Skip to content
Malware family Windows

QakBot

QakBot, also known as QBot, QuackBot, and Pinkslipbot, is a long-running Windows malware family first observed in 2007.

Profile source: Mallory opens in a new tab

QakBot

Family profile

QakBot, also known as QBot, QuackBot, and Pinkslipbot, is a long-running Windows malware family first observed in 2007. It began as a banking trojan focused on credential theft, keystroke capture, and financial fraud, and later evolved into a modular loader and intrusion-enablement platform used to deliver additional payloads, including ransomware. It has been associated with large-scale criminal operations and has been used by multiple threat actors and affiliate ecosystems as an initial access and post-compromise malware component.

QakBot is typically distributed through phishing-driven campaigns, including malicious attachments, hijacked email threads, fake or compromised websites, and HTML smuggling chains. Observed delivery patterns have included password-protected archives, disk-image containers, shortcut-based execution chains, and other user-assisted infection flows designed to evade perimeter inspection and Mark-of-the-Web protections.

On infected systems, QakBot employs extensive anti-analysis and defense-evasion measures. Reported behaviors include encrypted strings and configuration data, dynamic API resolution through hashing, sandbox and emulator checks, virtualization detection, process and module inspection for analyst tools, and security-product discovery. It can identify installed antivirus products and peripheral devices, gather detailed host profiling data, and use built-in Windows utilities and WMI for reconnaissance across the local system and domain environment.

QakBot supports persistence through mechanisms including registry-based autoruns and scheduled tasks, and it has stored configuration data in the Windows Registry. It is also capable of copying itself, relaunching in staged execution branches, and maintaining long-term access on compromised hosts. For execution and stealth, QakBot has used process injection and process hollowing into legitimate Windows binaries.

Operationally, QakBot functions as both an information stealer and a loader. It has been documented stealing sensitive data and credentials, capturing keystrokes, propagating within networks, and enabling remote code execution or operator-directed follow-on activity. Its command-and-control communications have used encrypted configurations and encrypted HTTP-based traffic. In later-stage intrusions, QakBot has been used to support broader criminal objectives such as lateral movement, network scanning, payload delivery, and ransomware deployment.

QakBot has been notably linked to cybercrime delivery ecosystems and has been delivered by or alongside other malware families and access operations. It has also been referenced in operations involving groups such as TA577 and in intrusion chains later associated with ransomware actors including Black Basta. Law-enforcement disruption in 2023 significantly impacted its operations, but QakBot remains one of the most widely recognized malware families in the banking-trojan-to-loader lineage.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Initial Access
  • Keylogging
  • Lateral Movement
  • Persistence
  • Post Exploitation
  • Process Injection
  • Reconnaissance

Reported operators

Threat actors

20 named in public reporting
TA577

TA577, are a Russia-based threat group that have been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.

TA570

Since the Emotet takedown, Proofpoint observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks.

UNC4393

The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments.

TA551

Since the Emotet takedown, Proofpoint observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks.

UNC2633

The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments.

UNC2500

The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments.

DEV-0450

September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.

DEV-0506

September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.

DEV-0464

September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.

DEV-0826

September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.

DEV-0216

September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.

Lockean

In most of the attacks described in the report, the threat actor gained initial access to the victim network through Qbot/QakBot, a banking trojan that changed its role to distribute other malware, including ransomware strains ProLock, Egregor, and DoppelPaymer.

Storm-1811

In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment.

VortexWerewolf

QakBot (Qbot/Quakbot) continues to operate well after the FBI's August 2023 "Operation Duck Hunt" takedown. Campaign tchk08, first observed February 2024, delivers QakBot via an MSI installer masquerading as Adobe Acrobat.

BlackBasta

“The presence of actors like Cortes, with ties to Qakbot, demonstrates how ransomware crews frequently outsource expertise, rely on external access brokers or pull in operators with malware-specific experience as needed.”

FIN7

In March 2023, CTU researchers observed an intrusion deploying Clop ransomware stemming from a Qakbot infection...

MALLARD SPIDER

"...QakBot infections have led to the deployment of ransomware, including Egregor, Maze, DoppelPaymer, MedusaLocker and ProLock."

Storm-0506

"The threat actor gained initial access to the organization via Qakbot infection..."

TA542

Qbot affiliate id “partner01” is the primary payload dropped by Emotet seen almost daily.

Cardinal

“It also had a strong association with the Qakbot botnet, prior to its takedown in August 2023.”

