QakBot malware resurfaces with new tactics aimed at the hospitality sector


A new wave of phishing messages spreading QakBot malware has been spotted, a little more than three months after law enforcement dismantled the botnet's infrastructure by infiltrating its command-and-control (C2) network.

Microsoft, which made the discovery, described it as a low-volume campaign that started on December 11, 2023 and targeted the hospitality industry.

“Targets received a PDF from a user posing as an IRS employee,” the tech giant said in a series of posts shared on X (formerly Twitter).

“The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Running the MSI resulted in Qakbot being invoked using export ‘hvsi’ execution of an embedded DLL.”

Microsoft said the payload was generated on the same day the campaign started and was configured with a previously unseen version number, 0x500.
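The chain Microsoft describes (PDF lure, signed MSI, embedded DLL invoked by the export name ‘hvsi’) gives defenders one concrete, low-cost hunt: look for a DLL being called by that export name, and raise confidence when the call sits under an msiexec.exe parent. The example below is added here and is not code from the article, Microsoft or Zscaler. It assumes, and labels as assumptions, that the export is invoked through rundll32.exe (the article only says the MSI executed an embedded DLL via that export; other loaders are possible) and a hypothetical process-creation event shape; the events it runs over are constructed, not real telemetry.

```python
"""Added example: hunt constructed process-creation events for a DLL invoked
by export name 'hvsi', as reported for the December 2023 QakBot campaign.

Assumptions (not from the article): the loader is rundll32.exe and the
event fields (pid, ppid, image, cmdline) mirror a typical EDR/Sysmon
ProcessCreate record. The sample events are constructed for this example.
"""
import re
from dataclasses import dataclass

# Export name reported by Microsoft for the December 2023 campaign.
EXPORT_NAME = "hvsi"

# rundll32 <dll>,<export> (comma form only; the space-separated form
# is not handled here).  Case-insensitive, optional quotes around the path.
RUNDLL_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # full command line


def dll_export_call(cmdline):
    """Return (dll_path, export_name) if the command line is a rundll32
    export invocation, else None."""
    m = RUNDLL_EXPORT.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def ancestry(events_by_pid, pid, depth=5):
    """Walk parent links upward and return the image basenames, nearest
    parent first; stops at an unknown pid or after `depth` hops."""
    chain = []
    while pid in events_by_pid and depth > 0:
        ev = events_by_pid[pid]
        chain.append(ev.image.lower().rsplit("\\", 1)[-1])
        pid = ev.ppid
        depth -= 1
    return chain


def hunt(events):
    """Flag every rundll32 export call whose export is EXPORT_NAME.
    `via_msi` is True when msiexec.exe appears in the caller's ancestry,
    matching the MSI-delivered chain described in the article."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        call = dll_export_call(e.cmdline)
        if call is None:
            continue
        dll, export = call
        if export.lower() != EXPORT_NAME:
            continue
        lineage = ancestry(by_pid, e.ppid)
        hits.append({
            "pid": e.pid,
            "dll": dll,
            "export": export,
            "lineage": lineage,
            "via_msi": "msiexec.exe" in lineage,
        })
    return hits


# Constructed sample telemetry (hypothetical paths and file names).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe",
              r'AcroRd32.exe "C:\Users\bob\Downloads\notice.pdf"'),
    ProcEvent(300, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\bob\Downloads\form.msi"'),
    # The chain from the article: MSI -> embedded DLL -> export 'hvsi'.
    ProcEvent(400, 300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\bob\AppData\Local\Temp\MSI1A2B.tmp\payload.dll,hvsi"),
    # Benign rundll32 use that must not fire.
    ProcEvent(500, 100, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
    # Same export name without the MSI parent: still reported, lower confidence.
    ProcEvent(600, 100, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\bob\AppData\Roaming\x.dll",HVSI'),
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h)
```

Because export names are cheap for an operator to change, treat the ‘hvsi’ match as a campaign-specific indicator and the msiexec.exe-to-rundll32.exe lineage as the more durable signal to keep in a detection rule.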

Zscaler ThreatLabz, in one after shared on

QakBot, also called QBot and Pinkslipbot, was disrupted as part of a coordinated effort called Operation Duck Hunt, after authorities gained access to its infrastructure and instructed infected computers to download an uninstaller that rendered the malware ineffective.


Traditionally distributed via spam email messages containing malicious attachments or hyperlinks, QakBot is capable of collecting sensitive information and delivering additional malware, including ransomware.

In October 2023, Cisco Talos revealed that QakBot affiliates were using phishing lures to deliver a mix of ransomware, remote access Trojans, and stealer malware.

QakBot’s return mirrors that of Emotet, which also resurfaced in late 2021, months after being dismantled by law enforcement, and has remained a durable threat, albeit at a lower level of activity.

While it remains to be seen whether the malware will return to its former scale, the resilience of such botnets underlines the need for organizations to keep defending against the spam and phishing emails that Emotet and QakBot campaigns rely on.
