{
	"id": "6d0aee67-a6ab-43ee-a5fb-a72a17d3b3ac",
	"created_at": "2026-04-06T00:19:55.538628Z",
	"updated_at": "2026-04-10T03:21:51.25943Z",
	"deleted_at": null,
	"sha1_hash": "d974190532bd24f2b52773d11fe7f41d7f6f589b",
	"title": "QBot banker delivered through business correspondence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 557611,
	"plain_text": "QBot banker delivered through business correspondence\r\nBy Victoria Vlasova\r\nPublished: 2023-04-17 · Archived: 2026-04-05 19:47:02 UTC\r\nIn early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka\r\nQakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mail letters written in different\r\nlanguages — variations of them were coming in English, German, Italian, and French. The messages were based\r\non real business letters the attackers had gotten access to, which afforded them the opportunity to join the\r\ncorrespondence thread with messages of their own. As a general rule, such letters would be urging the\r\naddressee — under a plausible pretext — to open an enclosed PDF file. As an example, they could be asking to\r\nprovide all the documentation pertaining to the attached application or to calculate the contract value based on the\r\nattached cost estimate.\r\nExample of a forwarded letter containing a malicious attachment\r\nSuch simulated business correspondence can obstruct spam tracking while increasing the probability of the victim\r\nfalling for the trick. For authenticity, the attackers put the sender’s name from the previous letters in the ‘From’\r\nfield; however, the sender’s fraudulent e-mail address will be different from that of the real correspondent.\r\nA short look at QBot\r\nThe banking Trojan QBot was detected for the first time in 2007. Since then, it has gone through multiple\r\nmodifications and improvements to become one of the most actively spread malware in 2020. In 2021, we\r\npublished a detailed QBot technical analysis. Currently the banker keeps getting new functions and module\r\nupdates for increased effectiveness and profit.\r\nhttps://securelist.com/qbot-banker-business-correspondence/109535/\r\nPage 1 of 5\n\nQBot distribution methods have also evolved. Early on it was distributed through infected websites and pirated\r\nsoftware. 
Now the banker is delivered to potential victims through malware already residing on their computers, social engineering, and spam mailings.\r\nQBot infection chain\r\nNew QBot infection chain\r\nThe QBot malware delivery scheme begins with an e-mail letter being sent with a PDF file attached. The document’s content imitates a Microsoft Office 365 or Microsoft Azure alert advising the user to click Open to view the attached files. If the user complies, an archive will be downloaded from a remote server (a compromised site), protected with a password given in the original PDF file.\r\nExamples of PDF attachments\r\nIn the downloaded archive there is a .wsf (Windows Script File) file containing an obfuscated script written in JScript.\r\nObfuscated JScript\r\nAfter the WSF file is deobfuscated, its true payload is revealed: a PowerShell script encoded as a Base64 string.\r\nEncoded PowerShell script\r\nSo, as soon as the user opens the WSF file from the archive, the PowerShell script will be discreetly run on the computer and use wget to download a DLL file from a remote server. The library’s name is an automatically generated alphabetic sequence varying from one victim to another.\r\nDecoded PowerShell script\r\nThe PowerShell script will try in succession to download the file from each one of the URLs listed in the code. To figure out whether the download attempt was successful, the script will check the file size using the Get-Item command. If the file size is 100,000 bytes or more, the script will run the DLL with the help of rundll32. Otherwise, it will wait for four seconds before attempting to download the library using the next link down the list. 
The downloaded library is the Trojan known as QBot (detected as Trojan-Banker.Win32.Qbot.aiex).\r\nTechnical description of malicious DLL\r\nWe have analyzed the Qbot samples from the current e-mail campaign. The bot’s configuration block features the company name “obama249” and the time stamp “1680763529” (corresponding to April 6, 2023 6:45:29), as well as over a hundred IP addresses the bot will be using to connect to command servers. Most of these addresses belong to users whose infected systems provide an entry point into the chain used to redirect the botnet traffic to the real command servers.\r\nQbot’s functionality has hardly changed in the past couple of years. As before, the bot is capable of extracting passwords and cookies from browsers, stealing letters from your mailbox, intercepting traffic, and giving operators remote access to the infected system. Depending on the value of the victim, additional malware can be downloaded locally, such as CobaltStrike (to spread the infection through the corporate network) or various ransomware. Alternatively, the victim’s computer can be turned into a proxy server to facilitate redirection of traffic, including spam traffic.\r\nStatistics\r\nWe have analyzed the QBot attack statistics collected using Kaspersky Security Network (KSN). According to our data, the first letters with malicious PDF attachments began to arrive in the evening of April 4. The mass e-mail campaign began at 12:00 p.m. on the following day and continued until 9:00 p.m. During that time we detected an approximate total of 1,000 letters. The second upsurge began on April 6, again at noon, with over 1,500 letters dispatched to our customers this time. For the next few days new messages kept coming, and soon, on the evening of April 12, we discovered another upsurge with 2,000 more letters sent to our customers. 
After that, cybercriminal activity went down, but users still receive fraudulent messages.\r\nGeography of Qbot family attacks, April 1–11, 2023\r\nIn addition, we checked which countries were targeted by Qbot the most by relating the number of users attacked in a given country to the total number of users attacked worldwide. It turned out that the banking Trojan QBot was a more common issue for the residents of Germany (28.01%), Argentina (9.78%), and Italy (9.58%).\r\nQBot is a well-known malware. Kaspersky solutions for consumers and for business use a multi-layered approach, including Behavior Detection, to detect and block this threat, including the variant described in this article. All components of the attack are detected as HEUR:Trojan.PDF.QBot.gen, HEUR:Trojan.Script.Generic, Trojan-Banker.Win32.Qbot, HEUR:Trojan-Dropper.Script.Qbot.gen, and PDM:Trojan.Win32.Generic. Kaspersky solutions also detect and block most of the spam emails used in this attack.\r\nQbot indicators of compromise\r\nSource: 
https://securelist.com/qbot-banker-business-correspondence/109535/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/qbot-banker-business-correspondence/109535/"
	],
	"report_names": [
		"109535"
	],
	"threat_actors": [],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d974190532bd24f2b52773d11fe7f41d7f6f589b.pdf",
		"text": "https://archive.orkl.eu/d974190532bd24f2b52773d11fe7f41d7f6f589b.txt",
		"img": "https://archive.orkl.eu/d974190532bd24f2b52773d11fe7f41d7f6f589b.jpg"
	}
}