{
	"id": "c50a8ed9-d472-4bf1-b261-81a7cf9038f2",
	"created_at": "2026-04-06T00:18:33.145498Z",
	"updated_at": "2026-04-10T13:12:41.063109Z",
	"deleted_at": null,
	"sha1_hash": "9491000be768a07c0952e4f4c91c51722dc6dfae",
	"title": "Qbot steals your email threads again to infect other victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2195289,
	"plain_text": "Qbot steals your email threads again to infect other victims\r\nBy Lawrence Abrams\r\nPublished: 2020-08-27 · Archived: 2026-04-05 12:50:43 UTC\r\nThe Qbot trojan is again stealing reply-chain emails that can be used to camouflage malware-riddled emails as parts of\r\nprevious conversations in future malicious spam campaigns.\r\nQbot (also known as QakBot) is a banking and information-stealing malware that has been actively infecting victims for\r\nmore than ten years.\r\nWhen installed, Qbot will attempt to steal its victims' stored passwords, cookies, credit cards, emails, and online banking\r\ncredentials.\r\nThis trojan is also known to download and install other malware onto compromised computers, including ProLock\r\nRansomware payloads.\r\nSince July 2020, Qbot has been a malware of choice for the notorious Emotet botnet and has seen a surge of new infections.\r\nQbot steals victim's emails for future malspam campaigns\r\nIn 2019, we reported that QBot had started to steal victims' email threads, using them as part of a context-aware phishing\r\ncampaign during late March 2019.\r\nAccording to a new report by Check Point, QBot continues to employ a tactic previously used by the Gozi ISFB banking\r\ntrojan, the URSNIF information-stealing trojan, and the Emotet trojan [1, 2, 3]: the stealing of full email threads to use in\r\nreply-chain, or 'hijacked email thread' attacks.\r\nA reply-chain phishing attack is when threat actors use a stolen email thread and then reply to it with their own message and\r\nan attached malicious document.\r\nAfter infecting victims, one of the malicious activities conducted by Qbot is to steal emails from a user's 
Outlook client.\r\nThese stolen emails are then uploaded to the Qbot threat actors' servers to be used in future spam campaigns targeting other\r\npotential victims.\r\nReply-chain phishing email (Check Point)\r\nThis type of attack makes the phishing campaign more believable, especially when it is used against those in the original\r\nthread.\r\nCheck Point has observed that these reply-chain attacks contain ZIP attachments with malicious VBS scripts\r\nenclosed. When executed, these VBS scripts will download the Qbot malware on the system and infect the user.\r\n\"During our tracking of the malspam campaign, we have seen hundreds of different URLs for malicious ZIP dropping when\r\nmost of them were compromised WordPress sites,\" Check Point researchers explain.\r\nUsing a victim's stolen email against other recipients creates a perpetuating cycle of new victims being used against others to\r\nspread the malware.\r\nSince this email thread stealing module has been added, Check Point’s researchers have spotted targeted, hijacked email\r\nthreads being used in ongoing campaigns with subjects related to tax payment reminders, the Covid-19 pandemic, and job\r\noffers.\r\nInfection chain (Check Point)\r\nMalware used in highly-targeted campaigns\r\nQbot's authors have also added unusual capabilities at one point or another, as well as a clever way for the malware to\r\nassemble itself from two encrypted halves to evade detection when being delivered onto a target's system.\r\nThe malware is also known for infecting other devices on the same network using network share exploits as well as\r\nhighly aggressive brute-force attacks that target Active Directory admin accounts.\r\nEven though it has been active for over a decade, this banking trojan was mostly used in highly targeted attacks on\r\nenterprise entities that could provide a higher 
return on investment.\r\nAs proof of this, Qbot attacks have been quite infrequent over time, with researchers spotting one in October 2014, one\r\nin April 2016, as well as another one during mid-May 2017. Qbot came back last year, being dropped as a first stage or as a\r\nsecond stage payload by the Emotet gang.\r\nSource: https://www.bleepingcomputer.com/news/security/qbot-steals-your-email-threads-again-to-infect-other-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/qbot-steals-your-email-threads-again-to-infect-other-victims/"
	],
	"report_names": [
		"qbot-steals-your-email-threads-again-to-infect-other-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9491000be768a07c0952e4f4c91c51722dc6dfae.pdf",
		"text": "https://archive.orkl.eu/9491000be768a07c0952e4f4c91c51722dc6dfae.txt",
		"img": "https://archive.orkl.eu/9491000be768a07c0952e4f4c91c51722dc6dfae.jpg"
	}
}