{
	"id": "c2f96511-5d30-4324-80dd-66d8afe6fa25",
	"created_at": "2026-04-06T02:11:07.817885Z",
	"updated_at": "2026-04-10T03:20:20.263179Z",
	"deleted_at": null,
	"sha1_hash": "fe99a75722e34f69de33eccdc9731c44609f13b0",
	"title": "Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49538,
	"plain_text": "Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks\r\nBy Laurie Iacono, Cole Manaster\r\nPublished: 2020-06-04 · Archived: 2026-04-06 01:59:22 UTC\r\nKroll identified a growing trend in Qakbot (also known as Qbot) cases targeting and exfiltrating locally stored emails to commit a sophisticated phishing method known as email thread hijacking. This increase, combined with intelligence gathered by Kroll and analysts from the National Cyber-Forensics and Training Alliance (NCFTA), suggests the attacks are part of an ongoing campaign to steal financial data from multiple industries including media, education and academia.\r\nThis new tactic of exfiltrating emails opens Qakbot victims up to multiple issues:\r\nFirst, if the exfiltrated emails contain sensitive customer or patient data, there could be costly notice obligations to disclose the leaked data.\r\nSecond, similar to how Emotet acts as a dropper for Ryuk ransomware, recent news indicates that Qakbot is being used as a point of entry by the operators of ProLock ransomware, meaning that users falling for these sophisticated phishing lures risk encrypting their entire networks.\r\nEmail thread hijacking occurs when cyber criminals respond to or forward legacy email threads with new phishing lures. Even though the threads may originate from a compromised user account or an actor-controlled system, by leveraging existing email threads and adding a malicious link or attachment, these messages help threat actors evade phishing detection software such as antivirus or spam filters. In addition, because these threads appear to come from a trusted sender, others are more likely to click on the message, thereby exponentially spreading the infection.\r\nIn this flood of recent incidents, Kroll observed the attackers scraping and exfiltrating locally stored emails to an actor-controlled system where the actor can continue to hijack email threads even after leaving the compromised network.\r\nIn one instance, a company approached Kroll stating that they were receiving suspicious emails from one of their subsidiaries. Upon further inspection, Kroll learned that an employee using their work computer had clicked on a malicious link from their personal email account that downloaded a Qakbot dropper. From that initial compromise, the malware scraped thousands of emails and contacts across multiple users.\r\nThe Evolution of Qakbot\r\nBanking trojan Qakbot has been active for over a decade. Like other trojans, it is most well-known for targeting banking customer information. Its repertoire of malicious behavior includes:\r\nOnline banking and website credential theft\r\nhttps://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks\r\nPage 1 of 4\r\nWindows account credential theft\r\nKeyloggers\r\nAuthentication cookie grabber\r\nBrute force attacks\r\nHooking onto running processes\r\nWorm-like behavior to propagate through and persist within an infected network\r\nIn the spring of 2019, multiple outlets reported on a massive Qakbot campaign which included the new tactic of email thread hijacking. After these public reports, the group appeared to go on a brief hiatus through late 2019. This new campaign shows efforts to strengthen the malware and cause even more damage by stealing emails and potentially sensitive data. Such tactics mean that Qakbot victims could now be subject to notification requirements around leaked data.\r\nKroll Observations: Anatomy of a Qakbot Email Hijack\r\nInitial Compromise: Malicious attachment from a phishing email.\r\nExecution: Visual Basic script execution which drops and executes a malicious file.\r\nEvasion: One of the tell-tale indicators of Qakbot: the original malicious executable is overwritten with the legitimate Microsoft calculator executable calc.exe.\r\nPersistence: Series of automated installation and processes such as establishing folders within the infected user directory and persistent scheduled tasks within user and system registry hives.\r\nCollection: New folders are populated with individual email messages and aggregated text files containing additional contact details. The naming convention for this maliciously created folder contains the host name of the infected system, the name of the infected user and a UNIX-formatted timestamp:\r\nC:\\Users\\\u003cuser\u003e\\EmailStorage_\u003chostname\u003e_\u003cusername\u003e_\u003ctimestamp\u003e\r\nWithin the root of this new folder, the malware generates a text file named “collector_log.txt” which contains a record of the malware’s enumeration and exfiltration process. This file provides insight into the malicious process, including the names of the email folders which it is enumerating as well as a purported total number of emails the malware was able to successfully collect and exfiltrate.\r\nA review of recent Qakbot cases identified the following:\r\nEmails dating more than three years prior to malware execution have been included in the collected EmailStorage folder, meaning that there may not be a date limit for the email enumerator.\r\nThere is a lack of keywords or other limiting pattern by which specific email messages in local mailboxes were targeted for exfiltration.\r\nKroll has identified instances where specific email messages were deleted within the EmailStorage folder.\r\nIn some instances, the entire EmailStorage folder is deleted once messages have all been exfiltrated.\r\nBased on observed cases, there was no evidence that attachments were included in the collected data.\r\nKroll collaborators at the National Cyber Forensics Training Alliance (NCFTA) observed Qakbot samples sending SMTP traffic indicative of outbound spam thread hijackings.\r\nMitigating the Risks of Phishing via Email Thread Hijacking\r\nAs mentioned by Devon Ackerman, Managing Director in our Cyber Risk practice, in a previous article on banking trojans, employee education and awareness is still key for defense.\r\nUpdate Phishing Training Materials\r\nStandard phishing training should include steps to educate staff on email thread hijacking and build a healthy dose of skepticism to help minimize the chances of users clicking on links and attachments when they receive new replies to historical email threads.\r\nGauge the Effectiveness of Training Programs\r\nIncorporate social engineering exercises, such as simulated phishing attacks, as part of regularly scheduled security checks.\r\nAdditionally, it’s important to highlight that traditional antivirus solutions have historically proved ineffective against trojans like Qakbot. It’s crucial to implement a robust endpoint detection solution that can monitor suspicious activity and behaviors.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks"
	],
	"report_names": [
		"qakbot-malware-exfiltrating-emails-thread-hijacking-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775441467,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe99a75722e34f69de33eccdc9731c44609f13b0.pdf",
		"text": "https://archive.orkl.eu/fe99a75722e34f69de33eccdc9731c44609f13b0.txt",
		"img": "https://archive.orkl.eu/fe99a75722e34f69de33eccdc9731c44609f13b0.jpg"
	}
}