{
  "family": "qbot",
  "sample_count": 1758,
  "category": "banking_trojan",
  "description": "Qbot, also known as Qakbot or Pinkslipbot, is a banking trojan and credential-stealer first observed in 2008 that has remained continuously active and become a major delivery vector for ransomware including ProLock, Egregor, and Conti. It steals banking credentials, browser data, and email, and propagates through network shares and brute-forcing. Qbot is typically delivered through phishing campaigns using thread-hijacking, where attackers reply to existing email threads to add credibility. International law enforcement disrupted Qakbot infrastructure in August 2023.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "qakbot",
    "pinkslipbot",
    "qbotvar"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Qbot?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Qbot, also known as Qakbot or Pinkslipbot, is a banking trojan and credential-stealer first observed in 2008 that has remained continuously active and become a major delivery vector for ransomware including ProLock, Egregor, and Conti. It steals banking credentials, browser data, and email, and propagates through network shares and brute-forcing. Qbot is typically delivered through phishing campaigns using thread-hijacking, where attackers reply to existing email threads to add credibility. International law enforcement disrupted Qakbot infrastructure in August 2023."
      }
    },
    {
      "@type": "Question",
      "name": "How does Qbot spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Qbot (Qakbot) spreads through phishing email reply-chain hijacking, malicious Office attachments, and ZIP-with-LNK delivery, often preceding Conti, Black Basta, and other ransomware deployments."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Qbot infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Key indicators include complaints from contacts about hijacked email threads, browser injection on banking sites, scheduled tasks with random names, and antivirus detections naming Qakbot, Qbot, or Pinkslipbot."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Qbot on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1566.001",
    "T1055",
    "T1071.001",
    "T1547.001"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}