Qakbot’s back: FBI takedown, just 3 months to crack!

December 19, 2023
1 min read

Multiple sources have confirmed the resurgence of the Qakbot malware, just months after the FBI and other law enforcement agencies shut down the Windows botnet. Microsoft Threat Intelligence believes a new Qakbot phishing campaign was launched on December 11, targeting the hospitality sector with phishing emails containing malicious PDF attachments that look like they come from the US Internal Revenue Service (IRS). Researchers have found that the same PDF template was used by operators of the Pikabot malware. Qakbot is associated with attacks from the group known as TA577. Clicking on the button in the PDF leads to the download and installation of Qakbot. The new version of the malware has a 64-bit architecture and uses AES for network encryption.

The takedown of the Qakbot botnet in August was described by the FBI as “the most significant technological and financial operation ever led by the Department of Justice against a botnet.” However, Qakbot’s quick return highlights the difficulty of tackling cybercrime, especially without making arrests. Security experts emphasize the need for organizations to remain vigilant, implement robust cybersecurity measures, and educate employees about the risks associated with phishing emails and other cyber threats.

Qakbot’s revival is similar to what happened with Emotet, another botnet that was taken down by law enforcement but resurfaced later. Emotet became the number-one malware in operation again within a year of its takedown. However, since 2022, Emotet has become less active, with periods of inactivity and silence. Researchers speculate that Qakbot’s ongoing activity may mirror what happened with Emotet, taking time to fully die off. While Qakbot’s operations have been disrupted by the takedown, it may require rebuilding efforts by the threat actors to regain its previous activity levels.

Overall, the resurgence of Qakbot highlights the challenges in dealing with cybercriminals and the need for constant vigilance and cybersecurity measures to combat malware attacks.

Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and