network scanning suspicions \r\nThe cmd.exe process is executed with various reconnaissance and clean-up commands based on what was\r\ndiscovered during the discovery phase, including users and machines that were later compromised:\r\nC:\\WINDOWS\\system32\\cmd.exe /C del *.txt\r\nC:\\WINDOWS\\system32\\cmd.exe /C del OTllMzNkZjMtZTZhMi00NzhkLTgyZjAtZjlkOTZmYTU4ODY0.bin\r\nC:\\WINDOWS\\system32\\cmd.exe /C net accounts /domain\r\nC:\\WINDOWS\\system32\\cmd.exe /C net group \"Domain Admins\" /do\r\nC:\\WINDOWS\\system32\\cmd.exe /C net group \"domain controllers\" /domain\r\nC:\\WINDOWS\\system32\\cmd.exe /C net user {user} /domain\r\nC:\\WINDOWS\\system32\\cmd.exe /C net user {user} /domain\r\nC:\\WINDOWS\\system32\\cmd.exe /C nltest /dclist:{domain}\r\nC:\\WINDOWS\\system32\\cmd.exe /C query user /server:{IP}\r\nPowerShell is used to query information against Active Directory Domain Services with the\r\nSystem.DirectoryServices.DirectorySearcher class. 
The results are then saved as ccccOUT.csv. \r\npowershell -nop -exec bypass -EncodedCommand $so = New-Object System.DirectoryServices.DirectorySearcher; $so.filter = \"(\u0026(samAccountType=805306369))\"; $so.FindAll() | Select -Property @{N='Name'; E={$_.properties.samaccountname}},@{N='OS'; E={$_.properties.operatingsystem}},@{N='Descr'; E={$_.properties.description}},@{N='LastTime'; E={; [datetime]::FromFileTime($_.properties.lastlogontimestamp -as [string]).ToString('yyyy-MM-dd HH:mm')}},@{N='IP'; E={$_.properties.ipv4address}},@{N='ManagedBy'; E={$_.properties.managedby}},@{N='primarygroup'; E={$_.properties.primarygroup}} | Export-csv ccccOUT.csv -encoding utf8\r\nCredential Harvesting\r\nThe below esentutl.exe command is used to get the victim’s internet history data by combining separate log,\r\ndatabase, and system files to form a cohesive history for later use. The file that will contain the history data is\r\nWebCacheV01.dat.\r\nesentutl.exe /r V01 /l\"C:\\Users\\[REDACTED]\\AppData\\Local\\Microsoft\\Windows\\WebCache\" /s\"C:\\Users\\[REDACTED]\\AppData\\Local\\Microsoft\\Windows\\WebCache\" /d\"C:\\Users\\[REDACTED]\\AppData\\Local\\Microsoft\\Windows\\WebCache\"\r\nLateral Movement \r\nThe attackers were able to compromise a domain admin account, which was possibly used to drop a Cobalt Strike\r\npayload to several servers, including a domain controller, in the customer environment. \r\nThis was done by placing the Cobalt Strike payload in the public folder and executing it with the rundll32.exe\r\nSetVolume command through remote services deployed from the initial machine. 
\r\nC:\\Windows\\SysWOW64\\rundll32.exe C:\\users\\public\\cob_54.dll,SetVolume\r\nRundll32.exe Malop with services.exe parent\r\nGetmac.exe sending a StartService Remote Procedure Call to one of the compromised servers\r\nOutgoing connection to the compromised server over port 135 (RPC).\r\nThe connection being received by the services.exe process on the compromised server\r\nA quick analysis of the DLL files shows that the file masquerades as the Rainmeter program: \r\nDLL File Property of cob_54.dll\r\nIn another case, we identified what seems to be the x86 version of this DLL, named cob_56.dll.\r\nFinally, affected rundll32.exe processes actively communicated with their C2 servers, \r\ntevokaxol[.]com and jesofidiwi[.]com: \r\nCommunication from the rundll32.exe process to its C2 \r\nThis process is used to deploy more floating code into the getmac.exe process, as seen on patient zero: \r\nRundll32.exe with the malicious Cobalt Strike modules, spawning getmac.exe as well as injecting code into the\r\nprocess\r\nGlobal Deployment of Black Basta \r\nThe final phase of the attack was to infect as many machines as possible, using the information and credentials\r\ngathered during the first two phases.\r\nThis chapter describes the different steps the threat actor took to globally deploy the Black Basta ransomware.\r\nIdentifying Security Mechanisms\r\nThe Cybereason team identified the threat actor looking for the EDR installed on the machine through the\r\nwmic.exe executable.\r\nThe Cybereason team identified the threat actor manually spawning a cmd.exe process on one server, looking for\r\nthe presence of Cybereason EDR: \r\nProcess 
tree showing the threat actor launching cmd.exe then wmic.exe to identify the presence of Cybereason\r\nIt is likely the threat actor was looking for machines without a sensor to deploy additional malicious tools without\r\nbeing detected.\r\nSpreading through WMI\r\nThrough the investigation, the Cybereason team identified that the threat actor moved laterally to many machines\r\nthrough Windows Management Instrumentation (WMI): \r\nProcess created through remote WMI \r\nWMI is leveraged to execute the malicious commands and the ransomware [REDACTED].exe. (We redacted the\r\nfile name to maintain customer confidentiality.) \r\nThe threat actor deployed the ransomware through what we call a pivot machine, a machine that didn’t have a\r\nsensor. In this case, that machine was obsolete and had access to every other machine in the network. \r\nThe Cybereason team identified many connections to TCP port 135 from this pivot machine, designed to map the\r\ninternal network for potential targets. 
