{
	"id": "efdd072e-2c28-47ad-ad15-28bdfcc81d88",
	"created_at": "2026-04-06T00:09:51.624016Z",
	"updated_at": "2026-04-10T13:12:55.682308Z",
	"deleted_at": null,
	"sha1_hash": "bc423417741e274163162fb880084872adfaf1ef",
	"title": "QAKBOT Loader Returns With New Techniques and Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 463865,
	"plain_text": "QAKBOT Loader Returns With New Techniques and Tools\r\nBy Ian Kenefick, Vladimir Kropotov\r\nPublished: 2021-11-13 · Archived: 2026-04-05 20:39:23 UTC\r\nMalware\r\nQAKBOT operators resumed email spam operations towards the end of September after an almost three-month hiatus. QAKBOT detection has become a precursor to many critical and widespread ransomware attacks. Our report shares some insight into the new techniques and tools this threat is using.\r\nBy: Ian Kenefick, Vladimir Kropotov Nov 13, 2021 Read time: 3 min (770 words)\r\nQAKBOT is a prevalent information-stealing malware that was first discovered in 2007. In recent years, its detection has become a precursor to many critical and widespread ransomware attacks. It has been identified as a key \"malware installation-as-a-service\" botnet that enables many of today’s campaigns.\r\nToward the end of September 2021, we noted that QAKBOT operators resumed email spam operations after an almost three-month hiatus. Specifically, we saw that the malware distributor “TR” was sending malicious spam leading victims to SquirrelWaffle (another malware loader) and QAKBOT. In early October, the same “TR” distributor was reportedly conducting brute-force attacks on Internet Message Access Protocol (IMAP) services, and there is also speculation from security researchers that “TR” uses ProxyLogon to acquire credentials for the attacks.\r\nThe actors using QAKBOT are leveraging hijacked email threads in their spam runs, a highly effective tactic that was used by groups such as Emotet in the past (hijacking an email thread means reviving an old thread with replies containing malware). Compromising IMAP services and email service providers (ESPs), or hijacking email threads, allows attackers to leverage the trust a potential victim has in people they have corresponded with before, and it also allows for the impersonation of a compromised organization. Indeed, intended targets will be much more likely to open emails from a recognized sender.\r\nUnlike the waves of QAKBOT that we observed in the weeks leading up to its June 2021 break, this most recent campaign uses Visual Basic for Applications (VBA) macros alongside Excel 4.0 macros. In the following, we dive into the tools and techniques of this new edition and include a thorough analysis of QAKBOT’s history and previous tactics in our technical brief.\r\nhttps://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html\r\nPage 1 of 5\r\nFigure 1. QAKBOT spam campaign activity from May 10, 2021 to October 25, 2021\r\nFigure 2. Hijacked email used by QAKBOT\r\nQAKBOT operators are a key enabler for ransomware attacks. Since 2019, infections have led to the eventual deployment of human-operated ransomware families (MegaCortex and PwndLocker in 2019, Egregor and ProLock in 2020, and Sodinokibi/REvil in 2021).\r\nIts reemergence in September is likely a signal of the initial infection of hosts. In the coming weeks, the operators might try to monetize some of these infections using ransomware. However, it is important to note that although QAKBOT activity is generally an initial investigation of targets by known malicious groups, not all QAKBOT infections will lead to serious ransomware incidents.\r\nHow does the newest version of QAKBOT operate with VBA macros?\r\nWhen a victim opens the malicious file in their spam email, an auto_open macro will try to create a new sheet and set the font color to white. Macros typically execute as soon as the victim opens the document and selects the “Enable Content” button. The macro then reads data embedded in a form control “UserForm1”, which is revealed to be the following:\r\nHard-coded QAKBOT payload hosts\r\nThe urlmon library\r\nFigure 3. Data embedded in the form\r\nThe macro then assigns the values to cells in “Sheet 5” and evaluates and concatenates the command to download the QAKBOT DLL from a remote host. The process chain has also been altered slightly, with regsvr32.exe using the -silent parameter instead of -s. The DLL download URL still uses now() to form the DLL name. The macro then deletes “Sheet5” when the document is closed.\r\nFigure 4. Process chain from the new QAKBOT sample\r\nFor persistence, QAKBOT uses the same scheduled task as it has in the past:\r\nFigure 5. The scheduled task QAKBOT uses for persistence\r\nSecurity recommendations\r\nThe constant resurgence of new, more sophisticated variants of known malware, as well as the emergence of entirely unknown threats, demands solutions with advanced detection and response capabilities. Users can protect themselves from new QAKBOT samples and other threats that spread through emails by following some of these best practices:\r\nAvoid downloading attachments or selecting embedded links from emails before verifying the sender and the content.\r\nHover the pointer above embedded links to show the link’s target.\r\nCheck the identity of the sender. Unfamiliar email addresses, mismatched email and sender names, and spoofed company emails are some of the signs that the sender has malicious intent.\r\nIf the email claims to come from a legitimate company, check if they sent it before taking any action.\r\nUsers can also protect systems through managed detection and response (MDR), which utilizes advanced artificial intelligence to correlate and prioritize threats, determining if they are part of a larger attack. It can detect threats before they are executed, thus preventing further compromise.\r\nFor more information about the QAKBOT threat, download our technical brief.\r\nSource: https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html"
	],
	"report_names": [
		"qakbot-loader-returns-with-new-techniques-and-tools.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434191,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc423417741e274163162fb880084872adfaf1ef.pdf",
		"text": "https://archive.orkl.eu/bc423417741e274163162fb880084872adfaf1ef.txt",
		"img": "https://archive.orkl.eu/bc423417741e274163162fb880084872adfaf1ef.jpg"
	}
}