{
	"id": "068e6ca1-6fa4-4308-9eb0-ed0fb3013cb4",
	"created_at": "2026-04-06T00:09:10.485173Z",
	"updated_at": "2026-04-10T03:20:44.589537Z",
	"deleted_at": null,
	"sha1_hash": "db4a5695f66fda5f56d43bdbd6145af1a460756b",
	"title": "QakBot Malware Bypass Windows Security Using Unpatched Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4708287,
	"plain_text": "QakBot Malware Bypass Windows Security Using Unpatched Vulnerability\r\nArchived: 2026-04-05 21:37:45 UTC\r\nExecutive Summary\r\nThis paper investigates a recent QakBot phishing campaign's ability to evade Mark-of-the-Web (MoTW) security features, allowing it to escape the designated security zone and successfully install malicious software on the victim device. Key observations:\r\nEclecticIQ analysts investigated QakBot phishing campaigns switching to a zero-day vulnerability to evade Windows Mark of the Web (MoTW). QakBot may be able to increase its infection success rate as a result of the switch to a zero-day exploit.\r\nThe threat actor distributes QakBot using phishing emails with a malicious URL inside.\r\nWhen a victim user clicks on the malicious URL, it starts to download an encrypted ZIP folder that contains an ISO image. If the ISO image is opened by the victim, it will be mounted as a disk and open another File Explorer window that contains the final QakBot Loader in JavaScript format, which can be executed by a simple user click.\r\nThe final QakBot Loader (WW.js) contains a malformed digital signature to evade the Mark of the Web (MoTW) security feature on Windows OS.\r\nEclecticIQ analysts observed that the use of zero-day vulnerabilities is increasing among non-nation state cyber criminals.\r\nhttps://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature\r\nPage 1 of 15\n\nLiving off the Land Binaries (LOLBINS) like Regsvr32.exe (2) and WScript.exe (3) are actively abused to execute QakBot malware.\r\nWhat is Mark of The Web (MoTW)?\r\nMark of the Web (MoTW) is used by Windows as a security feature across its product suite. 
This feature works by checking executable files downloaded by Windows users against a file whitelist. If the file is not on that list, Windows Defender SmartScreen will show a warning message like the image below and will not execute the malware:\r\nFigure 1 – Windows SmartScreen warning\r\nThe MS Office Protected View feature is used to protect MS Office users against potential malware in documents. Most of the MS Office file types flagged with MoTW will be opened in Protected View:\r\nFigure 2 – MS Office document opened in Protected View\r\nMS Office is able to block macro-enabled Office documents downloaded from the internet if the appropriate setting is enabled. Macros in MS Office files flagged with MoTW are disabled and a warning message is displayed to the user:\r\nFigure 3 – Macros blocked on downloaded Excel document\r\nWhen a Windows OS user downloads a file from the internet, Windows creates an Alternate Data Stream (ADS) named Zone.Identifier and adds a ZoneId to this ADS in order to indicate the zone from which the file originates. This is a proactive security feature against malicious files downloaded from untrusted sources. Many Windows security features such as Microsoft Office Protected View, SmartScreen, Smart App Control, and warning dialogs rely on the presence of the MoTW to function correctly.\r\nThe example image shows the details of the MoTW alternate data stream on a file downloaded from VirusTotal. The ZoneId is used to identify the zone a file came from; the following ZoneId values may be used in a Zone.Identifier ADS:\r\n1. Local computer\r\n2. Local intranet\r\n3. Trusted sites\r\n4. Internet\r\n5. 
