S0650: QakBot
Analyst context for executives and security teams
QakBot matters because ATT&CK describes it as a long-running, modular Windows banking trojan that evolved into a delivery agent for ransomware, including ProLock and Egregor. For leaders, the key decision value is not just “malware prevention”; it is whether the organization can quickly recognize a Windows endpoint moving from infection into discovery, credential collection, persistence, command-and-control, and potential ransomware staging behavior.
Executive priority
Prioritize QakBot as a resilience and incident-readiness test case for Windows environments. The supplied relationships connect it to financially motivated activity, email-based distribution context through TA551, initial access broker context through TA577, and ransomware-linked ecosystem context through Storm-1811. Executives should ask whether SOC, identity, endpoint, email/web, and incident response teams can prove coverage for the behaviors ATT&CK associates with this malware: obfuscation, WMI execution, scheduled tasks, process injection, discovery, keylogging, local data collection, and exfiltration over C2.
Technical view
ATT&CK lists QakBot for Windows and provides no official detection text, so defenders should validate behavior-based coverage from the related techniques rather than rely on the malware name alone. Focus testing and hunts on Windows execution and persistence via WMI and Scheduled Task, stealth via obfuscated files, packing, binary padding, masqueraded file types, command obfuscation, fileless storage, and process injection/process hollowing. Discovery coverage should include application windows, user context, network configuration, internet connectivity, remote systems, and network connections. Collection and credential-risk coverage should include local data access and keylogging indicators, with network analytics for exfiltration over an existing C2 channel.
Likely telemetry
- Windows endpoint process creation, parent/child process, command-line, and script execution telemetry
- WMI activity and remote/local WMI execution records
- Windows Scheduled Task creation, modification, and execution events
- Endpoint file metadata, file writes, suspicious extensions or file-type mismatches, packed or padded binaries, and obfuscation indicators
- Memory and EDR telemetry relevant to process injection or process hollowing
Detection direction
- Do not depend on static QakBot indicators alone; ATT&CK relationships show multiple obfuscation and evasion behaviors that can change file appearance and weaken hash-based controls.
- Validate Windows behavior detections for WMI execution, scheduled task abuse, suspicious process injection or hollowing, and command obfuscation.
- Correlate discovery behaviors that may be individually noisy: user discovery, network configuration discovery, internet connectivity checks, remote system discovery, application window discovery, and network connection enumeration.
- Tune detections around legitimate administration activity, especially WMI, scheduled tasks, and network discovery commands, by using baselines for expected administrative accounts, hosts, and maintenance windows.
- Confirm visibility into collection and credential-risk behaviors such as local data access and keylogging-related signals; absence of this telemetry should be documented as a response limitation.
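As an added illustration of the correlation and tuning points above (not code from the ATT&CK page or from MITRE), the following script groups individually noisy Windows discovery commands per host and user, alerts only when several distinct discovery behaviours land inside a short window, and suppresses pairs covered by an administrative baseline. The event fields, command-to-behaviour mapping, thresholds, baseline accounts and sample events are all constructed assumptions.

```python
# Added example: correlate noisy discovery commands per host/user and
# tune out baselined administration. Event format, mapping, thresholds
# and sample events are constructed assumptions, not real telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of (image name, argument fragment) to a discovery behaviour.
DISCOVERY = {
    "user": [("whoami.exe", "")],
    "net_config": [("ipconfig.exe", "/all")],
    "remote_hosts": [("net.exe", "view"), ("nltest.exe", "/domain_trusts")],
    "connections": [("netstat.exe", "-nao")],
    "local_groups": [("net.exe", "localgroup")],
}
# Assumed tuning baseline: accounts and hosts where such commands are routine.
ADMIN_ACCOUNTS = {"CORP\\svc-sccm", "CORP\\ops-admin"}
ADMIN_HOSTS = {"JUMP01"}
WINDOW = timedelta(minutes=10)
MIN_CATEGORIES = 3


def classify(image, cmdline):
    """Return the discovery category of one process-creation event, or None."""
    name = image.rsplit("\\", 1)[-1].lower()
    for category, patterns in DISCOVERY.items():
        if any(name == exe and frag in cmdline.lower() for exe, frag in patterns):
            return category
    return None


def correlate(events):
    """Return (host, user, categories) for each host/user pair that runs at least
    MIN_CATEGORIES distinct discovery behaviours inside WINDOW, baseline excluded."""
    hits = defaultdict(list)
    for event in events:
        cat = classify(event["image"], event["cmdline"])
        if cat:
            key = (event["host"], event["user"])
            hits[key].append((datetime.fromisoformat(event["ts"]), cat))
    alerts = []
    for (host, user), seq in hits.items():
        if user in ADMIN_ACCOUNTS or host in ADMIN_HOSTS:
            continue  # expected administration: tuned out rather than alerted
        seq.sort()
        for i, (start, _) in enumerate(seq):
            cats = {c for t, c in seq[i:] if t - start <= WINDOW}
            if len(cats) >= MIN_CATEGORIES:
                alerts.append((host, user, tuple(sorted(cats))))
                break  # one alert per host/user pair
    return alerts


def make_event(ts, host, user, exe, cmdline):
    """Build one constructed Sysmon-style process-creation record (not a real log)."""
    return {"ts": ts, "host": host, "user": user,
            "image": "C:\\Windows\\System32\\" + exe, "cmdline": cmdline}


SAMPLE_EVENTS = [  # constructed sample data
    make_event("2024-05-01T09:00:05", "WS042", "CORP\\jdoe", "whoami.exe", "whoami"),
    make_event("2024-05-01T09:00:09", "WS042", "CORP\\jdoe", "ipconfig.exe", "ipconfig /all"),
    make_event("2024-05-01T09:00:31", "WS042", "CORP\\jdoe", "net.exe", "net view /all"),
    make_event("2024-05-01T09:01:02", "WS042", "CORP\\jdoe", "netstat.exe", "netstat -nao"),
    # the same burst from a baselined admin on a jump host: suppressed
    make_event("2024-05-01T09:00:05", "JUMP01", "CORP\\ops-admin", "whoami.exe", "whoami"),
    make_event("2024-05-01T09:00:09", "JUMP01", "CORP\\ops-admin", "ipconfig.exe", "ipconfig /all"),
    make_event("2024-05-01T09:00:31", "JUMP01", "CORP\\ops-admin", "net.exe", "net view /all"),
    # a lone whoami on another workstation: below the correlation threshold
    make_event("2024-05-01T11:15:00", "WS077", "CORP\\asmith", "whoami.exe", "whoami"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("discovery burst:", alert)
```

Only the unbaselined workstation burst produces an alert; the same command sequence from the jump-host admin account is suppressed by the baseline rather than by a weaker rule.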
Mitigation priorities
- Harden and monitor Windows execution paths most relevant to the supplied relationships: WMI, Scheduled Task, script/command execution, and suspicious child-process chains.
- Reduce delivery and evasion risk with layered email/web controls, attachment and HTML handling policies, and endpoint controls that inspect behavior rather than only file hashes.
- Limit blast radius through least privilege, administrative account separation, and controls that reduce the value of captured credentials or keystrokes.
- Improve endpoint resilience with EDR coverage capable of observing process injection, process hollowing, fileless storage, and suspicious persistence activity.
- Segment critical systems and monitor internal discovery so a compromised Windows host cannot easily map or reach high-value systems.
Analyst notes and limits
This take is based on ATT&CK S0650 QakBot version 1.3 and the supplied relationships. The most decision-relevant point is QakBot’s evolution from banking trojan to ransomware delivery agent and its mapped behaviors across discovery, stealth, execution, persistence, collection, credential access, and exfiltration. Because ATT&CK provides no official detection section for this object, coverage should be proven with local telemetry and behavior validation.
The supplied object lists Windows as the QakBot platform but does not specify tactics on the malware object itself and provides no official detection guidance. Related techniques include platforms beyond Windows, but those broader platforms should not be assumed for QakBot without additional evidence. This summary does not establish current activity, customer exposure, or guaranteed detection coverage.
QakBot
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1218.010 | Regsvr32 Sub-technique | QakBot can use Regsvr32 to execute malicious DLLs. (Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Trend Micro Black Basta October 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Deep Instinct Black Basta August 2022) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | QakBot has placed its payload in hidden subdirectories. (Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1497.001 | System Checks Sub-technique | QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found. (Citation: Trend Micro Qakbot May 2020)(Citation: ATT QakBot April 2021) |
| Enterprise | T1018 | Remote System Discovery | QakBot can identify remote systems through the |
| Enterprise | T1005 | Data from Local System | QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated. (Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1090.002 | External Proxy Sub-technique | QakBot has a module that can proxy C2 communications. (Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1059.001 | PowerShell Sub-technique | QakBot can use PowerShell to download and execute payloads. (Citation: Group IB Ransomware September 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | QakBot can use cmd.exe to launch itself and to execute multiple C2 commands. (Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | QakBot can identify the installed antivirus product on a targeted system. (Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1106 | Native API | QakBot can use |
| Enterprise | T1027.001 | Binary Padding Sub-technique | QakBot can use large file sizes to evade detection. (Citation: Trend Micro Qakbot May 2020)(Citation: Group IB Ransomware September 2020) |
| Enterprise | T1543.003 | Windows Service Sub-technique | QakBot can remotely create a temporary service on a target host. (Citation: NCC Group Black Basta June 2022) |
| Enterprise | T1568.002 | Domain Generation Algorithms Sub-technique | QakBot can use domain generation algorithms in C2 communication. (Citation: Trend Micro Qakbot May 2020) |
| Enterprise | T1685 | Disable or Modify Tools | QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list. (Citation: Group IB Ransomware September 2020) |
| Enterprise | T1083 | File and Directory Discovery | QakBot can identify whether it has been run previously on a host by checking for a specified folder. (Citation: ATT QakBot April 2021) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | QakBot can maintain persistence by creating an auto-run Registry key. (Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Group IB Ransomware September 2020) |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | QakBot can store its configuration information in a randomly named subkey under |
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon. (Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1135 | Network Share Discovery | QakBot can use |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | QakBot can use process hollowing to execute its main payload. (Citation: ATT QakBot April 2021) |
| Enterprise | T1059.007 | JavaScript Sub-technique | The QakBot web inject module can inject JavaScript into web banking pages visited by the victim. (Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1218.007 | Msiexec Sub-technique | QakBot can use MSIExec to spawn multiple cmd.exe processes. (Citation: Crowdstrike Qakbot October 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | QakBot can deobfuscate and re-assemble code strings for execution. (Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns. (Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | QakBot has gained execution through users opening malicious links. (Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1124 | System Time Discovery | QakBot can identify the system time on a targeted host. (Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1204.002 | Malicious File Sub-technique | QakBot has gained execution through users opening malicious attachments. (Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Deep Instinct Black Basta August 2022)(Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | QakBot can send stolen information to C2 nodes including passwords, accounts, and emails. (Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1033 | System Owner/User Discovery | QakBot can identify the user name on a compromised system. (Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1027.006 | HTML Smuggling Sub-technique | QakBot has been delivered in ZIP files via HTML smuggling. (Citation: Trend Micro Black Basta October 2022)(Citation: Deep Instinct Black Basta August 2022) |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | QakBot can measure the download speed on a targeted host. (Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | QakBot can RC4 encrypt strings in C2 communication. (Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | QakBot can use obfuscated and encoded scripts. (Citation: Cyberint Qakbot May 2021)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | QakBot has the ability to use HTTP and HTTPS in communication with C2 servers. (Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1553.002 | Code Signing Sub-technique | QakBot can use signed loaders to evade detection. (Citation: ATT QakBot April 2021)(Citation: Deep Instinct Black Basta August 2022) |
| Enterprise | T1027 | Obfuscated Files or Information | QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells. (Citation: Cyberint Qakbot May 2021) |
| Enterprise | T1210 | Exploitation of Remote Services | QakBot can move laterally using worm-like functionality through exploitation of SMB. (Citation: Crowdstrike Qakbot October 2020) |
| Enterprise | T1057 | Process Discovery | QakBot has the ability to check running processes. (Citation: ATT QakBot April 2021) |
| Enterprise | T1069.001 | Local Groups Sub-technique | QakBot can use |
| Enterprise | T1574.001 | DLL Sub-technique | QakBot has the ability to use DLL side-loading for execution. (Citation: Deep Instinct Black Basta August 2022) |
| Enterprise | T1016 | System Network Configuration Discovery | QakBot can use |
| Enterprise | T1539 | Steal Web Session Cookie | QakBot has the ability to capture web session cookies. (Citation: Kroll Qakbot June 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1055 | Process Injection | QakBot can inject itself into processes including explore.exe, Iexplore.exe, Mobsync.exe, and wermgr.exe. (Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1482 | Domain Trust Discovery | QakBot can run |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | QakBot has stored stolen emails and other data into new folders prior to exfiltration. (Citation: Kroll Qakbot June 2020) |
| Enterprise | T1110 | Brute Force | QakBot can conduct brute force attacks to capture credentials. (Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1553.005 | Mark-of-the-Web Bypass Sub-technique | QakBot has been packaged in ISO files in order to bypass Mark of the Web (MOTW) security measures. (Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1185 | Browser Session Hijacking | QakBot can use advanced web injects to steal web banking credentials. (Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | The QakBot dropper can delay dropping the payload to evade detection. (Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | QakBot has the ability to download additional components and malware. (Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020) |
| Enterprise | T1120 | Peripheral Device Discovery | QakBot can identify peripheral devices on targeted systems. (Citation: Trend Micro Qakbot May 2020) |
| Enterprise | T1095 | Non-Application Layer Protocol | QakBot has the ability to use TCP to send or receive C2 packets. (Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | QakBot has spread through emails with malicious links. (Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1027.005 | Indicator Removal from Tools Sub-technique | QakBot can make small changes to itself in order to change its checksum and hash value. (Citation: Crowdstrike Qakbot October 2020)(Citation: Cyberint Qakbot May 2021) |
| Enterprise | T1112 | Modify Registry | QakBot can modify the Registry to store its configuration information in a randomly named subkey under |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | QakBot has spread through emails with malicious attachments. (Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Deep Instinct Black Basta August 2022)(Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1056.001 | Keylogging Sub-technique | QakBot can capture keystrokes on a compromised host. (Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1091 | Replication Through Removable Media | QakBot has the ability to use removable drives to spread through compromised networks. (Citation: Trend Micro Qakbot May 2020) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | QakBot can Base64 encode system information sent to C2. (Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | QakBot can use VBS to download and execute malicious files. (Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1082 | System Information Discovery | QakBot can collect system information including the OS version and domain on a compromised host. (Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Group IB Ransomware September 2020)(Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1047 | Windows Management Instrumentation | QakBot can execute WMI queries to gather information. (Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1010 | Application Window Discovery | QakBot has the ability to enumerate windows on a compromised host. (Citation: ATT QakBot April 2021) |
| Enterprise | T1518 | Software Discovery | QakBot can enumerate a list of installed programs. (Citation: Group IB Ransomware September 2020) |
| Enterprise | T1049 | System Network Connections Discovery | QakBot can use |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | QakBot has the ability to create scheduled tasks for persistence. (Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | QakBot has used Rundll32.exe to drop malicious DLLs including Brute Ratel C4 and to enable C2 communication. (Citation: Crowdstrike Qakbot October 2020)(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1572 | Protocol Tunneling | The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol. (Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | QakBot has collected usernames and passwords from Firefox and Chrome. (Citation: Kaspersky QakBot September 2021) |
| Enterprise | T1027.002 | Software Packing Sub-technique | QakBot can encrypt and pack malicious payloads. (Citation: Cyberint Qakbot May 2021) |
| Enterprise | T1070.004 | File Deletion Sub-technique | QakBot can delete folders and files including overwriting its executable with legitimate programs. (Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Group IB Ransomware September 2020) |
Groups, software, and campaigns
G0127: TA551
G1037: TA577
TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.[1]
G1046: Storm-1811
Storm-1811 is a financially motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.3 |  | Current bundle | dba2548fa183… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Trend Micro Qakbot December 2020: Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024.
- [2] Red Canary Qbot: Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
- [3] Kaspersky QakBot September 2021: Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- [4] ATT QakBot April 2021: Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
- [5] Pinkslipbot (associated software name): (Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)
- [6] QBot (associated software name): (Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)
- [7] QuackBot (associated software name): (Citation: Kaspersky QakBot September 2021)
- [8] mitre-attack S0650
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.