
Qbot botnet changes tactics to infect Windows users


Qbot botnet operators have switched tactics and are now pushing malicious payloads through phishing emails that carry password-protected ZIP archive attachments containing malicious Windows Installer packages. 

Qbot, also known as Qakbot, Quakbot and Pinkslipbot, is a modular Windows banking trojan that has been in circulation since at least 2007. It is used to steal banking credentials, personal information and financial data, and to install backdoors on infected devices through which Cobalt Strike beacons are deployed. 

Usually, Qbot operators deliver the payload through phishing emails carrying Microsoft Office documents with malicious macros; this is the first time they have been seen using password-protected archives with Windows Installer packages. Researchers believe the switch is a response to Microsoft's February announcement that it will block VBA macros in Office files downloaded from the internet by default, following its move in January to disable Excel 4.0 (XLM) macros by default. 
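A password-protected archive defeats content scanning at the mail gateway, but it does not hide the archive's metadata: the ZIP format keeps entry names, sizes and the encryption flag in the clear. The following Python script, an added example that is not code from the article or from any Qbot analysis, shows the metadata-only check a mail gateway or SOC triage script can apply to a ZIP attachment: it lists the entries, notes which ones are encrypted, and flags Windows Installer packages by extension. The verdict policy (`block` / `review` / `allow`) and the extension list are assumptions, and the sample archive is constructed by a minimal ZIP writer that sets the encryption flag bit on each entry without actually encrypting the bodies, which is all the detector looks at.

```python
import io
import os
import struct
import zipfile
import zlib

# General-purpose bit flag 0 in a ZIP header marks an entry as encrypted
# (ZipCrypto or AES). Names and sizes stay in the clear, which is what
# this check relies on.
ZIP_FLAG_ENCRYPTED = 0x0001

# Assumed watch list: Windows Installer package, patch and transform files.
INSTALLER_EXTS = {".msi", ".msp", ".mst"}


def inspect_zip_attachment(blob):
    """Summarise what the central directory reveals without the password.

    Returns None when the bytes are not a ZIP archive at all.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            infos = zf.infolist()
            names = [info.filename for info in infos]
            encrypted = [info.filename for info in infos
                         if info.flag_bits & ZIP_FLAG_ENCRYPTED]
    except zipfile.BadZipFile:
        return None
    installers = [name for name in names
                  if os.path.splitext(name)[1].lower() in INSTALLER_EXTS]
    return {"names": names, "encrypted": encrypted, "installers": installers}


def classify_zip_attachment(blob):
    """Assumed triage policy for a ZIP attachment.

    block   - an installer package that the scanner cannot open (encrypted)
    review  - any encrypted entry, or any installer package in the clear
    allow   - neither
    not_zip - not a ZIP archive
    """
    summary = inspect_zip_attachment(blob)
    if summary is None:
        return "not_zip"
    hidden_installers = [n for n in summary["installers"]
                         if n in summary["encrypted"]]
    if hidden_installers:
        return "block"
    if summary["encrypted"] or summary["installers"]:
        return "review"
    return "allow"


def build_zip(entries, encrypted=False):
    """Constructed sample: a minimal 'stored' ZIP built by hand.

    entries is a list of (name, bytes). With encrypted=True the encryption
    flag bit is set exactly as a password-protected archive would set it;
    the bodies are written as given (no real ZipCrypto), which is enough
    to exercise the metadata check above.
    """
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    out = io.BytesIO()
    central = []
    for name, data in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = out.tell()
        # Local file header: sig, version, flags, method(0=stored), time,
        # date (1980-01-01), crc, compressed size, size, name len, extra len.
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0,
                              0x21, crc, len(data), len(data), len(name_b), 0))
        out.write(name_b)
        out.write(data)
        # Central directory record for the same entry.
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                                   flags, 0, 0, 0x21, crc, len(data), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_start = out.tell()
    for record in central:
        out.write(record)
    cd_size = out.tell() - cd_start
    # End of central directory record.
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                          len(central), cd_size, cd_start, 0))
    return out.getvalue()


if __name__ == "__main__":
    lure = build_zip([("Invoice_04-2022.msi", b"\xd0\xcf\x11\xe0" + b"\0" * 28)],
                     encrypted=True)
    print(inspect_zip_attachment(lure))
    print(classify_zip_attachment(lure))  # block
```

The check deliberately never tries to open the entries, so it works on archives the scanner cannot decrypt. It is a name-based rule, so it is only a first tier: an attacker can nest a second archive inside the first or rename the package, and formats that encrypt their headers (7z or RAR with header encryption) reveal no names at all and need a blanket policy for encrypted archives instead.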


Adapting to changes

Microsoft started rolling out the VBA macro auto-block feature to Office users on Windows in early April. The feature has reached version 2203 in the Current Channel (Preview) and will reach the other release channels and older versions later. 

The Qbot malware uses macros in Office applications to infect users.

Attackers often use Excel 4.0 macros to evade detection. Now that they are disabled by default, users have to enable them manually before such a document can run, which reduces the risk of a silent infection. 

Qbot is known for spreading to other devices on a compromised network through network share exploits and for launching very aggressive brute-force attacks against Active Directory admin accounts. It is usually deployed in highly targeted attacks on corporate entities, which offer the operators a higher return on investment. 

The malware has been used by multiple ransomware gangs, including REvil, PwndLocker, MegaCortex, Egregor and ProLock. 


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
