{
	"id": "3bc19708-0141-48c5-9d72-ca4878aad30e",
	"created_at": "2026-04-06T00:07:57.53581Z",
	"updated_at": "2026-04-10T03:29:39.87967Z",
	"deleted_at": null,
	"sha1_hash": "af9596059e47b61cc1b33efd711de5ae383287d0",
	"title": "Qbot malware returns in campaign targeting hospitality industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1483831,
	"plain_text": "Qbot malware returns in campaign targeting hospitality industry\r\nBy Lawrence Abrams\r\nPublished: 2023-12-17 · Archived: 2026-04-05 15:43:48 UTC\r\nThe QakBot malware is once again being distributed in phishing campaigns after the botnet was disrupted by law\r\nenforcement over the summer.\r\nIn August, a multinational law enforcement operation called Operation Duck Hunt accessed the QakBot admin's servers and\r\nmapped out the botnet's infrastructure.\r\nAfter gaining access to the botnet's encryption keys used for malware communication, the FBI was able to hijack the\r\nbotnet to push a custom Windows DLL module to infected devices. This DLL executed a command that terminated the\r\nQakBot malware, effectively disrupting the botnet.\r\nhttps://www.bleepingcomputer.com/news/security/qbot-malware-returns-in-campaign-targeting-hospitality-industry/\r\nPage 1 of 4\r\nWhile a phishing service that was used to distribute the Qbot malware has seen activity since the disruption, there was no\r\ndistribution of the QakBot malware until this past Monday, when the new phishing campaign started.\r\nQakBot returns\r\nMicrosoft is now warning that QakBot is being distributed again in a phishing campaign pretending to be an email from an\r\nIRS employee.\r\nMicrosoft says it first observed the phishing attack on December 11th in a small campaign targeting the hospitality industry.\r\nAttached to the email is a PDF file pretending to be a guest list that says \"Document preview is not available,\" and then\r\nprompts the user to download the PDF to view it properly.\r\nHowever, when clicking on the download button, recipients will download an MSI that, when installed, launches the Qakbot\r\nmalware DLL into memory.\r\nMicrosoft says the DLL was generated on December 11th, the same day the phishing campaign started, and uses a campaign\r\ncode of 'tchk06' and command and control servers at 45.138.74.191:443 and 65.108.218.24:443.\r\n\"Most notably, the delivered Qakbot payload was configured with the previously unseen version 0x500,\" Microsoft tweeted,\r\nindicating the continued development of the malware.\r\nSecurity researchers Pim Trouerbach and Tommy Madjar have also confirmed that the Qakbot payload being distributed is\r\nnew, with some minor changes.\r\nTrouerbach told BleepingComputer that there are minor changes to the new QakBot DLL, including using AES to decrypt\r\nstrings rather than XOR in the previous version.\r\nFurthermore, Trouerbach believes the new version is still being developed as it contains some unusual bugs.\r\nAs Trouerbach tweeted, after Emotet was disrupted by law enforcement in 2021, the threat actors attempted to revive their\r\nbotnet with little success.\r\nWhile it is too soon to tell if Qbot will have trouble regaining its former size, admins and users need to be on the lookout for\r\nreply-chain phishing emails that are commonly used to distribute the malware.\r\nWhat is the Qbot malware?\r\nQakBot, aka Qbot, started out as a banking trojan in 2008, with malware developers using it to steal banking credentials,\r\nwebsite cookies, and credit cards to commit financial fraud.\r\nOver time, the malware evolved into a malware delivery service, partnering with other threat actors to provide initial access\r\nto networks for conducting ransomware attacks, espionage, or data theft.\r\nQakbot is distributed through phishing campaigns that utilize a variety of lures, including reply-chain email attacks, which is\r\nwhen threat actors use a stolen email thread and then reply to it with their own message and an attached malicious\r\ndocument.\r\nThese emails typically include malicious documents as attachments or links to download malicious files that install the\r\nQakbot malware on a user's device.\r\nThese documents change between phishing campaigns and range from Word or Excel documents with malicious\r\nmacros, OneNote files with embedded files, to ISO attachments with executables and Windows shortcuts. Some of them are\r\nalso designed to exploit zero-day vulnerabilities in Windows.\r\nOnce installed, the malware will inject a DLL into a legitimate Windows process, such as wermgr.exe or AtBroker.exe, and\r\nquietly run in the background while deploying additional payloads.\r\nIn the past, Qakbot has partnered with multiple ransomware operations, including Conti, ProLock, Egregor, REvil,\r\nRansomExx, MegaCortex, and, most recently, Black Basta and BlackCat/ALPHV.\r\nSource: https://www.bleepingcomputer.com/news/security/qbot-malware-returns-in-campaign-targeting-hospitality-industry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/qbot-malware-returns-in-campaign-targeting-hospitality-industry/"
	],
	"report_names": [
		"qbot-malware-returns-in-campaign-targeting-hospitality-industry"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434077,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af9596059e47b61cc1b33efd711de5ae383287d0.pdf",
		"text": "https://archive.orkl.eu/af9596059e47b61cc1b33efd711de5ae383287d0.txt",
		"img": "https://archive.orkl.eu/af9596059e47b61cc1b33efd711de5ae383287d0.jpg"
	}
}