Qbot

Category: banking_trojan · Aliases: Trojan.Qbot, Banking.Qakbot, Win32/Qakbot · Sample count (EMBER 2018): 1,758 · Enrichment: curated_sourced · Updated: 2026-07-02T09:04:51Z
First seen: 2007Status: disrupted 2023 resurged

Overview

Executive Summary

Qbot (also known as Qakbot or QuackBot) is an extremely sophisticated, highly modular banking trojan and botnet that has been active since at least 2007. Originally designed to steal banking credentials via web injection, it has evolved into one of the most prominent Initial Access Brokers (IAB) in the cybercriminal ecosystem. Qbot is now primarily utilized to establish a deeply persistent foothold in corporate networks, steal Active Directory credentials, and facilitate the devastating, network-wide deployment of tier-1 ransomware, such as BlackBasta, Egregor, or ProLock.

Infection Vector and Technical Capabilities

Qbot is overwhelmingly distributed via massive, highly sophisticated email thread-hijacking campaigns. It replies to existing, legitimate corporate email threads with malicious links or ZIP attachments (often containing weaponized Excel documents with XLM macros), making the phishing lures incredibly convincing. Its technical capabilities represent the apex of cybercriminal engineering:

Threat Assessment

A Qbot detection is a critical, enterprise-threatening crisis. It is a Tier-1 threat indicating that a highly capable, financially motivated threat group is actively operating within the network. If Qbot is not eradicated completely and immediately, a full-scale ransomware deployment is almost guaranteed within days.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1566.001Spearphishing Attachment
T1027.006HTML Smuggling
T1053.005Scheduled Task
T1055.001DLL Injection

Indicators of Compromise

Public indicators drawn from CISA advisories and vendor reporting. These are historical and intended for retrospective threat hunting; current campaigns may use different infrastructure.

Delivery vectors

Network indicators

Persistence mechanisms

Detection Guidance

Detection ideas drawn from public reporting. Tune to your environment before deploying.

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_QBOT {
    meta:
        description = "Detects Qbot (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "qbot" ascii wide nocase
        $s2 = "trojan.qbot" ascii wide nocase
        $s3 = "banking.qakbot" ascii wide nocase
        $s4 = "win32/qakbot" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Qbot Activity
id: d9b8af17f349af0718badc314ce6b4bd
status: experimental
description: Detects generic indicators of the qbot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*qbot*"
            - "*trojan.qbot*"
            - "*banking.qakbot*"
            - "*win32/qakbot*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Run FBI-distributed Qakbot uninstaller (where applicable per the 2023 takedown)
  2. Isolate the host and block C2 IP ranges
  3. Rotate credentials in browser stores and email clients on host
  4. Hunt for Cobalt Strike beacons and follow-on ransomware staging

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not rely solely on AV signatures; Qbot updates frequently
  2. Do not restore from backups without verifying the backup pre-dates infection
  3. Do not ignore email reply-chain hijacking — notify recipients

References & External Analysis

Frequently Asked Questions

What is QakBot/Qbot?

A modular banking trojan used by financially-motivated actors since at least 2007, used for credential theft and as a malware delivery agent.

How has QakBot evolved?

MITRE notes it evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.

How does QakBot typically arrive?

Through phishing emails containing malicious attachments or links, sometimes within hijacked email threads.

What are QakBot's other names?

It is also tracked as Qbot, Pinkslipbot, and QuackBot.

Is QakBot linked to ransomware?

Yes; it has acted as an access broker preceding ransomware deployment.

How can organizations defend against QakBot?

Block phishing, restrict macros, monitor for credential theft and lateral movement, and keep tested offline backups.

Where is the authoritative reference?

MITRE ATT&CK's QakBot entry (S0650), linked on this page.

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/qbot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.