QakBot Malware Operators Resurface with New Phishing Campaign Despite FBI Takedown

In a surprising turn of events, the FBI’s recent mission against the notorious QakBot malware operators may not have been as successful as initially believed. Just like a storyline from a comic book, these cyber-villains have returned with a vengeance.

Cybersecurity experts from Cisco Talos have recently unveiled a concerning development—a brand new phishing campaign believed to be orchestrated by QakBot operators. This campaign, which has been active since August of this year, has a clear objective: the distribution of Cyclops and Remcos Remote Access Trojans (RATs).

The report from Cisco Talos suggests that the FBI’s law enforcement operation might not have disrupted the QakBot operators’ spam delivery infrastructure. Instead, it appears to have primarily affected their command and control (C2) servers, leaving room for the resurgence of their malicious activities.

This news comes on the heels of an announcement made in late August 2023 by FBI Director Christopher Wray, who disclosed the agency’s efforts in dismantling one of the most extensive and disruptive botnet networks as part of Operation Duck Hunt. Wray highlighted the wide range of victims, including financial institutions, critical infrastructure, government contractors, and medical device manufacturers, all targeted by this formidable botnet.

While the researchers at Talos have connected the latest phishing campaign to QakBot affiliates, they have emphasized that these threat actors are now distributing other RATs instead of the QakBot loader itself. Giuseppe Venere from Talos pointed out, “Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward.”

The resilience of QakBot’s operators suggests that the operators themselves were not arrested as part of the FBI’s operation, leaving open the possibility that they may choose to rebuild the QakBot infrastructure. QakBot, also known as Qbot or Pinkslipbot, is a malware strain that has been active for over a decade, primarily targeting Windows-based systems. Over the years, it has undergone significant evolution, expanding its capabilities to include the distribution of ransomware and other malicious activities.