TA577, are a Russia-based threat group that have been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.
QakBot
QakBot, also known as QBot, QuackBot, and Pinkslipbot, is a long-running Windows malware family first observed in 2007.
Profile source: Mallory opens in a new tabQakBot
Family profile
QakBot, also known as QBot, QuackBot, and Pinkslipbot, is a long-running Windows malware family first observed in 2007. It began as a banking trojan focused on credential theft, keystroke capture, and financial fraud, and later evolved into a modular loader and intrusion-enablement platform used to deliver additional payloads, including ransomware. It has been associated with large-scale criminal operations and has been used by multiple threat actors and affiliate ecosystems as an initial access and post-compromise malware component.
QakBot is typically distributed through phishing-driven campaigns, including malicious attachments, hijacked email threads, fake or compromised websites, and HTML smuggling chains. Observed delivery patterns have included password-protected archives, disk-image containers, shortcut-based execution chains, and other user-assisted infection flows designed to evade perimeter inspection and Mark-of-the-Web protections.
On infected systems, QakBot employs extensive anti-analysis and defense-evasion measures. Reported behaviors include encrypted strings and configuration data, dynamic API resolution through hashing, sandbox and emulator checks, virtualization detection, process and module inspection for analyst tools, and security-product discovery. It can identify installed antivirus products and peripheral devices, gather detailed host profiling data, and use built-in Windows utilities and WMI for reconnaissance across the local system and domain environment.
QakBot supports persistence through mechanisms including registry-based autoruns and scheduled tasks, and it has stored configuration data in the Windows Registry. It is also capable of copying itself, relaunching in staged execution branches, and maintaining long-term access on compromised hosts. For execution and stealth, QakBot has used process injection and process hollowing into legitimate Windows binaries.
Operationally, QakBot functions as both an information stealer and a loader. It has been documented stealing sensitive data and credentials, capturing keystrokes, propagating within networks, and enabling remote code execution or operator-directed follow-on activity. Its command-and-control communications have used encrypted configurations and encrypted HTTP-based traffic. In later-stage intrusions, QakBot has been used to support broader criminal objectives such as lateral movement, network scanning, payload delivery, and ransomware deployment.
QakBot has been notably linked to cybercrime delivery ecosystems and has been delivered by or alongside other malware families and access operations. It has also been referenced in operations involving groups such as TA577 and in intrusion chains later associated with ransomware actors including Black Basta. Law-enforcement disruption in 2023 significantly impacted its operations, but QakBot remains one of the most widely recognized malware families in the banking-trojan-to-loader lineage.
Capabilities
- Credential Theft
- Defense Evasion
- Exfiltration
- Initial Access
- Keylogging
- Lateral Movement
- Persistence
- Post Exploitation
- Process Injection
- Reconnaissance
Reported operators
Threat actors
20 named in public reportingSince the Emotet takedown, Proofpoint observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks.
The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments.
Since the Emotet takedown, Proofpoint observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks.
The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments.
The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments.
September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.
September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.
September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.
September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.
September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.
In most of the attacks described in the report, the threat actor gained initial access to the victim network through Qbot/QakBot, a banking trojan that changed its role to distribute other malware, including ransomware strains ProLock, Egregor, and DoppelPaymer.
In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment.
QakBot (Qbot/Quakbot) continues to operate well after the FBI's August 2023 "Operation Duck Hunt" takedown. Campaign tchk08, first observed February 2024, delivers QakBot via an MSI installer masquerading as Adobe Acrobat.
“The presence of actors like Cortes, with ties to Qakbot, demonstrates how ransomware crews frequently outsource expertise, rely on external access brokers or pull in operators with malware-specific experience as needed.”
In March 2023, CTU researchers observed an intrusion deploying Clop ransomware stemming from a Qakbot infection...
"...QakBot infections have led to the deployment of ransomware, including Egregor, Maze, DoppelPaymer, MedusaLocker and ProLock."
"The threat actor gained initial access to the organization via Qakbot infection..."
Qbot affiliate id “partner01” is the primary payload dropped by Emotet seen almost daily.
“It also had a strong association with the Qakbot botnet, prior to its takedown in August 2023.”
Exploited software
Vulnerabilities linked to QakBot
6 CVEsMITRE ATT&CK
QakBot in ATT&CK
130 distinct techniquesTechniques
130 techniquesReporting
Research mentioning QakBot
TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development
A competitor killer feature Scans of /proc for memory signatures of Mirai, QBOT, Vamp, Anime and dvrHelper
Анализ вредоносных документов: макросы Office и PDF
Сильно повреждённые файлы или нестандартные контейнеры (например, password-protected ZIP с .doc внутри - типичный приём Qakbot) требуют предварительной распаковки вручную.
Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul
QakBot1
Hackers Use SystemBC Malware to Hide C2 Traffic and Maintain Persistent Access
The malware is frequently paired with loaders like Buer, QBot, and Emotet to gain initial access before SystemBC is deployed deeper.
Hunting HTML Smuggling with Velociraptor: Setting the Stage. Part 1 | by Rabbit Knight | Jun, 2026 | Medium
QakBot operators wrapped their initial access payloads in HTML smuggling files throughout 2022 and 2023.
Threat intelligence feeds: сравнение IOC-фидов для SOC
Feodo Tracker - C2-серверы банковских троянов и loader-ботнетов (исторически Dridex, Emotet, TrickBot, QakBot, BazarLoader; ряд семейств дисраптнут, но инфраструктура продолжает отслеживаться).
Introduction to COM usage by Windows threats
Qakbot, also known as Qbot or Pinkslipbot, is a long-running modular banking trojan that has been active since at least 2007 and evolved into a general-purpose malware delivery platform used by financially motivated actors.
From a VHDX File to a Remcos RAT - SANS Internet Storm Center
Using a disk image as a "malware container" has been used multiple times in the past[2] ... https://isc.sans.edu/diary/obama224+distribution+Qakbot+tries+vhd+virtual+hard+disk+images/29294