{
	"id": "7e89958e-09a2-43e0-a407-bd29a37c3e8a",
	"created_at": "2026-04-06T00:16:37.406691Z",
	"updated_at": "2026-04-10T03:21:50.320765Z",
	"deleted_at": null,
	"sha1_hash": "f1ea3c30935d7106bfe1cc5a8187015bfeec3c76",
	"title": "QBot malware abuses Windows WordPad EXE to infect devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1701116,
	"plain_text": "QBot malware abuses Windows WordPad EXE to infect devices\r\nBy Lawrence Abrams\r\nPublished: 2023-05-27 · Archived: 2026-04-05 14:07:03 UTC\r\nThe QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect\r\ncomputers, using the legitimate program to evade detection by security software.\r\nA DLL is a library file containing functions that can be used by more than one program at the same time. When an\r\napplication is launched, it will attempt to load any required DLLs.\r\nIt does this by searching through specific Windows folders for the DLL and, when found, loads it. However, Windows\r\napplications will prioritize DLLs in the same folder as the executable, loading them before all others.\r\nhttps://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nDLL hijacking is when a threat actor creates a malicious DLL of the same name as a legitimate one, and places it in the early\r\nWindows search path, usually the same folder as the executable. When that executable is launched, it will load the malware\r\nDLL rather than the legitimate one and execute any malicious commands within it.\r\nQBot abuses WordPad DLL hijacking flaw\r\nQBot, also known as Qakbot, is a Windows malware that initially started as a banking trojan but evolved into a malware\r\ndropper. 
Ransomware gangs, including Black Basta, Egregor, and Prolock, have partnered with the malware operation to\r\ngain initial access to corporate networks to conduct extortion attacks.\r\nSecurity researcher and Cryptolaemus member ProxyLife told BleepingComputer that a new QBot phishing campaign began\r\nabusing a DLL hijacking vulnerability in the Windows 10 WordPad executable, write.exe.\r\nWhile BleepingComputer has not seen the original phishing emails, ProxyLife told us they contain a link to download a file.\r\nWhen a person clicks on the link, a randomly named ZIP archive will be downloaded from a remote host.\r\nThis ZIP file contains two files: document.exe (the Windows 10 WordPad executable) and a DLL file\r\nnamed edputil.dll (used for the DLL hijack).\r\nContents of the downloaded ZIP file\r\nSource: BleepingComputer\r\nAs you can see from the properties of the document.exe file, it is simply a renamed copy of the legitimate Write.exe\r\nexecutable used to launch the Windows 10 WordPad document editor.\r\nRenamed Windows 10 WordPad executable\r\nSource: BleepingComputer\r\nWhen document.exe is launched, it automatically attempts to load a legitimate DLL file called edputil.dll, which is normally\r\nlocated in the C:\\Windows\\System32 folder. 
\r\nHowever, when the executable attempts to load edputil.dll, it does not check for it in a specific folder and will load any DLL\r\nof the same name found in the same folder as the document.exe executable.\r\nThis allows the threat actors to perform DLL hijacking by creating a malicious version of the edputil.dll DLL and storing it\r\nin the same folder as document.exe so it is loaded instead.\r\nOnce the DLL is loaded, ProxyLife told BleepingComputer that the malware uses C:\\Windows\\system32\\curl.exe to\r\ndownload a DLL camouflaged as a PNG file from a remote host.\r\nThis PNG file (actually a DLL) is then executed using rundll32.exe with the following command:\r\nrundll32 c:\\users\\public\\default.png,print\r\nQBot will now quietly run in the background, stealing emails for use in further phishing attacks and eventually downloading\r\nother payloads, such as Cobalt Strike (a post-exploitation toolkit threat actors use to gain initial access to the infected\r\ndevice).\r\nThis device will then be used as a foothold to spread laterally throughout the network, commonly leading to corporate data\r\ntheft and ransomware attacks.\r\nBy installing QBot through a trusted program like the Windows 10 WordPad (write.exe), the threat actors hope security\r\nsoftware will not flag the malware as malicious.\r\nHowever, using curl.exe means that this infection method will only work on Windows 10 and later, as earlier operating\r\nsystem versions do not include the Curl program.\r\nFor the most part, this should not be an issue, as older versions of Windows have been phased out after reaching the end of\r\nsupport.\r\nAt this time, the QBot operation has moved on to other infection methods in recent weeks, but it is not uncommon for them\r\nto switch to previous tactics in later campaigns.\r\nSource: https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/"
	],
	"report_names": [
		"qbot-malware-abuses-windows-wordpad-exe-to-infect-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434597,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1ea3c30935d7106bfe1cc5a8187015bfeec3c76.pdf",
		"text": "https://archive.orkl.eu/f1ea3c30935d7106bfe1cc5a8187015bfeec3c76.txt",
		"img": "https://archive.orkl.eu/f1ea3c30935d7106bfe1cc5a8187015bfeec3c76.jpg"
	}
}