{
	"id": "58e93e68-0d02-454c-852a-15b3752b428d",
	"created_at": "2026-04-06T00:09:20.060614Z",
	"updated_at": "2026-04-10T03:31:13.420059Z",
	"deleted_at": null,
	"sha1_hash": "962cb5736ad203b348edaf4d9491e585b16ca4cf",
	"title": "New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2106705,
	"plain_text": "New Variant of QakBot Being Spread by HTML File Attached to\r\nPhishing Emails\r\nBy Xiaopeng Zhang\r\nPublished: 2022-07-19 · Archived: 2026-04-05 16:45:16 UTC\r\nFortinet’s FortiGuard Labs captured a phishing email as part of a phishing campaign spreading a new variant of\r\nQakBot. Also known as QBot, QuackBot, or Pinkslipbot, QakBot is an information stealer and banking Trojan\r\nthat has been captured and analyzed by security researchers since 2007.\r\nI performed a deep analysis on this phishing campaign and the new QakBot variant using the captured email. In\r\nthis analysis, you will learn how the attached HTML file leads to downloading and executing the new QakBot\r\nvariant, what actions it takes on the victim’s device, and how it sends the collected data from the victim’s device\r\nto its C2 server. \r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows Users\r\nImpact: Controls victim’s device and collects sensitive information\r\nSeverity level: Critical\r\nPhishing Email and the Attached HTML File\r\nFigure 1.1 shows the phishing email used by hackers to lure the recipient into opening the attached HTML file\r\n(ScannedDocs_1586212494.html). This phishing email has been marked as SPAM by Fortinet’s FortiMail.\r\nhttps://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails\r\nPage 1 of 15\n\nFigure 1.1 – Display of the captured phishing email\r\nThe HTML file contains a piece of javascript code that is automatically executed once it is opened in a web\r\nbrowser by the recipient. It decodes a base64 string held by a local variable. It then calls a built-in function,\r\nnavigator.msSaveOrOpenBlob(), to save the base64 decoded data (a ZIP archive) to a local file named\r\n“ScannedDocs_1586212494.zip”. 
Figure 1.2 shows the defined variables with the base64 string and the ZIP file name.\r\nFigure 1.2 – The JavaScript snippet code inside the HTML file\r\nFigure 1.3 is a screenshot of a Microsoft Edge browser opening the HTML file. As you can see, the ZIP archive has been automatically saved onto the victim’s device.\r\nFigure 1.3 – The HTML file opened in the Microsoft Edge browser\r\nDownloading and executing QakBot\r\nNext, we’ll look at what’s inside the downloaded ZIP archive. It’s a Windows shortcut file – “ScannedDocs_1586212494.lnk”. As you may know, a Windows shortcut file can execute commands by putting them into the Target field. Figure 2.1 shows a screenshot of this shortcut file and its properties.\r\nFigure 2.1 – The Windows shortcut file and properties\r\nThe shortcut is disguised with a Microsoft Write icon to trick the victim into thinking it’s a safe text file so they will open it. As for its properties, a group of commands in the Target field will be executed by “cmd.exe”. When the victim double clicks the file, the commands get executed.\r\nAccording to the commands found in Figure 2.1, it mainly runs “cURL” (Client URL) to download a file from the URL 194[.]36[.]191[.]227/%random%.dat into the local file “%ProgramData%\\Flop\\Tres.dod”. cURL is a popular Linux tool, but it has also been part of Windows as a default program since Windows 10.\r\nThe downloaded file (“Tres.dod”) is a DLL file. By my analysis, it is a sort of QakBot loader program. In this case, “regsvr32” is in charge of executing it using the command “regsvr32 %ProgramData%\\Flop\\Tres.dod”.\r\nFigure 2.2 – A view of the QakBot Loader Module’s Resource section\r\nThe QakBot Loader Module (Tres.dod) that runs in “regsvr32.exe” loads a binary block from its Resource section with the name “AAA”, as shown in Figure 2.2. It proceeds to decrypt the binary block to get a fileless PE file and a piece of dynamic code that is a kind of self-deployment function. It is then called by the Loader Module to deploy the fileless PE file, which is the core module of QakBot, inside the “regsvr32” process. After the core module of QakBot is deployed, the last task of the self-deployment function is to call its entry point. Figure 2.3 explains how the self-deployment function calls the entry point of the QakBot core module.