QakBot / QBot
What is QakBot / QBot?
A long-running banking trojan and ransomware loader disrupted by the FBI's Operation Duck Hunt in August 2023, with operators resurfacing months later.
QakBot, also known as QBot, Pinkslipbot or Quakbot, is a modular banking trojan first observed in 2008 that evolved into one of the most prolific ransomware loaders of the 2020s. Distributed mainly via thread-hijacked email and HTML smuggling, it deployed Cobalt Strike and Brute Ratel and served ransomware affiliates linked to BlackBasta, Conti and Royal. In August 2023 the FBI announced Operation Duck Hunt, in which it seized QakBot infrastructure across multiple countries and pushed an uninstaller to roughly 700,000 infected hosts, returning around 8.6 million USD in cryptocurrency. Operators resurfaced months later with new campaigns, underscoring how loader ecosystems persist despite disruption.
● Examples
- 01: A QakBot infection chains into a BlackBasta deployment within a week, after Cobalt Strike beacons reach internal servers.
- 02: Threat-hunting teams add detections for QakBot's resurrected campaigns using new TLP:CLEAR indicators in late 2023.
● Frequently asked questions
What is QakBot / QBot?
A long-running banking trojan and ransomware loader disrupted by the FBI's Operation Duck Hunt in August 2023, with operators resurfacing months later. It belongs to the Malware category of cybersecurity.
How do you defend against QakBot / QBot?
Defences for QakBot / QBot typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for QakBot / QBot?
Common alternative names include: QBot, Pinkslipbot, Quakbot.
● Related terms
- malware, № 084
Banking Trojan
Malware designed to steal online-banking credentials and authorize fraudulent transactions, typically through web injects, form grabbing, or overlays.
- malware, № 621
Loader
Malware that prepares the environment and loads further payloads — often directly into memory — for a subsequent stage of an attack.
- malware, № 900
Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- defense-ops, № 193
Cobalt Strike
A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.
- attacks, № 821
Phishing
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.