{
	"id": "24ceb8ce-8c5d-4fc3-8353-7008749373b1",
	"created_at": "2026-04-06T00:06:36.011974Z",
	"updated_at": "2026-04-10T03:21:17.60288Z",
	"deleted_at": null,
	"sha1_hash": "b629622cd74b77ce052cb58ab7f3d880ca4acefa",
	"title": "Emotet botnet is now heavily spreading QakBot malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 643664,
	"plain_text": "Emotet botnet is now heavily spreading QakBot malware\r\nBy Ionut Ilascu\r\nPublished: 2020-07-21 · Archived: 2026-04-05 14:39:01 UTC\r\nResearchers tracking the Emotet botnet noticed that the malware started to push the QakBot banking trojan at an unusually high\r\nrate, replacing the longtime TrickBot payload.\r\nLast week, Emotet came back to life after a break of more than five months. Starting yesterday, the malspam operation\r\nbriefly began installing TrickBot on compromised Windows systems again.\r\nThings changed today when researchers noticed that Emotet was dropping QakBot. A string in the malware indicates that\r\nthis trojan is now the partner of choice for the Emotet botnet.\r\nFull distribution\r\nCryptolaemus, a group of researchers and system administrators united to fight Emotet operations, saw\r\ntoday that the threat actor replaced TrickBot distribution across all epochs.\r\nAn Emotet epoch is a subgroup of the botnet running on a distinct infrastructure. Currently, there are three of them, each\r\nwith separate command and control servers, distribution methods, and payloads.\r\nSpeaking to BleepingComputer, Cryptolaemus said that they saw QakBot distributed all across the Emotet botnet, with TrickBot\r\nbeing completely absent.\r\nSecurity researcher Bom caught a QakBot (QBot) malware sample and fed it to the Any.Run interactive analysis tool. The\r\nresults are available at this link.\r\nA list with the addresses for the command and control servers (C2) is available here.\r\nAdditional analysis from cybercrime intelligence company Intel 471 revealed that the string for identifying this QBot\r\ncampaign is “partner01,” suggesting a strong connection between Emotet and these threat actors.\r\nHowever, speculating on a falling-out between Emotet and TrickBot is premature, as the relationship between the operators of these\r\ntwo threats is not exclusive. Cryptolaemus said that a change in the delivered payload has happened in the past and that the\r\noriginal duo is very likely to resume activity.\r\nThis does not occur too often, though. For instance, Emotet was seen delivering QakBot last year.\r\nTrickBot and QakBot are the preferred partners for Emotet. All three actors are part of the same Russian-speaking\r\ncommunity and have been interacting for a long time.\r\nIt is unclear what QakBot drops on infected systems, but some victims may get ransomware as a special delivery, ProLock in\r\nparticular.\r\nFor updates on indicators of compromise and C2 addresses used in Emotet campaigns, you can follow the Cryptolaemus\r\nTwitter profile.\r\nEven if there is a different payload, Emotet still relies on emails for malware distribution, with the threat delivered via a\r\nmalicious document.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-botnet-is-now-heavily-spreading-qakbot-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-botnet-is-now-heavily-spreading-qakbot-malware/"
	],
	"report_names": [
		"emotet-botnet-is-now-heavily-spreading-qakbot-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b629622cd74b77ce052cb58ab7f3d880ca4acefa.pdf",
		"text": "https://archive.orkl.eu/b629622cd74b77ce052cb58ab7f3d880ca4acefa.txt",
		"img": "https://archive.orkl.eu/b629622cd74b77ce052cb58ab7f3d880ca4acefa.jpg"
	}
}