\r\nFigure 2.3 – Self-deployment function about to call the entry point of QakBot\r\nProcess Hollowing\r\nMalware usually performs process hollowing to inject malicious code or modules into another process. It does this to evade detection.\r\nDepending on the affected machine’s platform (32-bit or 64-bit) and installed anti-virus software, QakBot will select a system process from a process list as the target process for performing process hollowing. This list includes OneDriveSetup.exe, explorer.exe, mobsync.exe, msra.exe, and iexplore.exe for this variant.\r\nIn my testing environment, it picked “OneDriveSetup.exe”. QakBot then calls the API CreateProcessW() to start a new process using the creation flag CREATE_SUSPENDED so it is suspended at start. It can then modify the new process’s memory, such as copying the QakBot core module into the newly created “OneDriveSetup.exe” process by calling the API WriteProcessMemory(). Next, it modifies the code at the entry point of the new process to jump to the injected core module. It eventually calls the API ResumeThread() to resume the new process, and QakBot is then executed in the target process.\r\nFigure 3.1 shows a process tree with all relevant processes from downloading the QakBot Loader (“curl.exe”) to “OneDriveSetup.exe”.\r\nFigure 3.1 – Overview of the process tree for relevant processes\r\nAnti-analysis technique\r\nBefore analyzing QakBot’s core module, let’s go through some of the anti-analysis techniques that QakBot uses to prevent itself from being easily analyzed.\r\nConstant strings are encrypted\r\nConstant strings are useful information for researchers analyzing code. QakBot holds encrypted constant strings, which are only decrypted by a particular function before use. Figure 4.1 is an example of obtaining a constant string, \"Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0\", through the function at 609DD8 by string index 0xA8.\r\nFigure 4.1 – Example of one decrypted constant string by a function\r\nDynamically obtaining key Windows APIs\r\nMost Windows APIs are obtained during QakBot run-time. It is hard to guess which API is called until the instruction is executed. Below is an instance of calling the API CreateThread(), where dword_61F818 is a dynamically loaded function table whose offset +74H is the function CreateThread().\r\nxor ecx, ecx\r\nlea eax, [ebp+var_4]\r\npush eax\r\nmov eax, dword_61F818 ; Function table of Kernel32.dll\r\npush ecx\r\npush ecx\r\npush offset thread_fun\r\npush ecx\r\npush ecx\r\nmov [ebp+var_4], ecx\r\ncall dword ptr [eax+74h] ; =\u003e CreateThread\r\nmov dword_61F83C, eax\r\ntest eax, eax\r\nDetecting Analysis Tools\r\nQakBot has a thread function that checks once per second to see if any analysis tool is running on the affected machine. To do this, it predefines a process name list of some analysis tools, which of course is a decrypted constant string. Once any of them matches one of the running processes, it will affect QakBot’s workflow (say, never connecting to a C2 server).\r\nHere is the predefined process name list:\r\nfrida-winjector-helper-32.exe, frida-winjector-helper-64.exe, tcpdump.exe, windump.exe, ethereal.exe, wireshark.exe, ettercap.exe;rtsniff.exe, packetcapture.exe, capturenet.exe, qak_proxy;dumpcap.exe, CFF Explorer.exe, not_rundll32.exe, ProcessHacker.exe, tcpview.exe, filemon.exe, procmon.exe;idaq64.exe, PETools.exe, ImportREC.exe, LordPE.exe, SysInspector.exe, proc_analyzer.exe, sysAnalyzer.exe, sniff_hit.exe, joeboxcontrol.exe, joeboxserver.exe, ResourceHacker.exe, x64dbg.exe, Fiddler.exe, sniff_hit.exe, sysAnalyzer.exe\r\nAccording to the above process list, I determined that the analysis tools include, but are not limited to: Joe Sandbox, TcpDump, WinPcap, Wireshark, Ettercap, PacketCapture, CaptureNet, CFF Explorer, ProcessHacker, TcpView, FileMon, ProcMon, IDA Pro, PETools, ImportREC, LordPE, SysInspector, SysAnalyzer, ResourceHacker, x64dbg, and Fiddler.