{ "id": "6d41d1ae-42c1-4220-80fb-714c431dc1bb", "created_at": "2026-04-06T00:19:41.9063Z", "updated_at": "2026-04-10T03:23:51.586116Z", "deleted_at": null, "sha1_hash": "f83d889973326e38052c9f243975c2d0ec9bd2eb", "title": "Qbot malware switches to new Windows Installer infection vector", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1628494, "plain_text": "Qbot malware switches to new Windows Installer infection vector\r\nBy Sergiu Gatlan\r\nPublished: 2022-04-11 · Archived: 2026-04-05 16:44:35 UTC\r\nThe Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments\r\ncontaining malicious MSI Windows Installer packages.\r\nThis is the first time the Qbot operators are using this tactic, switching from their standard way of delivering the malware via\r\nphishing emails dropping Microsoft Office documents with malicious macros on targets' devices.\r\nSecurity researchers suspect this move might be a direct reaction to Microsoft announcing plans to kill malware delivery via\r\nVBA Office macros in February after disabling Excel 4.0 (XLM) macros by default in January.\r\nhttps://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nMicrosoft has begun rolling out the VBA macro autoblock feature to Office for Windows users in early April 2022, starting\r\nwith Version 2203 in the Current Channel (Preview) and to other release channels and older versions later.\r\n\"Despite the varying email methods attackers are using to deliver Qakbot, these campaigns have in common their use of\r\nmalicious macros in Office documents, specifically Excel 4.0 macros,\" Microsoft said in December.\r\n\"It should be noted that while threats use Excel 4.0 macros as an attempt to evade detection, this feature is now disabled by\r\ndefault and thus requires users to enable it manually for such threats to execute properly.\"\r\nThis is a significant security improvement towards protecting Office customers since using malicious VBA macros\r\nembedded in Office documents is a prevalent method to push a large assortment of malware strains in phishing attacks,\r\nincluding Qbot, Emotet, TrickBot, and Dridex.\r\nWhat is Qbot?\r\nQbot (also known as Qakbot, Quakbot, and Pinkslipbot) is a modular Windows banking trojan with worm features used\r\nsince at least 2007 to steal banking credentials, personal information, and financial data, as well as to drop backdoors on\r\ncompromised computers and deploy Cobalt Strike beacons.\r\nThis malware is also known for infecting other devices on a compromised network using network share exploits and highly\r\naggressive brute-force attacks targeting Active Directory admin accounts.\r\nAlthough active for over a decade, the Qbot malware has been primarily used in highly targeted attacks against corporate\r\nentities since they provide a higher return on investment.\r\nMultiple ransomware gangs, including REvil, Egregor, ProLock, PwndLocker, and MegaCortex, have also used Qbot to\r\nbreach corporate networks.\r\nSince Qbot infections can lead to dangerous infections and highly disruptive attacks, IT admins and security professionals\r\nneed to become familiar with this malware, the tactics it's using to spread throughout a network, and those used by the\r\nbotnet operators to deliver it to new targets.\r\nA Microsoft report from December 2021 captured the versatility of Qbot attacks, making it harder to evaluate the scope of\r\nits infections accurately.\r\nhttps://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/\r\nhttps://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/" ], "report_names": [ "qbot-malware-switches-to-new-windows-installer-infection-vector" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434781, "ts_updated_at": 1775791431, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f83d889973326e38052c9f243975c2d0ec9bd2eb.pdf", "text": "https://archive.orkl.eu/f83d889973326e38052c9f243975c2d0ec9bd2eb.txt", "img": "https://archive.orkl.eu/f83d889973326e38052c9f243975c2d0ec9bd2eb.jpg" } }