
Evasive and Tenacious Malware QBot Analysis Reveals Short Server Lifespans

In a recent report, Lumen Black Lotus Labs revealed that 25% of QBot's command-and-control (C2) servers are only active for a single day. What's more, 50% of the servers don't remain active for more than a week, indicating the use of an adaptable and dynamic C2 infrastructure.

QBot, also called QakBot and Pinkslipbot, is a persistent and potent threat that started off as a banking trojan before evolving into a downloader for other payloads, including ransomware. Its origins go back as far as 2007. The malware arrives on victims' devices via spear-phishing emails, which either directly incorporate lure files or contain embedded URLs that lead to decoy documents. The threat actors behind QBot have continuously improved their tactics over the years to infiltrate victim systems using different methods such as email thread hijacking, HTML smuggling, and employing uncommon attachment types to slip past security barriers.

Researchers believe that the use of dynamic C2 infrastructure is an indication that the QBot threat actors are using sophisticated methods to evade detection and avoid being taken down. The fact that the malware has been around for over a decade is a testament to the threat actors' ability to adapt and change their tactics as needed to stay one step ahead of security defenses.

Business users and individuals alike need to be aware of the QBot threat and take steps to protect themselves, such as being cautious of spear-phishing emails and not clicking on links or opening attachments from unknown senders.
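The lifespan figures above are what you get by taking first-seen and last-seen timestamps per C2 server and looking at the distribution; the defensive consequence is that an indicator feed has to expire entries at the same pace, or a blocklist fills up with dead servers while the live ones are missed. The following is an added example, not code from the article or from Black Lotus Labs, that computes those shares from a constructed sighting log and lists indicators old enough to age out. The addresses are from RFC 5737 documentation ranges and the timestamps are invented; the one-day and one-week thresholds mirror the report's two figures.

```python
"""Added example (not from the Black Lotus Labs report or the article):
measure C2 server lifespans from a constructed sighting log and age out
indicators that are probably dead.  All addresses are RFC 5737
documentation ranges and all timestamps are made up for the illustration."""
from datetime import datetime, timedelta

# Constructed sighting log: (server, observation time).  A sighting is any
# moment the server was seen acting as C2 (beaconing, serving a payload, ...).
SIGHTINGS = [
    ("192.0.2.10",   "2023-05-01T08:00:00"),
    ("192.0.2.10",   "2023-05-01T19:30:00"),   # active for part of one day
    ("192.0.2.11",   "2023-05-01T09:00:00"),
    ("192.0.2.11",   "2023-05-04T10:00:00"),   # about three days
    ("198.51.100.7", "2023-05-02T00:00:00"),
    ("198.51.100.7", "2023-05-12T12:00:00"),   # about ten and a half days
    ("203.0.113.42", "2023-05-03T06:00:00"),   # seen once, never again
]


def parse(ts):
    """Accept either an ISO-8601 string or a datetime."""
    return ts if isinstance(ts, datetime) else datetime.fromisoformat(ts)


def lifespans(sightings):
    """Collapse raw sightings into {server: (first_seen, last_seen)}."""
    spans = {}
    for server, ts in sightings:
        t = parse(ts)
        first, last = spans.get(server, (t, t))
        spans[server] = (min(first, t), max(last, t))
    return spans


def lifespan_days(spans):
    """Active span per server in days; a single sighting counts as 0 days."""
    return {s: (last - first).total_seconds() / 86400
            for s, (first, last) in spans.items()}


def share_within(days_by_server, limit_days):
    """Fraction of servers whose active span is at most limit_days."""
    total = len(days_by_server)
    if total == 0:
        return 0.0
    return sum(1 for d in days_by_server.values() if d <= limit_days) / total


def stale_indicators(spans, now, max_age_days=7):
    """Servers not seen for more than max_age_days before `now`: candidates
    to expire from a blocklist so it tracks the attackers' churn rather than
    accumulating dead entries."""
    cutoff = parse(now) - timedelta(days=max_age_days)
    return sorted(s for s, (_, last) in spans.items() if last < cutoff)


if __name__ == "__main__":
    spans = lifespans(SIGHTINGS)
    days = lifespan_days(spans)
    print(f"{share_within(days, 1):.0%} of servers active for at most one day")
    print(f"{share_within(days, 7):.0%} of servers active for at most one week")
    print("stale as of 2023-05-15:", stale_indicators(spans, "2023-05-15T00:00:00"))
```

On real data the sighting log would come from a sandbox, a passive DNS or netflow feed, or the published IoC lists themselves; the shares then tell you how quickly a static blocklist decays, and `stale_indicators` is the pruning step that keeps it honest. The 7-day default is an assumption chosen to match the report's one-week figure, not a recommendation from the article.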

