QakBot (Qbot) Malware Technical Analysis: Delivery Chains, Artifacts, and Defender Playbook

By Will Wisser. Posted on September 22, 2025.

1. Introduction

QakBot (a.k.a. Qbot, QuakBot, Pinkslipbot) is a long-running modular botnet that evolved from a banking trojan into a flexible access platform for credential theft, lateral movement, and ransomware staging. This analysis distills how QakBot typically arrives, executes, persists, and communicates, and how to detect and mitigate it with concrete artifacts and hunting tips. While international partners disrupted major QakBot infrastructure in late August 2023, its techniques remain widely reused by other loaders and affiliates, so defenders still need these patterns on their radar.

2. Background / Threat Overview

QakBot has operated since at least 2008 and historically preceded human-operated ransomware such as Conti, ProLock, Egregor, REvil, MegaCortex, Black Basta, Royal, and PwndLocker. Its modular design (injection, discovery, credential theft, and payload delivery) made it central to the cybercrime supply chain until the 2023 disruption operation. Even so, many campaigns used the same delivery tricks (OneNote, HTML smuggling, PDF→JS/WSF chains), and successor loaders (e.g., DarkGate, Pikabot) adopted QakBot-style thread-hijacking lures.

3. Technical Analysis

3.1 Initial Access

Observed delivery chains:

- Malspam → OneNote (.one) → embedded MSI → WSF/XMLHTTP → QakBot DLL. OneNote documents carried an MSI posing as a legitimate installer; the MSI ran hex-encoded WSF to pull the payload.
- Malspam → HTML (HTML smuggling) → ZIP → JS → PowerShell → QakBot payload (with variants using WSF/HTA). The HTML produced a user-saved ZIP containing a script that staged a PowerShell or XMLHTTP download.
- Malspam → PDF with link → JS/WSF → PowerShell/XMLHTTP → DLL.
- Malspam → ZIP → Excel XLL add-in → dropper → DLL; a scheduled task established execution every few minutes.

These chains frequently arrived via email thread hijacking, often from compromised mailboxes, using terse replies with “invoice/attachment/report” themes and URLs or archives.

3.2 Execution

- The script stage writes a QakBot DLL to %APPDATA%\Microsoft\<random>\ and launches it via rundll32.exe with an export (the export name varies by build). Some chains proxy execution through conhost.exe for defense evasion.
- Command stages often employ base64-encoded PowerShell or XMLHTTP in WSF/JS to download and reflectively load the bot module.
- QakBot injects into explorer.exe or browsers for web injects and credential theft, and to blend its network traffic with legitimate activity.

3.3 Persistence

- Registry Run key (created, removed while the bot is running, then restored before reboot): HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random>, typically pointing to rundll32.exe loading the bot DLL from the roaming path.
- Encrypted config in the registry: HKCU\Software\Microsoft\<random>, whose values have 8-character hex names and hold an RC4-encrypted structured config padded with random data.
- Additional persistence has included scheduled tasks with random names that relaunch the DLL every N minutes (commonly 5–10), often created by an injected explorer.exe via schtasks.exe.

3.4 Command and Control (C2)

Historically a three-tier C2 in which infected bots promoted to supernodes proxy traffic to deeper tiers. Configs (after RC4 decoding) list IPs/domains/ports; campaigns used TLS to IPv4 endpoints and rotated them frequently.

3.5 Payloads and Post-Exploitation

QakBot routinely staged Cobalt Strike or Brute Ratel beacons and then enabled hands-on-keyboard activity culminating in ransomware deployment (families varied by affiliate).
3.6 Example Artifacts & Snippets

Run key command line (values in braces are placeholders for the random names seen in the wild):

```cmd
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run ^
  /v {b3fA2d} /t REG_SZ ^
  /d "rundll32.exe C:\Users\%USERNAME%\AppData\Roaming\Microsoft\{rNd}\{rNd}.dll,Start" /f
```

Scheduled task:

```cmd
schtasks /Create /SC MINUTE /MO 10 /TN "WdUpdate_{rNd}" ^
  /TR "rundll32.exe %APPDATA%\Microsoft\{rNd}\{rNd}.dll,Init" /RU "%USERNAME%"
```

4. Detection and Response

4.1 Telemetry Mapping by Platform (EDR/SIEM Comparison)

Each behavior below lists the telemetry that records it on each platform.

4.1.1 Behavior: Process creation (Office/OneNote/PDF) → script engine

- Windows Security Log: 4688 Process Creation
- Sysmon: Event ID 1 (Process Create)
- Microsoft Defender for Endpoint (MDE): DeviceProcessEvents (InitiatingProcessFileName, FileName, ProcessCommandLine)
- Splunk CIM: Endpoint.Processes (process, parent_process)
- Elastic (ECS / Winlog): process.*; winlog.event_data: NewProcessName, ParentProcessName

4.1.2 Behavior: Script engine → PowerShell (encoded/base64)

- Windows Security Log: 4688; PowerShell Operational 4103/4104 (if enabled)
- Sysmon: 1 (Process Create)
- MDE: DeviceProcessEvents (ProcessCommandLine contains -enc or FromBase64String)
- Splunk CIM: Endpoint.Processes; Splunk_TA_microsoft_sysmon
- Elastic: process.command_line; winlog.channel: Microsoft-Windows-PowerShell/Operational

4.1.3 Behavior: DLL execution via rundll32.exe from user profile

- Windows Security Log: 4688
- Sysmon: 1 (Process Create), 7 (Image Load)
- MDE: DeviceProcessEvents; DeviceImageLoadEvents (FolderPath startswith %APPDATA%\Microsoft\)
- Splunk CIM: Endpoint.Processes
- Elastic: process.name: rundll32.exe; file.path for the loaded DLL; event.code: 7 (Sysmon)

4.1.4 Behavior: Registry Run key set (persistence)

- Windows Security Log: 4657 Registry Value Change
- Sysmon: 12 (Registry Object Create), 13 (Registry Value Set)
- MDE: DeviceRegistryEvents (RegistryValueName, PreviousRegistryValueData, RegistryValueData)
- Splunk CIM: Endpoint.Registry (action=set, object=registry)
- Elastic: registry.*; winlog.event_data.TargetObject; event.code: 12/13

4.1.5 Behavior: Creation of HKCU\Software\Microsoft\<random> (encrypted config)

- Windows Security Log: 4657
- Sysmon: 12/13
- MDE: DeviceRegistryEvents (RegistryKey startswith HKCU\Software\Microsoft\)
- Splunk CIM: Endpoint.Registry
- Elastic: registry.key, registry.value; winlog.event_data.Details

4.1.6 Behavior: Scheduled task created / modified

- Windows Security Log: 4698 (Create), 4699 (Delete), 4702 (Updated)
- Sysmon: 1 (Process Create for schtasks.exe)
- MDE: DeviceProcessEvents (FileName: schtasks.exe); DeviceScheduledTaskEvents
- Splunk CIM: Change (object=scheduled_task) or Endpoint.Processes
- Elastic: winlog.channel: Microsoft-Windows-TaskScheduler/Operational; process.args

4.1.7 Behavior: Named pipe creation/connection

- Windows Security Log: n/a
- Sysmon: 17 (Pipe Created), 18 (Pipe Connected)
- MDE: DeviceEvents (ActionType: PipeCreated/PipeConnected)
- Splunk CIM: Endpoint.Network or Endpoint.Filesystem (via Sysmon TA), PipeName
- Elastic: winlog.event_data.PipeName; event.code: 17/18

4.1.8 Behavior: File drop in %APPDATA%\Microsoft\<random>\

- Windows Security Log: 4663 Object Access (if enabled)
- Sysmon: 11 (File Create)
- MDE: DeviceFileEvents (FolderPath)
- Splunk CIM: Endpoint.Filesystem
- Elastic: file.path; event.code: 11

4.1.9 Behavior: Outbound TLS beacons to rotating IPs (no SNI)

- Windows Security Log: 5156/5158 WFP (if enabled)
- Sysmon: 3 (Network Connection)
- MDE: DeviceNetworkEvents (RemoteIP, RemotePort, InitiatingProcessAccountName)
- Splunk CIM: Network_Traffic
- Elastic: network.*; winlog.event_data.DestinationIp; event.code: 3

4.2 Host-Based Hunting (EDR/Sysmon/Windows)

- Registry persistence: monitor Run key writes that execute rundll32.exe from %APPDATA%\Microsoft\.
- Process chains: winword.exe/onenote.exe/acrord32.exe → wscript.exe/mshta.exe → powershell.exe or a conhost.exe proxy → rundll32.exe loading a DLL from the user profile.
- Named pipes: alert on suspicious pipe names; baseline legitimate pipes and flag anomalous creations shortly after initial execution.
- Scheduled tasks: random task names, 5–10 minute cadence, created by explorer.exe or script engines.

4.3 Network-Based Hunting

- Flag outbound TLS to IPs without SNI and to numerous ephemeral IPs soon after initial execution.
- Use beaconing analytics (interval, jitter, bytes in/out ratio) to triage hosts with suspicious patterns.

4.4 Incident Response Checklist

- Isolate the host; capture full RAM and a forensic disk image.
- Export the two registry locations above; dump scheduled tasks and ShimCache/AmCache.
- Search for child processes and scripts spawned by Office/OneNote/PDF viewers around the first-seen time.
- Identify any follow-on beacons (Cobalt Strike/Brute Ratel); treat them as separate intrusions if present.
- Rotate credentials (especially local admin and cached browser credentials) and deploy EDR block mode.
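The host-based hunts from 4.2 (Run key writes, rundll32 loading a DLL from the roaming Microsoft folder, short-cadence schtasks) as an offline check over exported Sysmon events, for use when platform queries are unavailable. This is an added example, not code from the original post; the Sysmon records, the user name, and the folder and task names in it are constructed placeholders, and the rules assume Sysmon EventData flattened to a dict.

```python
import re

# Patterns drawn from the artifacts in 3.6: a DLL under the roaming Microsoft
# folder (either spelling of the path) and the HKCU Run key.
ROAMING_DLL = re.compile(
    r"(?:appdata\\roaming|%appdata%)\\microsoft\\[^\\]+\\[^\\]+\.dll", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute(?:\s+/mo\s+(\d+))?", re.I)

# Constructed Sysmon records (EventData flattened to a dict); the user, folder
# and task names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\b3fa2d",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Abcd\Abcd.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Abcd\Abcd.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'schtasks /Create /SC MINUTE /MO 10 /TN "WdUpdate_1234" '
                    r'/TR "rundll32.exe %APPDATA%\Microsoft\Abcd\Abcd.dll,Init"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",   # benign control case
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

def triage(events):
    """Return (rule, event) pairs for the host-based hunts in 4.2."""
    hits = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            # Run key value that points rundll32 at a DLL in the roaming path
            if "rundll32" in details.lower() and ROAMING_DLL.search(details):
                hits.append(("run_key_rundll32_appdata", ev))
        elif ev["EventID"] == 1:
            image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "")
            if image.endswith(r"\rundll32.exe") and ROAMING_DLL.search(cmd):
                hits.append(("rundll32_dll_from_appdata", ev))
            elif image.endswith(r"\schtasks.exe") and ROAMING_DLL.search(cmd):
                m = SCHTASKS_MINUTE.search(cmd)
                # A MINUTE schedule without /MO fires every minute; flag 10 min or less
                if m and int(m.group(1) or 1) <= 10 and "rundll32" in cmd.lower():
                    hits.append(("schtasks_minute_rundll32", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, "<-", ev.get("CommandLine") or ev.get("Details"))
```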
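The beaconing triage from 4.3 (interval, jitter, bytes out/in ratio, and whether SNI was present) over per-connection records, grouped by host and destination. This is an added example, not code from the original post; the connection records, host name and destination IPs are constructed (documentation address ranges), and the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict

def _sample_connections():
    """Constructed Sysmon EID 3 / flow-style records; IPs are documentation ranges."""
    conns, t0 = [], 1_700_000_000
    # Beacon-like: ~60 s cadence with a few seconds of jitter, no SNI, small fixed sizes
    for i, j in enumerate([0, 2, -1, 3, -2, 1, 0, -3, 2, 1]):
        conns.append({"ts": t0 + 60 * i + j, "host": "WS01", "dst_ip": "198.51.100.23",
                      "dst_port": 443, "sni": None, "bytes_out": 620, "bytes_in": 340})
    # Browsing-like: irregular gaps, SNI present, replies much larger than requests
    t = t0
    for gap in [0, 5, 47, 120, 900, 2, 31, 400, 8, 60]:
        t += gap
        conns.append({"ts": t, "host": "WS01", "dst_ip": "203.0.113.7", "dst_port": 443,
                      "sni": "www.example.com", "bytes_out": 900, "bytes_in": 45000})
    return conns

SAMPLE_CONNS = _sample_connections()

def beacon_candidates(conns, min_count=8, max_jitter=0.2, require_no_sni=True):
    """Score each (host, dst_ip, dst_port) series; thresholds are assumptions to tune."""
    series = defaultdict(list)
    for c in conns:
        series[(c["host"], c["dst_ip"], c["dst_port"])].append(c)
    findings = []
    for key, rows in series.items():
        if len(rows) < min_count:
            continue
        rows.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(rows, rows[1:])]
        interval = statistics.median(gaps)
        if interval <= 0:
            continue
        # Jitter as median absolute deviation of the gaps, relative to the median gap
        jitter = statistics.median([abs(g - interval) for g in gaps]) / interval
        bytes_out = sum(r["bytes_out"] for r in rows)
        bytes_in = sum(r["bytes_in"] for r in rows)
        no_sni = all(not r.get("sni") for r in rows)
        if jitter <= max_jitter and (no_sni or not require_no_sni):
            findings.append({"key": key, "count": len(rows), "interval_s": interval,
                             "jitter": round(jitter, 3), "no_sni": no_sni,
                             "out_in_ratio": round(bytes_out / max(bytes_in, 1), 2)})
    return findings

if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_CONNS):
        print(finding)
```

Feed it Sysmon Event ID 3 or DeviceNetworkEvents rows mapped onto the same keys; the low-jitter, no-SNI, request-heavy series is the one to pivot on against the host telemetry in 4.2.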
4.5 Example Queries

KQL (Microsoft 365 Defender Advanced Hunting):

```kusto
// Rundll32 executing a DLL from the user profile's Microsoft subfolder
DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has_any (@"AppData\Roaming\Microsoft\", @"%APPDATA%\Microsoft\")
| summarize count() by DeviceName, InitiatingProcessFileName, ProcessCommandLine, bin(Timestamp, 1h)

// Registry Run key persistence
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Run"
| where RegistryValueData has "rundll32.exe"
    and RegistryValueData has_any (@"AppData\Roaming\Microsoft", @"%APPDATA%\Microsoft")
| project Timestamp, DeviceName, RegistryValueName, RegistryValueData

// Named pipes: DeviceEvents records pipe activity as NamedPipeEvent with the pipe
// name in AdditionalFields; scope to the rundll32 stage rather than every pipe
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend PipeName = tostring(parse_json(AdditionalFields).PipeName)
| where InitiatingProcessFileName =~ "rundll32.exe"
    and InitiatingProcessCommandLine contains @"AppData\Roaming\Microsoft\"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, PipeName
```

Splunk SPL, rundll32 from the user profile:

```spl
(index=endpoint OR index=sysmon) (process_name=rundll32.exe OR Image="*\\rundll32.exe") CommandLine="*\\AppData\\Roaming\\Microsoft\\*"
| bin _time span=1h
| stats count by _time, host, parent_process_name, process_name, CommandLine
```

Splunk SPL, registry Run key writes (Sysmon EID 13):

```spl
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13 TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"
| search Details="*rundll32.exe*" AND Details="*\\AppData\\Roaming\\Microsoft\\*"
| table _time, host, User, TargetObject, Details
```

5. Mitigation and Prevention

- Email controls: block risky attachment classes (JS/WSF/HTA/XLL), detonate OneNote/PDF/HTML in a sandbox, and aggressively rewrite/strip URLs in replies (thread-hijack).
- Script constraining: WDAC/AppLocker or Intune ASR to restrict wscript.exe, mshta.exe, XLL loading, and HTML smuggling outcomes.
- Office hardening: disable XLL add-ins from the internet; block OneNote from launching embedded executables/MSI where feasible.
- EDR prevention: block rundll32 loading from user-writeable paths; alert on DLL execution under %APPDATA%\Microsoft\.
- Network: egress filtering by application, TLS inspection for unknown destinations, and continuous beaconing analytics.
- User awareness: train for thread-hijack cues (context mismatch, unexpected “RE:” with archives/links).

6. Impact / Implications

QakBot’s value was initial access at scale and rapid monetization via credential theft and loader delivery. Even after the infrastructure disruption, the attack chains live on: multiple crimeware crews have swapped in other loaders (DarkGate, Pikabot) but kept the same thread-hijack + HTML/OneNote playbooks. Organizations that hardened specifically against “QakBot” indicators but not against the behavioral TTPs remain exposed.

7. Conclusion

Treat QakBot less as a single family and more as a pattern: malspam with thread hijacking, script-to-DLL staging, user-writeable persistence via Run keys and tasks, and stealthy TLS C2. Bake the artifacts and detections above into your SIEM/EDR, and you’ll blunt both legacy QakBot and its successors.

8. FAQ

Q: Didn’t QakBot get taken down?
A: Yes: major infrastructure was disrupted in late August 2023 and IOCs were published. But the tradecraft (delivery and execution techniques) continues to be reused by other loaders, so detections remain relevant.

Q: What single control blocks the most QakBot-style attacks?
A: Email and script-execution controls: block internet-origin XLL/JS/WSF/HTA, inspect HTML smuggling, and restrict rundll32 execution from user-writeable paths.

Q: Which artifacts should I triage first on a suspect host?
A: The Run key and the encrypted config under HKCU\Software\Microsoft\..., the %APPDATA%\Microsoft\<random>\ DLL path, and any random-name scheduled tasks created near the first-seen time.