\r\nAttempts to Disable Security Mechanisms\r\nAt this point, the threat actor was targeting most of the machines it could reach and made its first attempts to\r\ndisable the EDR sensor and antivirus software using two scripts, av.bat and av1.bat.\r\nProcess tree showing a remote WMI call to launch 2 bat files, av.bat and av1.bat\r\nAs seen in the capture above, the scripts call msiexec.exe, trying to uninstall the corresponding package of the\r\nEDR/antivirus.\r\nData Encryption: Black Basta \r\nThis threat alert mostly focuses on the deployment of the ransomware, rather than on the analysis of the\r\nransomware binary itself, which explains the brevity of this subchapter.\r\nCreating the Ransom Note\r\nBlack Basta generates the ransom note file, named readme.txt, in each folder Black Basta reaches on the machine.\r\nThe image below shows what the content of the file looks like: \r\nPreview from the dropped ransom note\r\nThe TOR address embedded in the analyzed sample clearly links to Black Basta: \r\nhxxps://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd[.]onion\r\nEncrypting the Files\r\nAfter creating the ransom note, the actual file encryption process begins. 
Black Basta encrypts the files on the\r\nmachine and adds a random extension to each file.\r\nOn top of that, Black Basta replaces the desktop wallpaper and avoids some specific folders like C:\\Windows or the\r\nRecycle Bin.\r\nVolume Shadow Copy Deletion\r\nIn order to delete the machine’s shadow copies, Black Basta executes the process vssadmin.exe with the command\r\nline: Vssadmin delete shadows /all /quiet\r\nAs seen in the process tree below, the process [REDACTED].exe spawns a cmd.exe process right after it\r\nlaunches.\r\nCybereason process tree showing [REDACTED].exe launching cmd.exe, which calls vssadmin.exe\r\nOn the observed machine, encryption did not have time to trigger because the process was prevented immediately\r\nafter its launch.\r\nCYBEREASON RECOMMENDATIONS\r\nThe Cybereason Defense Platform can detect and prevent Qakbot post-exploitation activity and Black Basta impact.\r\nCybereason recommends the following actions:\r\nEnhance Cybereason sensor policies: Set the Cybereason Anti-Ransomware protection mode to\r\nPrevent. More information for Cybereason customers can be found on the NEST.\r\nEnable Variant Payload Protection (VPP) in your Cybereason sensor policy: Upgrade to a version that\r\nhas VPP and enable it, as this will completely prevent Black Basta ransomware execution. VPP is supported\r\nin version 21.2.100 and above (Beta, and disabled by default) and 22.1.183 and above (GA, and enabled by\r\ndefault). 
More information can be found on the NEST.\r\nBlock compromised users: Block users whose machines were involved in the attack, in order to stop or at\r\nleast slow down attacker propagation over the network.\r\nIdentify and block malicious network connections: Identify network flows toward malicious IPs or\r\ndomains identified in the reports and block connections to stop the attacker from controlling the\r\ncompromised machines. \r\nReset Active Directory access: If Domain Controllers (DCs) were accessed by the attacker and potentially\r\nall accounts have been stolen, it is recommended that, when rebuilding the network, all AD accesses are\r\nreset. Important note: the krbtgt account needs to be reset twice and in a timely fashion.\r\nEngage Incident Response: It is important to investigate the actions of the attacker thoroughly to ensure\r\nyou’ve not missed any activity and you’ve patched everything that needs to be patched.\r\nCleanse compromised machines: Isolate and re-image all infected machines, to limit the risk of a second\r\ncompromise or the attacker getting subsequent access to the network.\r\nHunt proactively: Use the Investigation screen in the Cybereason Defense Platform and the queries in the\r\nHunting Queries section of the NEST version of this article to search for assets that have potentially been\r\nexploited. 