Restricted sites\r\nFigure 4 – Extracting ZoneID ADS on downloaded file\r\nQakBot Campaign Observed Evading Windows Mark of the Web (MoTW)\r\nAt the beginning of November 2022, EclecticIQ analysts examined a recent campaign that delivers QakBot (also called Qbot) to victim devices via phishing emails, executes it by abusing multiple Living Off the Land Binaries (LOLBAS), and evades the Mark of the Web (MoTW) flag to increase the infection rate. QakBot has been observed as an initial access point for ransomware groups (4).\r\nThreat actors have used QakBot since 2007 (5) as a banking trojan to steal credit card information from victim devices. It evolved into initial access malware for remotely delivering additional malicious payloads. The Black Basta ransomware gang used QakBot to create an initial access point on the victim's device and move laterally within an organization's network to execute ransomware at the end of the kill chain.\r\nQakBot’s execution process is highlighted below:\r\nFigure 5 – QakBot Execution Flow\r\nFirst Stage: Phishing Emails Containing Malicious URLs Deliver QakBot Loader\r\nThe attack starts with a phishing email containing a malicious URL and a ZIP password for delivering the QakBot malware. Victims clicking on the URL download an encrypted ZIP folder which can be unzipped with the password provided by the attackers in the phishing email. 
The unzipped file contains a randomly named malicious ISO image. The ISO image contains the final QakBot loader in the form of a JavaScript file (WW.js), which is used to execute the QakBot DLL in the memory of wermgr.exe (a Windows error reporting process).\r\nFigure 6 – Example of phishing email delivering QakBot malware\r\nSecond Stage 2.1: In-Memory Execution of QakBot Malware via JavaScript Loader\r\nThe QakBot Loader can be executed by one of the most widely abused Living Off the Land Binaries and Scripts (LOLBAS), wscript.exe (3). Threat actors often abuse Windows built-in features to avoid detection. On Windows OS, a file with a JavaScript extension can be executed by a user click; upon execution it runs under the Windows built-in interpreter wscript.exe (3).\r\nFigure 7 – QakBot loader inside mounted ISO image\r\nThe QakBot Loader invokes the Regsvr32.exe (2) command line tool via an obfuscated string to evade antivirus detection. When a user clicks on WW.js, it will use Regsvr32.exe (2) to load the QakBot DLL, which is located under the port directory and is named resemblance.tmp.\r\nFigure 8 – QakBot Loader with malformed digital signature\r\nFigure 9 – resemblance.tmp contains an MZ magic header, marking it as an executable\r\nFigure 10 – Extracted malformed digital signature from JavaScript QakBot Loader\r\nSecond Stage 2.2: QakBot Loader Uses Malformed Digital Signature to Evade Mark of the Web (MoTW)\r\nOn November 3rd, researcher Will Dormann (6) identified three different methods for bypassing the MoTW feature. 
On November 8th, Microsoft released patches (CVE-2022-41049, CVE-2022-41091) (7) addressing two of the methods. The third method, using malformed digital signatures (CVE-2022-44698) (8), was patched on December 13 and is actively exploited in the wild.\r\nNormally, after executing the QakBot loader, Windows will display a warning message (see Figure 11) to prevent the execution. Because of the malformed digital signature, the loader bypasses the Mark of the Web (MoTW) flag, and execution proceeds without a Windows warning pop-up message.\r\nFigure 11 – Mark of the Web (MoTW) in action\r\nFigure 12 – Downloaded JavaScript file from untrusted URL automatically flagged by MoTW\r\nThird Stage: QakBot Uses Multiple Techniques to Evade Anti-Malware Scanners\r\nIn the next stage of the attack, QakBot injects itself into the legitimate Windows Error Reporting process (wermgr.exe) to evade behavior-based anti-malware solutions.\r\nFigure 13 – Injected QakBot DLL\r\nMore information about the Living Off the Land Binaries Regsvr32.exe and WScript.exe can be found via the links below.\r\nRegsvr32.exe (2)\r\nWScript.exe (3)\r\nFigure 14 – Process injection on wermgr.exe and LOLBAS observed in process tree\r\nQakBot uses Windows API hashing (dynamic API resolution) to evade signature-based anti-malware scanners. It hides the content of the import address table by using XOR-encrypted API hashes computed with the CRC32 algorithm. The pictures below show the decompiled functions used to perform API 
