Skip to main content
close search
site logo

US leads takedown of Qakbot malware, which automated initial infections

The botnet and malware had infected more than 700,000 computers worldwide and was linked to the abuse of OneNote files.

Published Aug. 30, 2023
David Jones's headshot
Reporter
An image of Federal Bureau of Investigation Director Christopher Wray at a press conference.
Director of the Federal Bureau of Investigation (FBI) Christopher Wray (C), joined by Attorney General Merrick Garland and Assistant Attorney General Lisa Monaco, delivers remarks on an international ransomware enforcement action at the U.S. Justice Department on January 26, 2023 in Washington, DC. Kevin Dietsch/Getty Images via Getty Images

The Department of Justice disclosed a massive international operation to disrupt the Qakbot malware, which has infected more than 700,000 computers across the globe and led to hundreds of millions of dollars in damages. 

The malware, also known as “Qbot” or “Pinkslipbot,” had been used by criminal threat actors to infect critical infrastructure systems, primarily using email messages with malicious attachments or hyperlinks. 

Officials said the operation was the largest U.S. led disruption of a botnet infrastructure in history. It marked the latest effort by federal officials to disrupt multinational cybercrime by mustering an international coalition. The U.S. worked alongside France, Germany, the Netherlands, the U.K., Romania and Latvia for the takedown

“The FBI led a worldwide joint, sequenced operation that crippled one of the longest-running criminal botnets,” FBI Director Christopher Wray, said in a statement Tuesday. “With our federal and international partners, we will continue to systematically target every part of cybercriminal organizations, their facilitators and their money – including by disrupting and dismantling their ability to use illicit infrastructure to attack us.”

The FBI was able to redirect botnet traffic toward servers it controlled and disrupt the operation. More than 200,000 computers in the U.S. alone were found to be infected. Authorities also seized $8.6 million in illicit cryptocurrency as part of the takedown. 

Qakbot, which first emerged in 2007, is a banking trojan that is used to steal financial data and login credentials from web browsers, according to research from ZScaler. Qakbot is also used as a backdoor to inject payloads such as Cobalt Strike. 

Officials at ZScaler, which was cited by law enforcement for “valuable technical assistance” during the case, declined to comment for the story.

Threat groups including Conti, Egregor, REvil, Black Basta and others have used Qakbot for initial infection into computer systems, according to the DOJ. 

“Typically, Qakbot automated its delivery method in order to cast a wide net and infect as many potential victims as possible,” John Hammond, principal security researcher at Huntress, said via email. 

Last November, Huntress reported a 400% increase in Qakbot activity. Researchers say Qakbot began to launch attacks by leveraging malicious OneNote attachments after Microsoft began to disable macros.

The FBI and Dutch National Police have set up website links where stolen credentials can be accessed to find out if they were used.

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell