QakBot Risk Actors Nonetheless in Motion, Utilizing Ransom Knight and Remcos RAT in Newest Assaults



Oct 05, 2023NewsroomRansomware / Malware


Regardless of the disruption to its infrastructure, the risk actors behind the QakBot malware have been linked to an ongoing phishing marketing campaign since early August 2023 that led to the supply of Ransom Knight (aka Cyclops) ransomware and Remcos RAT.

This means that “the legislation enforcement operation could not have impacted Qakbot operators’ spam supply infrastructure however relatively solely their command-and-control (C2) servers,” Cisco Talos researcher Guilherme Venere mentioned in a brand new report printed in the present day.

The exercise has been attributed with reasonable confidence by the cybersecurity agency to QakBot associates. There is no such thing as a proof up to now that the risk actors have resumed distributing the malware loader itself post-infrastructure takedown.


QakBot, additionally referred to as QBot and Pinkslipbot, originated as a Home windows-based banking trojan in 2007 and subsequently developed capabilities to ship further payloads, together with ransomware. In late August 2023, the infamous malware operation was dealt a blow as a part of an operation named Duck Hunt.

Ransom Knight and Remcos RAT

The newest exercise, which commenced simply earlier than the takedown, begins with a malicious LNK file doubtless distributed by way of phishing emails that, when launched, detonates the an infection and finally deploys the Ransom Knight ransomware, a current rebrand of the Cyclops ransomware-as-a-service (RaaS) scheme.

The ZIP archives containing the LNK recordsdata have additionally been noticed incorporating Excel add-in (.XLL) recordsdata to propagate the Remcos RAT, which facilitates persistent backdoor entry to the endpoints.


A few of the file names getting used within the marketing campaign are written in Italian, which suggests the attackers are concentrating on customers in that area.

“Although we’ve not seen the risk actors distributing Qakbot post-infrastructure takedown, we assess the malware will doubtless proceed to pose a big risk transferring ahead,” Venere mentioned.

“Given the operators stay lively, they might select to rebuild Qakbot infrastructure to completely resume their pre-takedown exercise.”

Discovered this text fascinating? Observe us on Twitter  and LinkedIn to learn extra unique content material we publish.


Supply hyperlink

What do you think?

Written by TechWithTrends

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings


Automate prior authorization utilizing CRD with CDS Hooks and AWS HealthLake


Report: Wholesome work cultures, understanding of person wants are key indicators of efficiency