{
	"id": "160b9dc4-e9d4-4fb4-8720-a5a61fc5f966",
	"created_at": "2026-04-06T00:12:53.706922Z",
	"updated_at": "2026-04-10T03:23:51.130167Z",
	"deleted_at": null,
	"sha1_hash": "e65bb210bbc1b2b294908f5c0e4b6027545df77b",
	"title": "New QBot email attacks use PDF and WSF combo to install malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2428282,
	"plain_text": "New QBot email attacks use PDF and WSF combo to install malware\r\nBy Lawrence Abrams\r\nPublished: 2023-04-17 · Archived: 2026-04-05 13:09:20 UTC\r\nQBot malware is now distributed in phishing campaigns utilizing PDFs and Windows Script Files (WSF) to infect Windows\r\ndevices.\r\nQbot (aka QakBot) is a former banking trojan that evolved into malware that provides initial access to corporate networks\r\nfor other threat actors. This initial access is done by dropping additional payloads, such as Cobalt Strike, Brute Ratel,\r\nand other malware that allows other threat actors to access the compromised device.\r\nUsing this access, the threat actors spread laterally through a network, stealing data and eventually deploying ransomware in\r\nextortion attacks.\r\nhttps://www.bleepingcomputer.com/news/security/new-qbot-email-attacks-use-pdf-and-wsf-combo-to-install-malware/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-qbot-email-attacks-use-pdf-and-wsf-combo-to-install-malware/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nStarting this month, security researcher ProxyLife and the Cryptolaemus group have been chronicling Qbot's use of a new\r\nemail distribution method — PDF attachments that download Windows Script Files to install Qbot on victim's devices.\r\nIt starts with an email\r\nQBot is currently being distributed through reply-chain phishing emails, when threat actors use stolen email exchanges and\r\nthen reply to them with links to malware or malicious attachments.\r\nThe use of reply-chain emails is an attempt to make a phishing email less suspicious as its a reply to an ongoing\r\nconversation.\r\nThe phishing emails use a variety of languages, marking this as a worldwide malware distribution campaign.\r\nQBot phishing email\r\nSource: BleepingComputer\r\nAttached to these emails is a PDF file named 'CancelationLetter-[number].pdf ,' that, when opened, displays a message\r\nstating, \"This document 
contains protected files, to display them, click on the \"open\" button.\"\r\nHowever, when the button is clicked, a ZIP file that contains a Windows Script (wsf) file will be downloaded instead.\r\nPDF document used to distribute malicious WSF files\r\nSource: BleepingComputer\r\nA Windows Script File ends with a .wsf extension and can contain a mixture of JScript and VBScript code that is executed\r\nwhen the file is double-clicked.\r\nThe WSF file used in the QBot malware distribution campaign is heavily obfuscated, with the ultimate goal of executing a\r\nPowerShell script on the computer.\r\nMalicious WSF file distributed by QBot PDF files\r\nSource: BleepingComputer\r\nThe PowerShell script that is executed by the WSF file attempts to download a DLL from a list of URLs. Each URL is tried\r\nuntil the file is successfully downloaded to the %TEMP% folder and executed.\r\nPowerShell script executed by the WSF file\r\nSource: BleepingComputer\r\nWhen the QBot DLL is executed, it will run the PING command to determine if there is an internet connection. 
The\r\nmalware will then inject itself into the legitimate Windows wermgr.exe (Windows Error Manager) program, where it will\r\nquietly run in the background.\r\nQBot malware injected into the memory of the Wermgr.exe process\r\nSource: BleepingComputer\r\nQBot malware infections can lead to devastating attacks on corporate networks, making it vital to understand how the\r\nmalware is being distributed.\r\nRansomware affiliates linked to multiple Ransomware-as-a-Service (RaaS) operations, including BlackBasta, REvil,\r\nPwndLocker, Egregor, ProLock, and MegaCortex, have used Qbot for initial access into corporate networks.\r\nResearchers at The DFIR Report have shown that it only takes around 30 minutes for QBot to steal sensitive data after the\r\ninitial infection. Even worse, malicious activity only takes an hour to spread to adjacent workstations.\r\nTherefore, if a device becomes infected with QBot, it is critical to take the system offline as soon as possible and perform a\r\ncomplete evaluation of the network for unusual behavior.\r\nSource: https://www.bleepingcomputer.com/news/security/new-qbot-email-attacks-use-pdf-and-wsf-combo-to-install-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-qbot-email-attacks-use-pdf-and-wsf-combo-to-install-malware/"
	],
	"report_names": [
		"new-qbot-email-attacks-use-pdf-and-wsf-combo-to-install-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e65bb210bbc1b2b294908f5c0e4b6027545df77b.pdf",
		"text": "https://archive.orkl.eu/e65bb210bbc1b2b294908f5c0e4b6027545df77b.txt",
		"img": "https://archive.orkl.eu/e65bb210bbc1b2b294908f5c0e4b6027545df77b.jpg"
	}
}