\r\nQakBot’s Core Module Connects to C2 Server\r\nOnce the QakBot core module is resumed in the target process (such as “OneDriveSetup.exe”), it starts from a different entry function than the one used in regsvr32.exe.\r\nAs per QakBot tradition, it uses many threads to perform its tasks. One is to collect information about the affected device and send it to its C2 server.\r\nThe core module has two binary data blocks in its Resource section, named “102” and “103”. The data of Resource “103” is an RC4 encrypted configuration. After decryption, it is the string “10=obama189\\r\\n3=1655107308\\r\\n”. “obama189” is the QakBot ID of this variant, and “1655107308” is a Unix Epoch time.\r\nThe “102” Resource data is an RC4 encrypted C2 server list. “\\System32\\WindowsPowerShel1\\v1.0\\powershel1.exe” is a constant string that generates the RC4 key buffer used to decrypt the C2 server data.\r\nFigure 5.1 – Screenshot of partially decrypted “102” Resource\r\nThe top section of Figure 5.1 shows it was about to call the API FindResourceW with the Resource name “102”, while the bottom section is a partial list of the decrypted binary IP and Port pairs of the C2 servers. There are 123 IP and Port pairs inside this variant.\r\nQakBot goes through all listed C2 servers, one by one, until a connection is established. It then sends the victim registry packet (the first packet) to that C2 server to register the victim. The plain text of the registry packet is:\r\n“{\\”2\\”:\\”hrzpxm292261\\”,\\”8\\”:9,\\”1\\”:18}”\r\nThe keys are string numbers, like “2”, “8”, and “1”. The value of “2” is “hrzpxm292261” (the victim’s ID), which was generated from hardware information; the value of key “8” specifies the packet type (it’s 9 for this packet); and the value of “1” is 18, which is the QakBot version.\r\nThe packet is RC4 encrypted and then encoded as a string using a base64 algorithm. All the packets between QakBot and the C2 server are sealed in a JSON structure.\r\nIt then sends the data to its C2 server using the HTTP POST method with URL “/t4” and the base64 encoded registry data as the body, transported over the SSL protocol. Figure 5.2 shows a screenshot of an analysis tool with the sent packet on the left and response data on the right.\r\nFigure 5.2 – The view of the registry packet in an analysis tool\r\nIt takes the reverse path to restore the response data to plain text, which is base64 decoding followed by RC4 decryption. “{\\”8\\”:5,\\”16\\”:3257495567,\\”39\\”:\\”vLLO\\”,\\”38\\”:1}” is the plain text for this case, which will set or update the value of some local variables.\r\nSending Sensitive Data to the C2 Server\r\nQakBot collects sensitive data from the victim’s device and sends it to its C2 server. Similarly, the hacker could transfer corresponding sub-modules to the QakBot client to be executed on the victim’s device.\r\nQakBot leverages Windows APIs, Windows commands, and WMI Query Language (WQL) to obtain the information. Below are the details.\r\nWindows APIs\r\nAPI Function – Description\r\nGetVersionEx() – Windows edition information, including build number, such as “10.0.1.19043.0.0.0100” for my testing system running Windows 10.\r\nGetComputerNameW() – Computer name, like “DESKTOP-P952NC4”.\r\nGetSystemMetrics() – Obtain screen size (width and height).\r\nNetGetJoinInformation() – Retrieve the AD Domain, like “WORKGROUP”.\r\nLookupAccountSidW() – The user name.\r\nGetSystemInfo() – Processor architecture.\r\nCreateToolhelp32Snapshot(), Process32FirstW(), Process32NextW() – Obtain running process information.\r\nGetModuleFileNameW() – The full path of QakBot and the full path of the target process.\r\nCreateProcessW() – Execute Windows commands.\r\nWMI Object Query\r\nQuery String – Description\r\nSELECT * FROM Win32_OperatingSystem – OS information.\r\nSELECT * FROM AntiVirusProduct – Obtain the installed AntiVirus software, like Microsoft Defender or FortiClient.\r\nSELECT * FROM Win32_Processor – CPU processor information.\r\nSELECT * FROM Win32_ComputerSystem – System environment information, like Model, Domain, Manufacturer, etc.\r\nSELECT * FROM Win32_Bios – Device’s BIOS information.\r\nSELECT * FROM Win32_DiskDrive – Hard disk information, like Partitions, Size, and Model.