hashing:\r\nFigure 15 – XOR-encrypted API hashing\r\nEclecticIQ analysts extracted the XOR key that is used to decrypt the API hashes at execution time and used this key to decrypt other APIs for further analysis.\r\nFigure 16 – XOR encryption key stored as a static value to decrypt the API hash\r\nQakBot also uses the XOR encryption algorithm to hide its strings in order to minimize AV detection. Figure 10 shows that the encrypted strings are stored in the .rdata section. They are decrypted at run time.\r\nFigure 17 – XOR-encrypted strings hidden inside the .rdata section\r\nEclecticIQ analysts successfully decrypted the XOR-encrypted strings used by QakBot. The decrypted strings are used by QakBot for testing the internet connection of the victim device, conducting a sandbox check, gaining persistence on the victim device by abusing Scheduled Tasks, and gathering victim computer information upon the attacker’s request through a command-and-control (C2) server.\r\nFigure 18 – Decrypted strings from QakBot malware\r\nFourth Stage: Command and Control (C2) Connection\r\nAfter successful execution, QakBot checks its internet connectivity and will send multiple POST requests to its C2 servers.\r\nQakBot checks internet availability on the victim's device:\r\nFigure 19 – QakBot malware checking internet availability\r\nThe C2 protocol uses JSON object encapsulation with an RC4-encrypted message which is encoded with Base64.\r\nFigure 20 – QakBot performs command and control connections\r\nRaw example of an HTTP POST request sent by QakBot to its C2:\r\nMITRE ATT\u0026CK\r\nTechnique Name 
TTP ID\r\nUser Execution: Malicious Link T1204.001\r\nSystem Binary Proxy Execution: Regsvr32 T1218.010\r\nCommand and Scripting Interpreter: JavaScript T1059.007\r\nPhishing: Spearphishing Link T1566.002\r\nApplication Layer Protocol: Web Protocols T1071.001\r\nProcess Injection: Process Hollowing T1055.012\r\nObfuscated Files or Information T1027\r\nObfuscated Files or Information: Dynamic API Resolution T1027.007\r\nSystem Information Discovery T1082\r\nScheduled Task/Job: Scheduled Task T1053.005\r\nVirtualization/Sandbox Evasion: System Checks T1497.001\r\nWindows Management Instrumentation T1047\r\nIndicators:\r\nFile Name SHA 256 Hash\r\nresemblance.tmp 8ca16991684f7384c12b6622b8d1bcd23bc27f186f499c2059770ddd3031f274\r\nUY76.img 26f5bc698dfec8e771b781dc19941e2d657eb87fe8669e1f75d9e5a1bb4db1db\r\nWW.js c5df8f8328103380943d8ead5345ca9fe8a9d495634db53cf9ea3266e353a3b1\r\nInjected-QakBot-dll 6fb41b33304b65e6e35f04e8cc70f7a24cd36e29bbb97266de68afcf113f9a5f\r\nAbout EclecticIQ Intelligence \u0026 Research Team\r\nEclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence \u0026 Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.\r\nWe would love to hear from you. 
Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.\r\nStructured Data\r\nFind the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.\r\nTAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery\r\nPlease refer to our support page for guidance on how to access the feeds.\r\nAppendix\r\n1. https://asec.ahnlab.com/en/41889/\r\n2. https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/\r\n3. https://lolbas-project.github.io/lolbas/Binaries/Wscript/\r\n4. https://www.darkreading.com/threat-intelligence/black-basta-gang-deploys-qakbot-malware-cyber-campaign\r\n5. https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot\r\n6. https://twitter.com/wdormann/status/1588020965271035904\r\n7. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41091\r\n8. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44698\r\n9. https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware/\r\n10. https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/\r\nSource: https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature"
	],
	"report_names": [
		"qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature"
	],
	"threat_actors": [],
	"ts_created_at": 1775434150,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db4a5695f66fda5f56d43bdbd6145af1a460756b.pdf",
		"text": "https://archive.orkl.eu/db4a5695f66fda5f56d43bdbd6145af1a460756b.txt",
		"img": "https://archive.orkl.eu/db4a5695f66fda5f56d43bdbd6145af1a460756b.jpg"
	}
}