{
	"id": "3912d344-3ba1-409f-83c8-79d3d1fbd875",
	"created_at": "2026-04-06T00:21:39.713803Z",
	"updated_at": "2026-04-10T13:13:05.406692Z",
	"deleted_at": null,
	"sha1_hash": "b1c9c203625e6cddfd9670eaea202b36c6f653e0",
	"title": "Identification and Disruption of QakBot Infrastructure | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 213793,
	"plain_text": "Identification and Disruption of QakBot Infrastructure | CISA\r\nPublished: 2023-08-30 · Archived: 2026-04-05 22:31:33 UTC\r\nSUMMARY\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are\r\nreleasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise\r\n(IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners\r\nexecuted a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting\r\nQakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and\r\nQakBot command and control (C2) servers. The FBI is working closely with industry partners to share\r\ninformation about the malware to maximize detection, remediation, and prevention measures for network\r\ndefenders.\r\nCISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce\r\nthe likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and\r\nmalware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed\r\nmalware or ransomware on victim computers. If potential compromise is detected, administrators should apply the\r\nincident response recommendations included in this CSA and report key findings to a local FBI Field Office or\r\nCISA at cisa.gov/report.\r\nDownload the PDF version of this report:\r\nFor a downloadable copy of IOCs, see:\r\nTECHNICAL DETAILS\r\nOverview\r\nQakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware\r\ninfections globally. QakBot has been the precursor to a significant number of computer intrusions, including\r\nransomware and the compromise of user accounts within the Financial Sector. 
In existence since at least 2008,\r\nQakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal\r\necosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise;\r\nin most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the\r\nmalware, which would reside in memory once on the victim network.\r\nSince its inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware\r\nvariant that provides threat actors with a wide range of capabilities, including performing reconnaissance,\r\nengaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including\r\nransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a\r\nPage 1 of 9\n\nmodular nature. Access to QakBot-affected (victim) devices via compromised credentials is often sold to further\r\nthe goals of the threat actor who delivered QakBot.\r\nQakBot and affiliated variants have targeted the United States and other global infrastructures, including the\r\nFinancial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure\r\nSubsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section\r\nof this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced\r\nransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed\r\nmalware or ransomware on victim computers. 
If a potential compromise is detected, administrators should apply\r\nthe incident response recommendations included in this CSA and report key findings to CISA and FBI.\r\nQakBot Infrastructure\r\nQakBot’s modular structure allows for various malicious features, including process and web injection, victim\r\nnetwork enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1],\r\nBrute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black\r\nBasta[7], Royal[8], and PwndLocker.\r\nHistorically, QakBot’s C2 infrastructure relied heavily on hosting providers for its own infrastructure and\r\nmalicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not\r\ncooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows\r\nwere infected with QakBot—the botnet was controlled through three tiers of C2 servers.\r\nFigure 1: QakBot’s Tiered C2 Servers\r\nThe first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are\r\npromoted to Tier 1 “supernodes” by downloading an additional software module. These supernodes communicate\r\nwith the victim computers to relay commands and communications between the upstream C2 servers and the\r\ninfected computers. As of mid-June 2023, 853 supernodes that were active that month had been identified in 63\r\ncountries. The set of supernodes changes frequently, which helps QakBot evade detection by network\r\ndefenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay\r\ncommunications to the Tier 2 C2 servers, which serve as proxies to conceal the main C2 server. 
The Tier 3 server\r\ncontrols all of the bots.\r\nIndicators of Compromise\r\nFBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with QakBot\r\ninfections:\r\n1. QakBot sets up persistence via the Registry Run Key as needed. It deletes this value while running and\r\nre-creates it before the computer restarts, so a Run-key check on a live host may find nothing even on an\r\ninfected machine; check the on-disk folder and the configuration key in items 2 and 3 as well:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003crandom_string\u003e\r\n2. QakBot will also write its binary back to disk to maintain persistence in the following folder:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\\u003crandom_string\u003e\\\r\n3. QakBot will write an encrypted registry configuration detailing information about the bot to the following\r\nregistry key: HKEY_CURRENT_USER\\Software\\Microsoft\\\u003crandom_string\u003e\r\nIn addition, the below IP addresses were assessed to have been used to access victim computers. Organizations are\r\nencouraged to review any connections with these IP addresses, which could indicate a QakBot and/or\r\nfollow-on malware infection.\r\nDisclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these\r\nIP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been\r\nhistorically linked to QakBot. 
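The three host artefacts above and the IP list in Table 1 below can be checked with one small triage script. The following is an added example written for this page; it is not code from the CISA advisory. It parses a constructed excerpt of Table 1 (defanged with [.]), refangs the addresses, scans constructed firewall and proxy log lines for them, and flags HKCU Run values that launch a binary from the per-user AppData Roaming Microsoft persistence folder named in item 2. The log lines, the Run values, the user name jdoe and the folder and file names are all constructed for illustration; only the IP addresses and first-seen dates come from the advisory.

```python
import ipaddress
import re

# Constructed excerpt in the layout of Table 1 of the advisory (defanged with [.]).
# Only a handful of the published rows; a real run would paste the whole table.
IOC_TABLE = '''
85.14.243[.]111 April 2020
51.38.62[.]181 April 2021
188.127.243[.]130 September 2022
51.161.202[.]232 January 2023
95.211.172[.]6 Unknown
'''

# Constructed boundary-log lines (firewall and proxy), not from any real network.
BOUNDARY_LOGS = [
    '2023-06-14T09:12:03Z fw01 action=allow src=10.20.30.44 dst=85.14.243.111 proto=tcp dport=443',
    '2023-06-14T09:12:05Z fw01 action=allow src=10.20.30.44 dst=185.14.243.111 proto=tcp dport=443',
    '2023-06-14T09:13:41Z proxy01 GET http://95.211.172.6/t3 client=10.20.30.51 status=200',
    '2023-06-14T09:14:00Z fw01 action=allow src=10.20.30.60 dst=142.250.80.46 proto=tcp dport=443',
]

SEP = chr(92)  # Windows path separator, kept out of the string literals below


def win(*parts):
    # Join path components with the Windows separator (helper for the constructed samples).
    return SEP.join(parts)


# Constructed HKCU Run values as (value name, command); hypothetical user jdoe.
RUN_ENTRIES = [
    ('OneDrive', win('C:', 'Users', 'jdoe', 'AppData', 'Local', 'Microsoft', 'OneDrive', 'OneDrive.exe') + ' /background'),
    ('hkxqmt', 'regsvr32.exe -s ' + win('C:', 'Users', 'jdoe', 'AppData', 'Roaming', 'Microsoft', 'Vkqsztr', 'erfzdw.dll')),
]

# Dotted quad not embedded in a longer digit/dot run (so 185.14.243.111 never yields 85.14.243.111).
IPV4 = re.compile(r'(?<![0-9.])[0-9]{1,3}(?:[.][0-9]{1,3}){3}(?![0-9.])')

# A binary launched from the persistence folder of item 2: the user profile, then
# AppData/Roaming/Microsoft/<random>/<file>. Separators are normalised to / and the
# text lower-cased before matching, so the random folder name itself is not needed.
RUN_PATH = re.compile(r'c:/users/[^/]+/appdata/roaming/microsoft/[^/ ]+/[^/ ]+[.](?:exe|dll)')


def refang(token):
    # Undo common defanging so table values can be compared with live log data.
    return token.replace('[.]', '.').replace('(.)', '.').replace('{.}', '.')


def parse_ioc_table(text):
    # Returns {ip: first_seen} from rows shaped like '85.14.243[.]111 April 2020'.
    iocs = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        ip = refang(parts[0])
        try:
            ipaddress.ip_address(ip)  # drop header rows and typos instead of matching nothing silently
        except ValueError:
            continue
        iocs[ip] = parts[1].strip()
    return iocs


def scan_logs(lines, iocs):
    # One hit per (line number, IP) whose address is in the IOC set; first-seen is carried for triage.
    hits = []
    for n, line in enumerate(lines, 1):
        for token in IPV4.findall(line):
            if token in iocs:
                hits.append({'line': n, 'ip': token, 'first_seen': iocs[token], 'log': line})
    return hits


def suspicious_run_entry(command):
    # Return the normalised binary path if the Run command launches something from the
    # persistence folder, else None. Item 1 says the Run value is removed while the bot runs,
    # so apply the same check to a directory listing of AppData/Roaming/Microsoft on the host.
    match = RUN_PATH.search(command.replace(SEP, '/').lower())
    return match.group(0) if match else None


def triage(logs=BOUNDARY_LOGS, run_entries=RUN_ENTRIES, table=IOC_TABLE):
    # Combine the network and host checks into one report for the analyst.
    iocs = parse_ioc_table(table)
    host_hits = []
    for name, cmd in run_entries:
        path = suspicious_run_entry(cmd)
        if path:
            host_hits.append((name, path))
    return {'network_hits': scan_logs(logs, iocs), 'host_hits': host_hits}


if __name__ == '__main__':
    report = triage()
    for hit in report['network_hits']:
        print('line %d: %s (first seen %s)' % (hit['line'], hit['ip'], hit['first_seen']))
    for name, path in report['host_hits']:
        print('Run value %s launches %s' % (name, path))
```

Feed it exported boundary logs and a Run-key export from the hosts under review. An empty host result is not a clean bill of health, since the advisory notes the Run value is removed while the bot runs, and a hit on the IP list is a lead to vet, not an automatic block, as the disclaimer that follows says.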
FBI and CISA recommend these IP addresses be investigated or vetted by\r\norganizations prior to taking action, such as blocking.\r\nTable 1: IPs Affiliated with QakBot Infections\r\nIP Address First Seen\r\n85.14.243[.]111 April 2020\r\n51.38.62[.]181 April 2021\r\n51.38.62[.]182 December 2021\r\n185.4.67[.]6 April 2022\r\n62.141.42[.]36 April 2022\r\n87.117.247[.]41 May 2022\r\n89.163.212[.]111 May 2022\r\n193.29.187[.]57 May 2022\r\n193.201.9[.]93 June 2022\r\n94.198.50[.]147 August 2022\r\n94.198.50[.]210 August 2022\r\n188.127.243[.]130 September 2022\r\n188.127.243[.]133 September 2022\r\n94.198.51[.]202 October 2022\r\n188.127.242[.]119 November 2022\r\n188.127.242[.]178 November 2022\r\n87.117.247[.]41 December 2022\r\n190.2.143[.]38 December 2022\r\n51.161.202[.]232 January 2023\r\n51.195.49[.]228 January 2023\r\n188.127.243[.]148 January 2023\r\n23.236.181[.]102 Unknown\r\n45.84.224[.]23 Unknown\r\n46.151.30[.]109 Unknown\r\n94.103.85[.]86 Unknown\r\n94.198.53[.]17 Unknown\r\n95.211.95[.]14 Unknown\r\n95.211.172[.]6 Unknown\r\n95.211.172[.]7 Unknown\r\n95.211.172[.]86 Unknown\r\n95.211.172[.]108 Unknown\r\n95.211.172[.]109 Unknown\r\n95.211.198[.]177 Unknown\r\n95.211.250[.]97 Unknown\r\n95.211.250[.]98 Unknown\r\n95.211.250[.]117 Unknown\r\n185.81.114[.]188 Unknown\r\n188.127.243[.]145 Unknown\r\n188.127.243[.]147 Unknown\r\n188.127.243[.]193 Unknown\r\n188.241.58[.]140 Unknown\r\n193.29.187[.]41 Unknown\r\nOrganizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. 
Department of\r\nHealth \u0026 Human Services Cybersecurity Program for additional information.\r\nMITRE ATT\u0026CK TECHNIQUES\r\nFor detailed associated software descriptions, tactics used, and groups that have been observed using this\r\nsoftware, see MITRE ATT\u0026CK’s page on QakBot.[9]\r\nMITIGATIONS\r\nNote: For situational awareness, the following SHA-256 hash is associated with FBI’s QakBot uninstaller:\r\n7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117\r\nCISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of\r\nthe QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note:\r\nThese mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and\r\nthe National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and\r\nprotections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on\r\nexisting cybersecurity frameworks and guidance to protect against the most common and impactful threats and\r\nTTPs. 
Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including\r\nadditional recommended baseline protections.\r\nBest Practice Mitigation Recommendations\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and\r\nservers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud)\r\n[CPG 2.O, 2.R, 5.A].\r\nRequire all accounts with password logins (e.g., service accounts, admin accounts, and domain admin\r\naccounts) to comply with NIST’s standards when developing and managing password policies [CPG 2.B].\r\nThis includes:\r\nUse longer passwords consisting of at least 8 characters and no more than 64 characters in length;\r\nStore passwords in hashed format using industry-recognized password managers;\r\nAdd password user “salts” to shared login credentials;\r\nAvoid reusing passwords;\r\nImplement multiple failed login attempt account lockouts;\r\nDisable password “hints”;\r\nRefrain from requiring password changes more frequently than once per year.\r\nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent\r\npassword resets. Frequent password resets are more likely to result in users developing password\r\n“patterns” cyber criminals can easily decipher.\r\nRequire administrator credentials to install software.\r\nUse phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote\r\naccess and access to any sensitive data repositories. Implement phishing-resistant MFA for as many\r\nservices as possible—particularly for webmail and VPNs—for accounts that access critical systems and\r\nprivileged accounts that manage backups. MFA should also be used for remote logins. 
For additional\r\nguidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant\r\nMFA Factsheet.\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most\r\nefficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.\r\nPrioritize patching known exploited vulnerabilities of internet-facing systems [CPG 1.E]. CISA offers a\r\nrange of services at no cost, including scanning and testing to help organizations reduce exposure to threats\r\nvia mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second set of eyes on\r\norganizations’ internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the\r\nsubject line, “Requesting Cyber Hygiene Services” to get started.\r\nSegment networks to prevent the spread of ransomware. Network segmentation can help prevent the\r\nspread of ransomware by controlling traffic flows between—and access to—various subnetworks to restrict\r\nadversary lateral movement [CPG 2.F].\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated malware\r\nwith a networking monitoring tool. To aid in detecting the malware, implement a tool that logs and\r\nreports all network traffic, including lateral movement activity on a network. 
Endpoint detection and\r\nresponse (EDR) tools are particularly useful for detecting lateral connections as they have insight into\r\ncommon and uncommon network connections for each host [CPG 3.A].\r\nInstall, regularly update, and enable real time detection for antivirus software on all hosts.\r\nReview domain controllers, servers, workstations, and active directories for new and/or unrecognized\r\naccounts.\r\nAudit user accounts with administrative privileges and configure access controls according to the\r\nprinciple of least privilege [CPG 2.D, 2.E].\r\nDisable unused ports [CPG 2.V, 2.W, 2.X].\r\nConsider adding an email banner to emails received from outside your organization.\r\nDisable hyperlinks in received emails.\r\nImplement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time access method provisions privileged access when needed and can support enforcement of the\r\nprinciple of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy\r\nis set in place to automatically disable admin accounts at the Active Directory level when the account is not\r\nin direct need. Individual users may submit their requests through an automated process that grants them\r\naccess to a specified system for a set timeframe when they need to support the completion of a certain task\r\n[CPG 2.E].\r\nDisable command-line and scripting activities and permissions. Privilege escalation and lateral\r\nmovement often depend on software utilities running from the command line. If threat actors are not able\r\nto run these tools, they will have difficulty escalating privileges and/or moving laterally.\r\nPerform regular secure system backups and create known good copies of all device configurations for\r\nrepairs and/or restoration. 
Store copies off-network in physically secure locations and test regularly [CPG\r\n2.R].\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire\r\norganization’s data infrastructure.\r\nRansomware Guidance\r\nCISA.gov/stopransomware is a whole-of-government resource that serves as one central location for\r\nransomware resources and alerts.\r\nCISA, FBI, the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center\r\n(MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have\r\naccelerated their tactics and techniques since its initial release in 2020.\r\nCISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware\r\nReadiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a\r\nstep-by-step process to evaluate cybersecurity practices on their networks.\r\nVALIDATE SECURITY CONTROLS\r\nIn addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your\r\norganization's security program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise\r\nframework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to\r\nassess how they perform against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see MITRE ATT\u0026CK’s page on QakBot).[9]\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. 
Tune your security program, including people, processes, and technologies, based on the data generated by\r\nthis process.\r\nCISA and FBI recommend continually testing your security program, at scale, in a production environment to\r\nensure optimal performance against the MITRE ATT\u0026CK techniques.\r\nREPORTING\r\nFBI is seeking any information that can be shared, to include boundary logs showing communication to and from\r\nforeign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet\r\ninformation, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying\r\nransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden\r\nadversaries to target additional organizations, encourage other criminal actors to engage in the distribution of\r\nransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the\r\nransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at\r\ncisa.gov/report.\r\nRESOURCES\r\nHHS: Qbot/QakBot Malware\r\nCISA: CPGs\r\nNIST: 800-63B Digital Identity Guidelines\r\nCISA: MFA\r\nCISA: Implementing Phishing-Resistant MFA\r\nCISA: Known Exploited Vulnerabilities Catalog\r\nCISA: Cyber Hygiene\r\nCISA: Zero Trust\r\nCISA: #StopRansomware\r\nCISA: #StopRansomware Guide\r\nCISA: CSET Tool Sets Sights on Ransomware Threat\r\nREFERENCES\r\n1. MITRE: Cobalt Strike\r\n2. MITRE: Conti\r\n3. MITRE: ProLock\r\n4. MITRE: Egregor\r\n5. MITRE: REvil\r\n6. MITRE: MegaCortex\r\n7. MITRE: Black Basta\r\n8. MITRE: Royal\r\n9. MITRE: QakBot\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. 
CISA and FBI do not\r\nendorse any commercial entity, product, company, or service, including any entities, products, or services linked\r\nwithin this document. Any reference to specific commercial entities, products, processes, or services by service\r\nmark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or\r\nfavoring by CISA and FBI.\r\nVERSION HISTORY\r\nAugust 30, 2023: Initial version.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a"
	],
	"report_names": [
		"aa23-242a"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1c9c203625e6cddfd9670eaea202b36c6f653e0.pdf",
		"text": "https://archive.orkl.eu/b1c9c203625e6cddfd9670eaea202b36c6f653e0.txt",
		"img": "https://archive.orkl.eu/b1c9c203625e6cddfd9670eaea202b36c6f653e0.jpg"
	}
}