The Qakbot malware operation [2] [3] [4] [5] [6], also known as Qbot or Pinkslipbot [1] [2] [3] [4], remains a significant threat despite a recent law enforcement action, “Operation Duck Hunt”, that targeted its infrastructure [6].


The FBI’s operation affected only the group’s command and control servers [3], leaving its spam delivery infrastructure intact [2] [3] [4] [5]. Qakbot [3] [4] [5] [6], originally a banking trojan that evolved into a botnet used to stage ransomware attacks [3], is still operated by an active group that may choose to rebuild its infrastructure [3] [5]. Since August 2023 [1] [2] [4] [8], researchers from Cisco’s Talos unit have observed the group running a phishing campaign that distributes the Ransom Knight ransomware and the Remcos RAT [3]. In this campaign [1] [5], Qakbot has inserted malicious messages into existing email conversations and downloaded three different malicious payloads [7]: modules for password stealing [7], network scanning [7], and sending spam emails [7]. The phishing emails carry LNK files [3] with filenames written in Italian [3], suggesting a focus on users in that region [3].
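The two mail-side indicators in the paragraph above, a shortcut (LNK) attachment, possibly inside an archive, and a message injected into an existing conversation, can be checked at the mail gateway or in a mailbox export. The following script is an added example for this summary, not code from Cisco Talos, Sophos or any of the cited reports; the header names it reads are standard RFC 5322 fields, and the sample message, the Italian file names and the `example.invalid` addresses are constructed here for illustration.

```python
"""Flag e-mails that carry a Windows shortcut (.lnk) attachment, directly or
inside a ZIP, and record whether the message presents itself as a reply to an
existing thread. Added example; not taken from any of the cited reports."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SHORTCUT_EXT = ".lnk"
ARCHIVE_EXTS = (".zip",)


def shortcut_names(filename, payload):
    """Return the .lnk names contributed by one attachment: the attachment
    itself, or the entries of a ZIP archive it contains."""
    name = (filename or "").lower()
    if name.endswith(SHORTCUT_EXT):
        return [filename]
    if name.endswith(ARCHIVE_EXTS):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [n for n in zf.namelist() if n.lower().endswith(SHORTCUT_EXT)]
        except zipfile.BadZipFile:
            return []  # malformed archive: nothing we can enumerate
    return []


def analyse(raw_bytes):
    """Parse one RFC 5322 message and report shortcut attachments plus the
    thread-reply indicator (In-Reply-To / References headers present)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        found.extend(shortcut_names(part.get_filename(), part.get_payload(decode=True)))
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    return {
        "lnk_attachments": found,
        "reply_to_existing_thread": in_thread,
        "suspicious": bool(found),
    }


def build_sample():
    """Constructed sample: a reply into an existing thread carrying a ZIP that
    holds an Italian-named shortcut. Addresses and names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documento.lnk", b"placeholder bytes, not a real shortcut")
    msg = EmailMessage()
    msg["From"] = "mittente@example.invalid"
    msg["To"] = "destinatario@example.invalid"
    msg["Subject"] = "Re: fattura"
    msg["In-Reply-To"] = "<earlier-message@example.invalid>"
    msg.set_content("Vedi allegato.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="documento.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse(build_sample()))
```

The thread-reply flag is deliberately reported separately from the verdict: legitimate replies set these headers too, so it is context for an analyst rather than a detection on its own, whereas a shortcut file arriving by mail is rarely legitimate and drives the `suspicious` result.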

Security teams should take Qakbot infections seriously because an infection can be a precursor to a ransomware attack [7]. Cisco Talos has released a report on this ongoing ransomware campaign [6]. Sophos recommends caution when dealing with unusual or unexpected emails and suggests using security technologies to prevent Qakbot infections [7].


Despite the law enforcement operation’s impact on the Qakbot group’s command and control servers, its spam delivery infrastructure remains unaffected [2]. The Qakbot threat actors have been linked to an ongoing phishing campaign since August 2023 [2], delivering the Ransom Knight ransomware and the Remcos RAT [1] [2] [3] [4] [6] [8]. Although there is no evidence of Qakbot malware distribution since the infrastructure takedown, the malware is assessed as likely to continue posing a significant threat in the future [2]. The threat actors may choose to rebuild the Qakbot infrastructure to fully resume their pre-takedown activity [2]. Security measures [7], such as caution when handling suspicious emails and the use of security technologies, are recommended to mitigate the risk of Qakbot infections.