
After the bust: Qakbot hackers still active

At the end of August 2023, the FBI proudly announced the dismantling of the Qakbot infrastructure. However, the masterminds behind Qakbot are still active and distributing malware, including the ransomware Ransom Knight (Cyclops) and the backdoor Remcos. Read our blog article to learn about the threats posed by Qakbot and its successors and how you can protect yourself.

Hackers used Qakbot for years to extort companies and government agencies. The main target since January 2020 has been healthcare in the U.S., but other industries in other countries have also been affected.

The botnet provided a command-and-control infrastructure that could be used to attack companies and individuals around the globe. According to investigators, the server infrastructure was located in Germany. Investigators took it over and deprived the perpetrators of access to the systems. Federal Minister of the Interior Nancy Faeser spoke of a “major and effective strike.”

Effective, yes, but unfortunately not in the long term: The masterminds behind Qakbot are still active and distribute malware, including the ransomware Ransom Knight (Cyclops) and the backdoor Remcos – both infiltrated via phishing emails.

What is Qakbot?

Qakbot, also known as “Qbot” and “Pinkslipbot”, is a malicious computer worm and banking Trojan that was first discovered in 2009. The malicious code targets Windows-based systems and is designed to collect confidential information, especially banking data and login credentials. Qakbot often spreads via infected email attachments, malicious websites and peer-to-peer networks.

The malware is capable of performing a variety of malicious activities, including keylogging (recording keystrokes), data theft, inserting backdoors into infected systems, and spreading the malware itself. In addition, Qakbot is able to persist in an infected system, i.e. remain active even after the computer is rebooted.

QakBot has appeared in two different ways so far: On the one hand, QakBot is bundled with contaminated Microsoft Office attachments, which are used to carry out attacks against affected companies. On the other hand, QakBot works in combination with the ProLock ransomware, in which case QakBot serves as a door opener.

QakBot-infected emails contain links pointing to compromised websites, from which contaminated files are then supposed to be downloaded. Running these files then downloads the ransomware via PowerShell.

Different malware, still dangerous

“When the Qakbot rings twice,” we wrote in this space about two years ago. Despite the shutdown of the 700,000 or so Qakbot drones, security analysts believe that, although law enforcement has seized the botnet’s command-and-control infrastructure, the infrastructure is intact and the operators have, apparently successfully, sought ways to continue distributing malicious code.

In doing so, the perpetrators were identified by the use of malicious LNK files named and formatted in the same way as those previously associated with Qakbot. These include a dozen file names that make it appear as if they are, for example, an invoice or a bank transfer. About half of them are written in Italian, which suggests that the malware botnet has been focusing on a certain region lately. The LNK files are in a ZIP archive that also contains the Remcos backdoor disguised as a legitimate Excel XL add-on file.

Qakbot masterminds now use Ransomware-as-a-Service

It appears that the “malware” part of the botnet has been seriously disrupted: the attackers are not using malware previously associated with Qakbot. Instead, they seem to have become customers of the ransomware-as-a-service provider “Cyclops”. This group also recently attracted attention for using RedLine malware.

Security experts remain skeptical because the main actors have not been identified and caught. In general, it can be assumed that the existing malware will be modified for new campaigns. The danger therefore remains, and with it the question of how best to protect against such attacks.

Email firewalls against Qakbot

It is also necessary to use a powerful email firewall to protect against spam and malware. This can ward off the dangers from the very beginning. NoSpamProxy offers numerous features for this, which protect you from attacks with malware like QakBot.

  • URL Safeguard

    The URL Safeguard rewrites or blocks URLs in inbound e-mails, and it checks the respective URL again each time at the time it is clicked by the user to see whether it leads to a malicious target. If the URL is deemed dangerous, access is prevented. Blocked URLs can be unblocked by the administrator.

  • Reputation filter

    The reputation filter evaluates sender reputation by checking SPF, DKIM and DMARC entries and rejects fake emails in the vast majority of cases, no matter how well done the email is in terms of appearance and content.

  • Content filter

    The content filter in NoSpamProxy offers the possibility to block certain file types such as executable files or Word documents with macros, to turn all Word, Excel and PDF files into harmless PDFs with the help of Content Disarm and Reconstruction (CDR) or to reject the email.
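
As an added example (not NoSpamProxy's implementation and not code from this article), this Python sketch shows the kind of file-type check a content filter can apply to the ZIP attachments described above, identifying LNK and PE members by their header bytes rather than by name. The `.xll` extension for the Excel add-on file, the blocked-extension policy and the sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the fixed LinkCLSID
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
PE_MAGIC = b"MZ"  # DOS/PE header, also used by DLL-based Excel add-ins
BLOCKED_EXT = {".lnk", ".xll"}  # assumed policy, not taken from the article


def inspect_zip(data: bytes) -> list[str]:
    """Return one finding per suspicious member of a ZIP attachment."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unreadable archive"]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.flag_bits & 0x1:  # encrypted: content cannot be checked
                findings.append(f"{name}: encrypted member, cannot inspect")
                continue
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            ext = os.path.splitext(name)[1].lower()
            if head == LNK_MAGIC:
                findings.append(f"{name}: Windows shortcut (LNK) by content")
            elif head.startswith(PE_MAGIC):
                findings.append(f"{name}: PE executable/DLL by content")
            elif ext in BLOCKED_EXT:
                findings.append(f"{name}: blocked extension {ext}")
    return findings


def build_sample() -> bytes:
    """Constructed sample: harmless bytes carrying only file-type headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice-sample.txt", LNK_MAGIC + b"\x00" * 56)  # renamed LNK
        z.writestr("addin-sample.xll", PE_MAGIC + b"\x00" * 62)
        z.writestr("transfer-sample.lnk", b"not a real shortcut")
        z.writestr("notes.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample()):
        print(finding)
```

Checking content first means a shortcut renamed to `.txt` is still reported, while the extension rule catches members whose header does not match a known type.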

Optimal protection against Qakbot with 32Guards

New malware trends, new types of spam attacks and emerging threats of all kinds are detected by 32Guards in the shortest possible time. And 32Guards is constantly learning: The growing database makes it possible to continuously improve 32Guards and adapt it to the current threat situation.

Unlike conventional cybersecurity solutions, 32Guards takes a global approach to analyzing current threats: The information of the individual NoSpamProxy instances, for example, file name, file size or hash value, is combined by a higher-level malware intelligence and evaluated in real time. This enables rapid analysis and thus immediate reaction to acute danger situations.

Reliably protect against QakBot with NoSpamProxy

With NoSpamProxy and the 32Guards service, you can reliably protect your company from malware like QakBot. Request your free trial version now!
