{
	"id": "b7314fe1-f76e-460c-a2ed-97febc12ee9b",
	"created_at": "2026-04-06T00:16:16.604161Z",
	"updated_at": "2026-04-10T03:20:42.397681Z",
	"deleted_at": null,
	"sha1_hash": "f38a79d23a7a9e7da9c192fabf4bbc53620854d9",
	"title": "QBot Malware Detection: Old Dog New Tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39885,
	"plain_text": "QBot Malware Detection: Old Dog New Tricks\r\nBy Alla Yurchenko\r\nPublished: 2022-02-16 · Archived: 2026-04-05 21:52:22 UTC\r\nYou can’t teach an old dog new tricks. Yet cybercriminals ignore common stereotypes, updating QBot with new nefarious tricks to attack victims globally. This malware “veteran” emerged back in 2007, yet security researchers observe QBot being constantly updated to ride the wave of malicious trends.\r\nFor instance, security researchers observe QBot maintainers increasingly abusing LOLBins (Living Off the Land Binaries). In particular, a common LOLBin is Regsvr32.exe: threat actors utilize this command-line utility to plant trojans like Lokibot and QBot in a victim’s system. This approach creates a lucrative environment for the operation’s success, given that Regsvr32.exe is a tool used within multiple routine processes.\r\nQBot Attacks\r\nQBot (QakBot, QuakBot, also Pinkslipbot) first surfaced in the late 2000s. For about 15 years, the trojan has been causing headaches, with the cybercrooks behind it faithfully coming up with innovative ways of carrying out their malicious activity.\r\nOver the last few years, the QBot malware has grown into a wide-ranging Windows malware family, mostly utilized in phishing campaigns. It enables hackers to steal bank and Windows domain credentials, infect other machines, and provide ransomware groups with remote access. According to current data, QBot was employed as a delivery agent for ransomware to acquire initial access to corporate networks by such notorious gangs as REvil, PwndLocker, Egregor, ProLock, and MegaCortex.\r\nQBot Infection Chain\r\nTypically, QBot infections stem from another malware infestation or, most commonly, a phishing attack. QBot targets devices running Windows, employing phishing emails as an initial point of access and exploiting vulnerabilities in a system’s default applications like Microsoft’s email client, Outlook. Today, equipped with a module that reads email threads, hackers behind QBot have reached new heights in making bogus emails seem more legitimate to their victims. QBot phishing attacks rely on a vast repertoire of lures, such as sham invoices, payment reminders, banking information, job offers, scanned documents, virus detection warnings, and disturbing COVID-19 alerts, pushing a recipient to open the infected file and enable embedded macro code.\r\nIn the current campaigns, QBot operators deliver malicious Word, Excel, RTF, and composite documents. When a victim opens a document, it fuels the QBot infection’s spread. The initial QBot DLL loader is downloaded, and the QBot process uses a Windows scheduled task to elevate its level of access to the system. In as little as 30 minutes, the entire victim’s system is raided.\r\nPreventing the QBot\r\nQBot has been on the cybersecurity radar for more than 15 years now, earning itself the notorious rank of a seasoned malware old-timer, distributed via email. In light of a growing number of email phishing campaigns, Microsoft announced a default change for five Office applications that run macros, i.e., to block internet-obtained VBA macros, effective April 2022.\r\nThe above solution will hopefully become a giant security leap for Windows-operated devices. In the meantime, detection rules by Nattatorn Chuensangarun help security professionals to expose the latest QBot attacks against the organization’s network:\r\nQbot Malware collects browser information (via process_creation)\r\nQbot Malware use REG Process to Defense Evasion (via process_creation)\r\nQbot Malware use msra Process to Privilege Escalation (via process_creation)\r\nThe full list of detections in the Threat Detection Marketplace repository of the SOC Prime platform is available here.\r\nSign up for free at SOC Prime’s Detection as Code platform to make threat detection easier, faster, and more efficient with the industry’s best practices and shared expertise. The platform also enables SOC professionals to share detection content of their creation, participate in top-tier initiatives, and monetize the input.\r\nSource: https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/"
	],
	"report_names": [
		"qbot-malware-detection-old-dog-new-tricks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f38a79d23a7a9e7da9c192fabf4bbc53620854d9.pdf",
		"text": "https://archive.orkl.eu/f38a79d23a7a9e7da9c192fabf4bbc53620854d9.txt",
		"img": "https://archive.orkl.eu/f38a79d23a7a9e7da9c192fabf4bbc53620854d9.jpg"
	}
}