QakBot Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks

Cyber Security

Oct 05, 2023NewsroomRansomware / Malware

Despite the disruption to its infrastructure, the threat actors behind the QakBot malware have been linked to an ongoing phishing campaign since early August 2023 that led to the delivery of Ransom Knight (aka Cyclops) ransomware and Remcos RAT.

This indicates that “the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command-and-control (C2) servers,” Cisco Talos researcher Guilherme Venere said in a new report published today.

The activity has been attributed with moderate confidence by the cybersecurity firm to QakBot affiliates. There is no evidence to date that the threat actors have resumed distributing the malware loader itself post-infrastructure takedown.


QakBot, also called QBot and Pinkslipbot, originated as a Windows-based banking trojan in 2007 and subsequently developed capabilities to deliver additional payloads, including ransomware. In late August 2023, the notorious malware operation was dealt a blow as part of an operation named Duck Hunt.

Ransom Knight and Remcos RAT

The latest activity, which commenced just before the takedown, starts with a malicious LNK file likely distributed via phishing emails that, when launched, detonates the infection and ultimately deploys the Ransom Knight ransomware, a recent rebrand of the Cyclops ransomware-as-a-service (RaaS) scheme.

The ZIP archives containing the LNK files have also been observed incorporating Excel add-in (.XLL) files to propagate the Remcos RAT, which facilitates persistent backdoor access to the endpoints.


Some of the file names being used in the campaign are written in Italian, which suggests the attackers are targeting users in that region.

“Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward,” Venere said.

“Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Alert: HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver
Amazon Prime Day 2024 Sale: Best Deals on Smart TVs Under Rs. 30,000
Apple releases iOS 18 public beta for iPhone — Here’s what’s new and how to get it
Amazon sellers lose coveted buy box ahead of Prime Day after Target discount snafu
Dyson OnTrac Headphones With Customisable Ear Cushions, Up to 50 Hours of Battery Life Launched

Leave a Reply

Your email address will not be published. Required fields are marked *