{
	"id": "7e7fab7f-c323-4fc5-a6b2-d31efd630e33",
	"created_at": "2026-04-06T03:36:33.793783Z",
	"updated_at": "2026-04-10T03:33:30.449094Z",
	"deleted_at": null,
	"sha1_hash": "a875345385f7906cc59ec1a0e283337d969a9cd2",
	"title": "Qbot - Red Canary Threat Detection Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58290,
	"plain_text": "Qbot - Red Canary Threat Detection Report\r\nArchived: 2026-04-06 03:13:56 UTC\r\nEditor’s note: While the detection opportunities and analysis on this page are still relevant, it has not been\r\nupdated since 2024. \r\nAlso known as “Qakbot,” the Qbot banking trojan has been active since at least 2007. Initially focused on stealing\r\nuser data and banking credentials, Qbot’s functionality has expanded to incorporate features such as\r\nreconnaissance, follow-on payload delivery, command and control (C2) infrastructure, and anti-analysis\r\ncapabilities. Qbot is typically delivered via an email-based distribution model.\r\nOver the years, various groups have distributed Qbot. The Proofpoint-named groups TA570 and TA577 are\r\nhistorically two of the most active Qbot malware affiliates. TA570 is sometimes referred to as the “presidents”\r\naffiliate because of the use of U.S. presidents’ names in its malware configuration, for example, a campaign\r\nidentifier like obama225. TA577 is also informally known as the “letters” affiliate based on its use of campaign\r\nIDs consisting of letters such as AA, BB, or TR. While Red Canary cannot validate with high confidence that a\r\nspecific group is present in an environment without obtaining a copy of the malware containing the campaign\r\nidentifier, we did observe threats with similar naming schemes to both TA570 and TA577 in our customers’\r\nenvironments in 2023.\r\nQbot is usually deployed as just one stage of an adversary’s playbook, with follow-on activity tied to the\r\nobjectives of the affiliate group deploying it. 
While Red Canary does not observe a lot of post-Qbot activity, we\r\nknow various ransomware affiliates have used it as an initial access vector.\r\nThe story of Qbot in 2023 can be told in three acts: early-year activity, infrastructure takedown by the FBI, and\r\nfinally, Qbot affiliates pivoting to deliver alternative malware.\r\nAct I: The year begins\r\nQbot began 2023 quietly, observing its traditional lull during the Orthodox holidays, but by March it had quickly\r\nreasserted itself as the most prevalent threat facing Red Canary customers. In 2023, Qbot affiliates continued to\r\nexperiment with a variety of file types to deliver malicious payloads during their campaigns, likely in an ongoing\r\nresponse to security controls implemented by Microsoft in 2022. Examples of different delivery approaches\r\ninclude:\r\nhttps://redcanary.com/threat-detection-report/threats/qbot/\r\nPage 1 of 3\n\nEarly 2023 brought Qbot in the form of malicious OneNote files that tricked users into executing an\r\nembedded malicious HTML Application (HTA) file. OneNote files were, at the time, not protected by\r\nMicrosoft’s Mark-of-the-Web (MOTW) feature. Red Canary and other security researchers observed\r\nOneNote abuse until mid-February.\r\nIn March 2023, multiple Red Canary customers received phishing emails with ZIP files containing\r\nmalicious PDF, HTML, WSF, and JS files. Upon opening the files, victims unknowingly executed\r\nmalicious JavaScript, which led to PowerShell commands that downloaded and executed the Qbot\r\nDLL payload.\r\nIn May 2023, Qbot operators began modifying the file extensions of their malware. Red Canary observed\r\nattempted or successful execution of Qbot with filename extensions such as\r\ndirectexaminationSuperarbitrary and englishedDuctal, similar to some 2022 campaigns. 
Qbot also\r\nmasqueraded as PNG, DAT, or JPG files.\r\nStarting in July, Qbot detections decreased dramatically, in line with the extended summer vacation that Red\r\nCanary and other cybersecurity researchers have previously observed. In years past, Qbot would return after its\r\ntwo-to-three month hiatus with a new wave of infections in September. This year, however, would prove to be\r\ndifferent.\r\nAct II: The takedown\r\nOn August 29, 2023, the United States Justice Department announced its participation in an operation to take\r\ndown Qbot C2 infrastructure and remove infections from victim endpoints. The “Operation Duck Hunt” team,\r\nmade up of multinational law enforcement and industry professionals, reported that it uninstalled the malware\r\nfrom more than 700,000 systems comprising the Qbot botnet and seized extorted funds held as cryptocurrency by\r\nthe operators. The takedown was successful. Not only did it thwart Qbot activity, it also delivered a significant\r\nblow to delivery affiliates that heavily leveraged Qbot, including TA577. Weeks passed with no signs of new Qbot\r\nor TA577 activity.\r\nAct III: Return of the affiliate\r\nOn September 22, 2023, Deutsche Telekom CERT’s CTI team shared details of a new TA577 phishing campaign\r\ndelivering DarkGate as its new payload of choice. TA577 also elected to use IcedID and Pikabot to replace\r\nQbot in this new campaign, which continued until the end of December 2023.\r\nDarkGate\r\nDarkGate is a loader offered on popular cybercrime forums as malware-as-a-service (MaaS). The DarkGate\r\nmalware family has been active since at least 2018. It was historically delivered via email phishing campaigns, but\r\nas of August 2023 it has also been distributed via Microsoft Teams phishing messages. It includes built-in defense\r\nevasion, command \u0026 control (C2), and persistence capabilities. 
It also has the ability to download and execute\r\nadditional payloads, making it an appealing replacement for Qbot.\r\nTA577 was not the only threat to leverage DarkGate this year; Red Canary observed several different campaigns\r\nby different groups using DarkGate as their primary payload in 2023.\r\nPikabot\r\nPikabot is a malware family that was first discovered in early 2023. It is modular malware, consisting of loader\r\nand core module components. Pikabot enables unauthorized remote access to a system and it has been observed\r\ndropping malware like Cobalt Strike as a follow-on payload. The Pikabot code base is similar to another malware\r\nfamily named Matanbuchus.\r\nIcedID\r\nIcedID, also known as BokBot, is a crimeware-as-a-service banking trojan. Red Canary profiles IcedID separately in this\r\nreport.\r\nEpilogue\r\nIt remains to be seen what a Qbot return might look like. On December 15, 2023, Microsoft reported new Qbot\r\nactivity, the first new infections publicly reported since the takedown in August. The campaign was low-volume\r\nand of limited scope, targeting the hospitality industry. As of late January 2024, Qbot’s old affiliate networks are\r\nonce again showing signs of life, following their old pattern of ramping up activity after a holiday break. While\r\nthe takedown disrupted the Qbot malware, it is important to distinguish Qbot the tool from the adversaries who\r\nuse it. You can think of the takedown like a government raid that seizes a warring faction’s largest weapons cache:\r\na blow to be sure, but while the adversaries are still at large you can bet they will retool and rearm themselves.\r\nOnly time will tell what their new weapon of choice will be and how it will be used.\r\nSource: https://redcanary.com/threat-detection-report/threats/qbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://redcanary.com/threat-detection-report/threats/qbot/"
	],
	"report_names": [
		"qbot"
	],
	"threat_actors": [
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446593,
	"ts_updated_at": 1775792010,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a875345385f7906cc59ec1a0e283337d969a9cd2.pdf",
		"text": "https://archive.orkl.eu/a875345385f7906cc59ec1a0e283337d969a9cd2.txt",
		"img": "https://archive.orkl.eu/a875345385f7906cc59ec1a0e283337d969a9cd2.jpg"
	}
}