{
	"id": "6e06b433-e176-4648-980a-310f615372dd",
	"created_at": "2026-04-06T01:31:46.143194Z",
	"updated_at": "2026-04-10T03:24:24.339212Z",
	"deleted_at": null,
	"sha1_hash": "f34201bbbb1e43cd641a8356973c67ccd6b59bd7",
	"title": "Qbot malware switched to stealthy new Windows autostart method",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1861720,
	"plain_text": "Qbot malware switched to stealthy new Windows autostart method\r\nBy Sergiu Gatlan\r\nPublished: 2020-12-09 · Archived: 2026-04-06 01:03:11 UTC\r\nA new Qbot malware version activates its persistence mechanism right before an infected Windows device shuts down and\r\nautomatically removes any trace of it when the system restarts or wakes up from sleep.\r\nQbot (also known as Qakbot, Quakbot, and Pinkslipbot) is a Windows banking trojan with worm features, active since at\r\nleast 2009 and used to steal banking credentials, personal information, and financial data.\r\nThe malware has also been used for logging user keystrokes, for dropping backdoors on compromised computers, and to\r\ndeploy Cobalt Strike beacons used by ransomware operators to deliver ProLock and Egregor ransomware payloads.\r\nhttps://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-stealthy-new-windows-autostart-method/\r\nIn recent campaigns, Qbot victims have been infected using phishing emails featuring Excel document attachments\r\npretending to be DocuSign documents.\r\nSwitching to a stealthier persistence mechanism\r\nStarting with November 24, when Binary Defense threat researcher James Quinn says the new Qbot version was first\r\nspotted, the malware has used a newer and stealthier persistence mechanism that takes advantage of system shutdown and\r\nresume messages to toggle persistence on infected devices. 
\r\nThis tactic is effective enough that some researchers initially concluded that the Qbot trojan had dropped Run key\r\npersistence altogether.\r\n\"While initial reports by other researchers had stated that the Run key persistence mechanism was removed in the new\r\nversion of Qakbot, it has instead been added to a more stealthy and interesting persistence mechanism that listens for System\r\nShutdown Messages, along with PowerBroadcast Suspend/Resume messages,\" Quinn explains.\r\nQbot Window message listener (Binary Defense)\r\nThe trojan adds a Run key value to the registry of the infected system so that it starts automatically at the next login, then\r\ntries to remove that value as soon as the user powers the computer back on or wakes it from sleep, so that anti-malware\r\nsolutions and security researchers never find the key on a running system.\r\nWhat makes the technique stealthy is the timing of the registry write. The malware only adds the Run key when the system is\r\nabout to sleep or shut down, and so close to the event that \"security products don’t have a chance to detect and report on the\r\nnew run key.\"\r\nOnce it is launched again at wake-up or login, Qbot makes several attempts to delete the persistence key. Because the value\r\nname is randomly generated on each infected system, it cannot look the entry up by name; instead it attempts \"to delete any run\r\nkeys with value data matching\" its own path.\r\nQbot Run key persistence mechanism (Binary Defense)\r\nWhile this method of gaining persistence is new for Qbot, other malware, including the Gozi and Dridex banking trojans, has\r\nused similar techniques to evade detection in the past.\r\n\"It looks like the two malware families have a similar mechanism in that they are both listening for the\r\nWM_QUERYENDSESSION and WM_ENDSESSION 
messages to detect when the user logs off, but the new version of\r\nQakbot is going further by also looking for power events such as WM_POWERBROADCAST and PBT_APMSUSPEND to\r\ninstall its hooks when the system is suspended, too,\" Binary Defense threat team senior director Randy Pargman told\r\nBleepingComputer.\r\nInstallation and config changes\r\nQbot's installation technique has also been updated in this version: it uses a new DLL architecture that combines the\r\nmalware loader and the bot within a single DLL.\r\nPreviously the loader evaded automated malware sandboxes by keeping all the malicious code in a separate DllRegisterServer\r\ncomponent and only calling it via regsvr32.exe or rundll32.exe when certain command-line arguments were supplied.\r\nThe new version simplifies this by dropping the command-line arguments and instead injecting the bot code into newly created\r\nprocesses.\r\n\"Removing the command line switches and analysis checks through new process creation (while still keeping many of the\r\nanti-analysis/anti-sandbox checks), the new loader’s installation mechanism only occurs after the bot has been injected into\r\nexplorer.exe,\" Quinn adds.\r\nQbot has also moved from the .dat configuration and log files it previously stored on victims' disks to an encrypted\r\nconfiguration kept in the registry.
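\r\nThe shutdown/resume toggle described above leaves only a narrow detection window: a Run-key audit of a running infected host comes back clean, because the value exists only between the shutdown (or suspend) message and the next start. The Python below is an added example, not code from the article or from Binary Defense. It correlates registry telemetry with power and session events to catch that pattern: a Run value written seconds before a shutdown or suspend and deleted again after the following logon or resume. The four-field log format, the SID, the value names, the file paths and the timestamps are all constructed for the example. The article does not say which hive Qbot writes to, so the check matches any value under a CurrentVersion Run key in any hive, and it tracks the value path and its data rather than the value name, since the name is random on each host.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The registry separator is built from its code point so this sample contains
# no backslash escape sequences; the paths below are otherwise ordinary.
SEP = chr(92)
RUN_KEY = SEP.join(['Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Run'])


def p(*parts):
    # Join path components with the Windows separator.
    return SEP.join(parts)


@dataclass
class Event:
    ts: datetime
    kind: str         # reg_set | reg_delete | shutdown | suspend | resume | logon
    target: str = ''  # registry value path (reg_set / reg_delete)
    data: str = ''    # value data for reg_set, i.e. the autostart command line


def parse_line(line):
    # Constructed format "ts|kind|target|data", modelled loosely on Sysmon
    # SetValue/DeleteValue events plus power and session events. Not a real export.
    parts = line.split('|') + ['', '']
    return Event(datetime.strptime(parts[0], '%Y-%m-%dT%H:%M:%S'), parts[1], parts[2], parts[3])


def under_run_key(target):
    # True for any value directly under a ...CurrentVersion\Run key, whatever the hive.
    return (SEP + RUN_KEY + SEP).lower() in target.lower()


def find_transient_run_values(lines, window=timedelta(seconds=10)):
    # Flag Run values written within `window` before a shutdown/suspend, and note
    # whether the same value was deleted after the following resume/logon.
    # A deletion after wake-up is the full toggle; a write alone is a warning.
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    alerts = []
    for i, e in enumerate(events):
        if e.kind != 'reg_set' or not under_run_key(e.target):
            continue
        trigger = next((x for x in events[i + 1:]
                        if x.kind in ('shutdown', 'suspend') and x.ts - e.ts <= window), None)
        if trigger is None:
            continue  # ordinary Run-key install; not the toggle pattern
        wake = next((x for x in events if x.ts > trigger.ts and x.kind in ('resume', 'logon')), None)
        removed = wake is not None and any(
            x.kind == 'reg_delete' and x.ts >= wake.ts and x.target.lower() == e.target.lower()
            for x in events)
        alerts.append({
            'value': e.target,
            'command': e.data,
            'seconds_before_power_event': (trigger.ts - e.ts).total_seconds(),
            'power_event': trigger.kind,
            'removed_after_wake': removed,
            'severity': 'high' if removed else 'medium',
        })
    return alerts


# Constructed timeline (hypothetical SID, names and paths), not captured telemetry.
HOST_HIVE = p('HKU', 'S-1-5-21-1111-2222-3333-1001', RUN_KEY)
QBOT_CMD = p('C:', 'Users', 'alice', 'AppData', 'Roaming', 'Microsoft', 'Ejsla', 'ktvm.exe')
LEGIT_CMD = p('C:', 'Program Files', 'OneDrive', 'OneDrive.exe')

SAMPLE_LOG = [
    '2020-12-01T09:02:10|logon',
    '2020-12-01T09:05:00|reg_set|' + p(HOST_HIVE, 'OneDrive') + '|' + LEGIT_CMD,
    '2020-12-01T17:59:58|reg_set|' + p(HOST_HIVE, 'ktvm') + '|' + QBOT_CMD,
    '2020-12-01T18:00:00|shutdown',
    '2020-12-02T08:30:00|logon',
    '2020-12-02T08:30:03|reg_delete|' + p(HOST_HIVE, 'ktvm'),
]

if __name__ == '__main__':
    for alert in find_transient_run_values(SAMPLE_LOG):
        print(alert)
```

To use it against real data, convert Sysmon registry events for Run keys (event ID 13 for value set, 12 for value delete) and the System log's shutdown, sleep and resume records into the same four-field lines. The normal OneDrive entry in the sample is not flagged because no power event follows it within the window; the ktvm entry, written two seconds before shutdown and deleted three seconds after the next logon, is reported as high severity.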
\r\nSource: https://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-stealthy-new-windows-autostart-method/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-stealthy-new-windows-autostart-method/"
	],
	"report_names": [
		"qbot-malware-switched-to-stealthy-new-windows-autostart-method"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439106,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f34201bbbb1e43cd641a8356973c67ccd6b59bd7.pdf",
		"text": "https://archive.orkl.eu/f34201bbbb1e43cd641a8356973c67ccd6b59bd7.txt",
		"img": "https://archive.orkl.eu/f34201bbbb1e43cd641a8356973c67ccd6b59bd7.jpg"
	}
}