\r\nSELECT * FROM Win32_PhysicalMemory – Physical RAM sticks’ detailed information, such as capacity, clock speed, and channel.\r\nSELECT Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName FROM Win32_Product – Installed software information.\r\nSELECT Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status FROM Win32_PnPEntity – Properties of Plug and Play devices, like Keyboard, Mouse, CD-ROM, Network adapter, and more.\r\nWindows Commands\r\nCommand – Description\r\n\"ipconfig /all\" – All TCP/IP network configuration values.\r\n\"nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s\" – Query SRV records for the domain from the main DNS server of the victim’s device.\r\n\"nltest /domain_trusts /all_trusts\" – Enumerate domain trusts.\r\n\"net share\" – Shared resources and names.\r\n\"route print\" – Active route tables.\r\n\"netstat -nao\" – Active connections on the victim’s device.\r\n\"net localgroup\" – Local group information.\r\n\"qwinsta\" – Active sessions on the victim’s device.\r\n\"arp -a\" – Information about ARP entries.\r\n\"net view /all\" – Display all the shares on a remote computer.\r\nOnce QakBot has collected all the information shown in the above tables, it seals the information inside a packet with packet type “8”:4. Figure 6.1 shows the JSON data of this packet just before it is passed to the RC4 encryption function.\r\nFigure 6.1 – Plain text of packet “8”:4 with sensitive information\r\nAlthough this QakBot successfully established connections with its C2 server, I have not received any sub-modules. I’m still monitoring the communication and will update this analysis if I get something interesting.\r\nConclusion\r\nAccording to this analysis, I proved that an attached HTML file is no safer than any other risky file type (like MS Word, MS Excel, PDF, and so on). You have to be extra cautious when receiving emails with attachments.\r\nI then explained how the HTML file drops a ZIP archive through a piece of auto-executing JavaScript code. Later, I focused on how a disguised Windows shortcut file downloads the loader module of QakBot.\r\nYou also learned what the loader module does to decrypt and deploy the core module of QakBot in a chosen target process (“OneDriveSetup.exe” in this case).\r\nAnd finally, we walked through QakBot starting threads to connect to its C2 server using an IP address and port pair chosen from a C2 server list that had been decrypted from its Resource “102”, as well as what sensitive data it retrieved from the victim’s device and then submitted to its C2 server.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:\r\nThe phishing email was detected as \"SPAM\" by the FortiMail service.\r\nThe URL used to download QakBot and its C2 servers have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe HTML file attached to the phishing email and the downloaded QakBot Loader module are detected as \"JS/Agent.BLOB!tr\" and \"W32/Qbot.D!tr\" and are blocked by the FortiGuard Antivirus service.\r\nFortiEDR detects the involved file as malicious based on its behavior.\r\nIn addition to these protections, we suggest that organizations have their end users also go through the FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIOCs\r\nURLs:\r\n194[.]36[.]191[.]227/%random%.dat\r\n(The complete C2 server list is linked from the original blog post.)\r\nSample SHA-256 Involved in the Campaign:\r\n[Attached HTML file]\r\nFE1043A63E6F0A6FAA762771FF0C82F253E979E6E3F4ADD1C26A7BD0C4B2E14C\r\n[Loader module of QakBot]\r\n9C3D3CD9B0FCB39117692600A7296B68DDDF2995C6D302BC9D9C8B786780BA19\r\n[ScannedDocs_1586212494.lnk]\r\nF5B6619E92D7C4698733D9514DF62AFACA99883DFAC8B9EE32A07D087F2800BF\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails"
	],
	"report_names": [
		"new-variant-of-qakbot-spread-by-phishing-emails"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434160,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/962cb5736ad203b348edaf4d9491e585b16ca4cf.pdf",
		"text": "https://archive.orkl.eu/962cb5736ad203b348edaf4d9491e585b16ca4cf.txt",
		"img": "https://archive.orkl.eu/962cb5736ad203b348edaf4d9491e585b16ca4cf.jpg"
	}
}