Based on the search results, take further remediation actions, such as isolating the infected\r\nmachines, and deleting the payload file.\r\nAdd IOCs: Add the aforementioned IoCs to the custom reputation with “Block and Prevent.”\r\nDisable disk image file auto-mounting: To prevent this infection technique from succeeding, consider\r\ndisabling auto-mounting of disk image files (primarily .iso, .img, .vhd, and .vhdx) globally through GPOs.\r\nThis can be achieved by modifying the registry values related to the Windows Explorer file\r\nassociations in order to disable the automatic Explorer \"Mount and Burn\" dialog for these file\r\nextensions. (This will not deactivate the mount functionality itself.)\r\nQAKBOT Black Basta IOCs\r\nWe recommend blocking the following domains and IP addresses using your network infrastructure: \r\nAssociated Domains:\r\njesofidiwi[.]com (Cobalt Strike C2)\r\ndimingol[.]com (Cobalt Strike-related domain used for DNS exfiltration)\r\ntevokaxol[.]com (Cobalt Strike C2)\r\nvopaxafi[.]com (Cobalt Strike C2)\r\nAssociated IPs: \r\n108.177.235.29 \r\n144.202.42.216\r\n108.62.118.197 \r\nQakbot C2 addresses\r\nAdd the following hashes to the blocklist in your Cybereason environment:\r\nAssociated Hashes (SHA1): \r\n75b2593da627472b1c990f244e24d4e971c939e7 (aficionado.tmp)\r\n3a852c006085d0ce8a18063e17f525e950bb914c (cob_54.dll)\r\n4202bf2408750589e36750d077746266176ac239 (cob_56.dll)\r\nHunt for the following files (those are also mentioned in the Hunting Queries chapter):\r\nAssociated file names: \r\naficionado.tmp (Qbot loader)\r\nfwpolicyiomgr.dll (Qbot module)\r\nplugin_payload54.dll\r\nplugin_payload55.dll\r\ncob_54.dll\r\nThese indicators can be used for threat hunting purposes.\r\nABOUT THE RESEARCHERS \r\nLoïc Castel, IR Security Analyst, Cybereason IR Team\r\nLoïc Castel is a Security Analyst with the Cybereason IR team. Loïc analyses and researches critical incidents and\r\ncybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as\r\nLead Digital Forensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident response, but is also\r\ninterested in offensive aspects such as vulnerability research.\r\nJoakim Kandefelt, Blue Team Security Analyst, Cybereason Blue Team\r\nJoakim Kandefelt is a Blue Team Investigator with the Cybereason Global SOC team. He has been with\r\nCybereason for more than 5 years, starting as an analyst within the APAC GSOC specializing in Reverse\r\nEngineering and Threat Hunting, and venturing into CTI and IR. As part of his current, more advanced role, he\r\nenjoys leveraging IR methodology to detect Red Team TTPs and working to ensure customers are safe. 
He\r\nmaintains his passion for Reverse Engineering and Threat Hunting.\r\nDanielle Frankel, GSOC AMER Security Services Account Manager, Cybereason Global SOC\r\nDanielle Frankel is a Security Services Assurance Manager (SSAM) for the Cybereason Global SOC. As an SSAM,\r\nshe serves as a focal point for services-related escalations with exceptional business impact, working with\r\ncustomers and internal teams to resolve the issues. Previously, Danielle worked as a Customer Success Manager\r\nand as a Tier 1 SOC Analyst at Cybereason. Danielle is passionate about cybersecurity, and earned her Master’s\r\nDegree in Counterterrorism and Cyber Security at Reichman University (IDC Herzliya).\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every\r\ncontinent. Led by cybersecurity experts with experience working for government, the military and multiple industry\r\nverticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to\r\nsupport our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.\r\nSource: https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies"
	],
	"report_names": [
		"threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434240,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/939f9abd69d090ff0ff48213605ea746c148d19c.pdf",
		"text": "https://archive.orkl.eu/939f9abd69d090ff0ff48213605ea746c148d19c.txt",
		"img": "https://archive.orkl.eu/939f9abd69d090ff0ff48213605ea746c148d19c.jpg"
	}
}