{
	"id": "dfa0a57b-7da2-4dbe-837f-124ab592840d",
	"created_at": "2026-04-06T02:11:36.584786Z",
	"updated_at": "2026-04-10T03:20:17.775197Z",
	"deleted_at": null,
	"sha1_hash": "a7c50f9f98608b2a2ab568eb6a5fcc4ba652ab74",
	"title": "QBot phishing uses Windows Calculator DLL hijacking to infect devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1704014,
	"plain_text": "QBot phishing uses Windows Calculator DLL hijacking to infect devices\r\nBy Bill Toulas\r\nPublished: 2022-07-24 · Archived: 2026-04-06 01:37:09 UTC\r\nThe operators of the QBot malware have been using a DLL hijacking flaw in Windows Calculator to infect computers,\r\nwhich also helps evade detection by security software.\r\nDLL hijacking is a common attack method that takes advantage of how Dynamic Link Libraries (DLLs) are handled in\r\nWindows. It consists of creating a malicious version of a legitimate DLL required by the program and placing it early in the\r\nsearch order used to find a required DLL. This folder is commonly the same folder as the executable.\r\nWhen the executable is launched, it will find the malicious version with the same name in the same folder, loading that\r\ninstead and infecting the computer.\r\nhttps://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/\r\nPage 1 of 5\r\nQBot, also known as Qakbot, is a Windows malware strain that started as a banking trojan but evolved into a malware\r\ndropper, and is used by ransomware gangs in the early stages of an attack to drop Cobalt Strike beacons.\r\nSecurity researcher ProxyLife recently discovered that Qakbot has been abusing the Windows 7 Calculator app for DLL\r\nhijacking attacks since at least July 11. The method continues to be used in malspam campaigns.\r\nNew QBot infection chain\r\nTo help defenders protect against this threat, ProxyLife and researchers at Cyble documented the latest QBot infection chain.\r\nThe emails used in the latest campaign carry an HTML file attachment that downloads a password-protected ZIP archive\r\nwith an ISO file inside.\r\nThe password for opening the ZIP file is shown in the HTML file, and the reason for locking the archive is to evade\r\nantivirus detection.\r\nHTML attachment on QBot spam emails\r\nThe ISO contains a .LNK file, a copy of 'calc.exe' (Windows Calculator), and two DLL files, namely WindowsCodecs.dll\r\nand a payload named 7533.dll.\r\nZIP archive contents\r\nWhen the user mounts the ISO file, it only displays the .LNK file, which is masqueraded to look like a PDF holding\r\nimportant information or a file that opens with the Microsoft Edge browser.\r\nHowever, the shortcut points to the Calculator app in Windows, as seen in the properties dialog for the file.\r\nProperties of the PDF file that triggers the infection\r\nClicking the shortcut triggers the infection by executing Calc.exe through the Command Prompt.\r\nWhen loaded, the Windows 7 Calculator automatically searches for and attempts to load the legitimate WindowsCodecs\r\nDLL file. However, it does not check for the DLL in certain hard-coded paths, and will load any DLL with the same name if\r\nplaced in the same folder as the Calc.exe executable.\r\nThe threat actors take advantage of this flaw by creating their own malicious WindowsCodecs.dll file that launches the other\r\n[numbered].dll file, which is the QBot malware.\r\nBy installing QBot through a trusted program like the Windows Calculator, some security software may not detect the\r\nmalware when it is loaded, allowing the threat actors to evade detection.\r\nIt should be noted that this DLL hijacking flaw no longer works in the Windows 10 Calc.exe and later, which is why the threat\r\nactors bundle the Windows 7 version.\r\nQBot has been around for more than a decade, with origins going as far back as 2009 [1, 2, 3, 4]. While campaigns\r\ndelivering it are not frequent, it was observed being distributed by the Emotet botnet in the past to drop ransomware payloads.\r\nAmong the ransomware families that QBot delivered are RansomExx, Maze, ProLock, and Egregor. More recently, the\r\nmalware dropped Black Basta ransomware.\r\nSource: https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/"
	],
	"report_names": [
		"qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775441496,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7c50f9f98608b2a2ab568eb6a5fcc4ba652ab74.pdf",
		"text": "https://archive.orkl.eu/a7c50f9f98608b2a2ab568eb6a5fcc4ba652ab74.txt",
		"img": "https://archive.orkl.eu/a7c50f9f98608b2a2ab568eb6a5fcc4ba652ab74.jpg"
	}
}