Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

QakBot Malware Dismantled in Major International Law Enforcement Operation

A coordinated law enforcement effort has taken down QakBot, a notorious Windows malware family that’s estimated to have compromised over 700,000 computers globally and facilitated financial fraud as well as ransomware. The U.S. Justice Department said the malware is “being deleted from victim computers, preventing it from doing any more harm,” adding it seized more than $8.6 million in cryptocurrency in illicit profits. The dismantling has been hailed as “the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals.”

Operation Duck Hunt: The International Takedown of QakBot

The coordinated law enforcement effort, codenamed Operation Duck Hunt, involved the participation of France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., alongside technical assistance from cybersecurity company Zscaler. The counteroffensive against QakBot enabled access to the malware’s infrastructure, thereby making it possible to redirect the botnet traffic to and through servers controlled by the U.S. Federal Bureau of Investigation (FBI) with the ultimate goal of neutralizing the “far-reaching criminal supply chain.”

QakBot: A Highly Sophisticated Banking Trojan

QakBot, also known as QBot and Pinkslipbot, started its life as a banking trojan in 2007 before morphing into a general-purpose Swiss Army knife that acts as a distribution center for malicious code on infected machines, including ransomware, unbeknownst to the victims. Some of the major ransomware families propagated through QakBot comprise Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. QakBot administrators are said to have received fees corresponding to approximately $58 million in ransoms paid by victims between October 2021 and April 2023.

The Fight Against QakBot

QakBot has demonstrated a higher level of complexity over time, rapidly shifting its tactics in response to new security guardrails. Typically distributed via phishing emails, the modular malware also comes fitted with command execution and information harvesting capabilities. It has seen constant updates during its lifetime, with the actors (codenamed Gold Lagoon or Mallard Spider) known to take extended breaks each summer before resuming their spamming campaigns.

The Future of QakBot

The sophistication and adaptability of QakBot is evident in the operators’ ability to weaponize a wide range of file formats (e.g., PDF, HTML, and ZIP) in its attack chains. Its backend infrastructure is located in Russia. QakBot, like Emotet and IcedID, employs a three-tiered system of servers to control and communicate with the malware installed on infected computers. QakBot has also been one of the most active malware families in the second quarter of 2023, leveraging as many as 18 unique attack chains and clocking 56 campaigns over the time period, underscoring the e-crime group’s penchant for “quickly permuting their tradecraft to exploit gaps in network defenses.”


The takedown of QakBot has been hailed as a significant victory for law enforcement agencies in the fight against cybercrime. Its sophistication and adaptability demonstrate the need for constant vigilance and collaboration to combat the ever-evolving threat landscape posed by malware families like QakBot.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.