Exploited software

Vulnerabilities linked to QakBot

6 CVEs

MITRE ATT&CK

QakBot in ATT&CK

130 distinct techniques

Techniques

130 techniques
T1057 Process Discovery T1562 Impair Defenses T1082 System Information Discovery T1112 Modify Registry T1518.001 Security Software Discovery T1565 Data Manipulation T1547.001 Registry Run Keys / Startup Folder T1120 Peripheral Device Discovery T1110 Brute Force T1566 Phishing T1105 Ingress Tool Transfer T1012 Query Registry T1027.007 Dynamic API Resolution T1018 Remote System Discovery T1083 File and Directory Discovery T1047 Windows Management Instrumentation T1059.001 PowerShell T1140 Deobfuscate/Decode Files or Information T1027 Obfuscated Files or Information T1135 Network Share Discovery T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment T1053.005 Scheduled Task T1518 Software Discovery T1016 System Network Configuration Discovery T1055 Process Injection T1041 Exfiltration Over C2 Channel T1497 Virtualization/Sandbox Evasion T1189 Drive-by Compromise T1046 Network Service Discovery T1497.001 System Checks T1482 Domain Trust Discovery T1071.001 Web Protocols T1036 Masquerading T1055.012 Process Hollowing T1033 System Owner/User Discovery T1547.009 Shortcut Modification T1059.005 Visual Basic T1219 Remote Access Tools T1573 Encrypted Channel T1027.006 HTML Smuggling T1204.002 Malicious File T1059 Command and Scripting Interpreter T1564 Hide Artifacts T1218.011 Rundll32 T1027.005 Indicator Removal from Tools T1566.003 Spearphishing via Service T1027.002 Software Packing T1620 Reflective Code Loading T1071 Application Layer Protocol T1580 Cloud Infrastructure Discovery T1021.002 SMB/Windows Admin Shares T1543.003 Windows Service T1564.001 Hidden Files and Directories T1560 Archive Collected Data T1574.001 DLL T1656 Impersonation T1053 Scheduled Task/Job T1566.002 Spearphishing Link T1218.010 Regsvr32 T1569.002 Service Execution T1074 Data Staged T1132 Data Encoding T1090.003 Multi-hop Proxy T1555.003 Credentials from Web Browsers T1005 Data from Local System T1547 Boot or Logon Autostart Execution T1555 Credentials from Password Stores T1185 Browser Session Hijacking T1059.007 JavaScript T1114 Email Collection T1070.004 File Deletion T1564.004 NTFS File Attributes T1003 OS Credential Dumping T1070 Indicator Removal T1027.009 Embedded Payloads T1649 Steal or Forge Authentication Certificates T1204 User Execution T1498 Network Denial of Service T1496 Resource Hijacking T1021 Remote Services T1090 Proxy T1562.004 Disable or Modify System Firewall T1498.001 Direct Network Flood T1568.002 Domain Generation Algorithms T1557 Adversary-in-the-Middle T1056.001 Keylogging T1568.001 Fast Flux DNS T1049 System Network Connections Discovery T1069.001 Local Groups T1204.001 Malicious Link T1486 Data Encrypted for Impact T1558 Steal or Forge Kerberos Tickets T1570 Lateral Tool Transfer T1622 Debugger Evasion T1068 Exploitation for Privilege Escalation T1553.002 Code Signing T1562.006 Indicator Blocking T1090.002 External Proxy T1583.003 Virtual Private Server T1036.005 Match Legitimate Resource Name or Location T1489 Service Stop T1218.007 Msiexec T1568 Dynamic Resolution T1584 Compromise Infrastructure T1584.005 Botnet T1106 Native API T1016.001 Internet Connection Discovery T1014 Rootkit T1036.008 Masquerade File Type T1539 Steal Web Session Cookie T1027.010 Command Obfuscation T1203 Exploitation for Client Execution T1572 Protocol Tunneling T1027.011 Fileless Storage T1210 Exploitation of Remote Services T1497.003 Time Based Checks T1114.001 Local Email Collection T1010 Application Window Discovery T1553.005 Mark-of-the-Web Bypass T1562.001 Disable or Modify Tools T1074.001 Local Data Staging T1027.001 Binary Padding T1095 Non-Application Layer Protocol T1091 Replication Through Removable Media T1124 System Time Discovery T1573.001 Symmetric Cryptography T1132.001 Standard Encoding T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol T1036.003 Rename Legitimate Utilities

Reporting

Research mentioning QakBot

Jul 15
Palo Alto Networks Unit 42

TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development

A competitor killer feature Scans of /proc for memory signatures of Mirai, QBOT, Vamp, Anime and dvrHelper

Jul 7
Codeby

Анализ вредоносных документов: макросы Office и PDF

Сильно повреждённые файлы или нестандартные контейнеры (например, password-protected ZIP с .doc внутри - типичный приём Qakbot) требуют предварительной распаковки вручную.

Jul 7
Gurucul Threat Research

Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul

QakBot1

Jun 30
Cyber Security News

Hackers Use SystemBC Malware to Hide C2 Traffic and Maintain Persistent Access

The malware is frequently paired with loaders like Buer, QBot, and Emotet to gain initial access before SystemBC is deployed deeper.

Jun 27
Medium Rabbit Knight

Hunting HTML Smuggling with Velociraptor: Setting the Stage. Part 1 | by Rabbit Knight | Jun, 2026 | Medium

QakBot operators wrapped their initial access payloads in HTML smuggling files throughout 2022 and 2023.

Jun 26
Codeby

Threat intelligence feeds: сравнение IOC-фидов для SOC

Feodo Tracker - C2-серверы банковских троянов и loader-ботнетов (исторически Dridex, Emotet, TrickBot, QakBot, BazarLoader; ряд семейств дисраптнут, но инфраструктура продолжает отслеживаться).

Jun 25
Talosintelligence Other

Introduction to COM usage by Windows threats

Qakbot, also known as Qbot or Pinkslipbot, is a long-running modular banking trojan that has been active since at least 2007 and evolved into a general-purpose malware delivery platform used by financially motivated actors.

Jun 16
Sans Isc

From a VHDX File to a Remcos RAT - SANS Internet Storm Center

Using a disk image as a "malware container" has been used multiple times in the past[2] ... https://isc.sans.edu/diary/obama224+distribution+Qakbot+tries+vhd+virtual+hard+disk+images/29294

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.