QakBot Threat Actors: Ransom Knight And Remcos RAT Attacks

Wajahat Raja

October 19, 2023 - TuxCare expert team

In the ever-evolving landscape of cyber threats, a familiar adversary has reared its head once again. QakBot, a well-known malware and botnet operator with a long history, has returned, displaying its tenacity in the aftermath of a global operation that destroyed some of its server infrastructure. This revival is accompanied by a concerning trend: QakBot’s association with an ongoing phishing campaign that has been disseminating the Remcos remote access trojan (RAT) and Ransom Knight ransomware since August. This blog delves into the recent activities of QakBot threat actors, shedding light on its connection to these malicious campaigns and the potential implications for the cybersecurity landscape.


Unveiling QakBot Threat Actors Return

Despite substantial infrastructural disruptions, QakBot’s operators have shown themselves to be resourceful. They have been actively participating in a phishing effort since early August 2023, culminating in the distribution of Ransom Knight ransomware (also known as Cyclops) and Remcos RAT.

It’s worth noting that the enforcement operation seems to have only affected QakBot’s command-and-control (C2) servers, leaving the spam delivery infrastructure unaffected. According to a recent report, this revelation stems from research undertaken by Guilherme Venere, a cybersecurity expert at Cisco Talos.

Affiliation with Moderate Confidence

With moderate confidence, cybersecurity experts link this ongoing campaign to QakBot affiliates. Importantly, there is no evidence that the threat actors continued the distribution of the QakBot malware loader after the infrastructure was taken down. This calls into question their strategic objective and whether they have changed their focus to newer, more devious tactics.

The QakBot Journey

When formulating a robust security response to QakBot and Remcos RAT attacks, it is imperative to stay informed about the evolving tactics and strategies employed by these threat actors. QakBot, also known as QBot and Pinkslipbot, made its first appearance in 2007 as a Windows-based banking trojan. It evolved over time to transmit new payloads, including ransomware. However, in late August 2023, during an operation aptly dubbed Duck Hunt, this legendary malware operation suffered a serious setback, indicating the authorities’ desire to halt its activities.

The Recent Campaign

In the realm of cybersecurity, cyber threat attribution to QakBot has become a critical concern for organizations worldwide. The newest wave of activity, which began shortly before the infrastructure takedown, is normally initiated by a rogue LNK file. This file is frequently sent via phishing emails. When activated, it starts the infection process, which results in the deployment of Ransom Knight ransomware. Ransom Knight is a recent rebranding of the Cyclops ransomware-as-a-service (RaaS) scheme that emphasizes cyber threat evolution.

Remcos RAT cyberattacks linked to QakBot, in addition to Ransom Knight, have become an essential aspect of this campaign. The ZIP folders containing the LNK files were found to include Excel add-in (.XLL) files. These files are used to spread the Remcos RAT, which gives threat actors continuous backdoor access to compromised endpoints. The use of Remcos RAT emphasizes the intricacy of this campaign.

The usage of file names written in Italian is an unusual component of this strategy. This indicates a targeted effort, with threat actors targeting users in the Italian-speaking region. Their target specificity implies a level of strategic intent that goes beyond opportunistic attacks.
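The delivery pattern described in this section (a phishing ZIP carrying an LNK shortcut alongside Excel add-in .XLL files) can be screened for at a mail gateway or during attachment triage. The Python below is an added example, not code from Cisco Talos or the cited sources; the function names and the sample archive, including its file names, are constructed for illustration.

```python
import io
import struct
import zipfile

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 ([MS-SHLLINK] section 2.1).
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")

def classify_member(name, head):
    """Return 'lnk', 'xll' or None for one archive member."""
    if head.startswith(LNK_MAGIC):
        return "lnk"  # content match also catches shortcuts with a changed extension
    lower = name.lower()
    if lower.endswith(".lnk"):
        return "lnk"
    if lower.endswith(".xll"):
        return "xll"  # Excel add-in (a DLL loaded by Excel), flagged by extension
    return None

def triage_zip(data):
    """List LNK and XLL members of a ZIP and decide whether to quarantine it."""
    findings = {"lnk": [], "xll": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = b""
            # Encrypted members cannot be read without the password: name check only.
            if not info.flag_bits & 0x1:
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            kind = classify_member(info.filename, head)
            if kind:
                findings[kind].append(info.filename)
    findings["quarantine"] = bool(findings["lnk"] or findings["xll"])
    return findings

def build_sample_zip():
    """Constructed sample archive: placeholder bytes only, invented file names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fattura.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("documenti/ordine.xll", b"MZ" + b"\x00" * 62)
        zf.writestr("scansione.jpg", LNK_MAGIC + b"\x00" * 56)  # shortcut, wrong extension
        zf.writestr("leggimi.txt", b"testo")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```
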

QakBot Malware Group Investigations


Despite its infrastructural problems, experts warn that QakBot should not be overlooked. “Though we have not seen the threat actors distributing QakBot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward,” says Guilherme Venere of Cisco Talos. “Given that the operators are still active, they may decide to rebuild Qakbot infrastructure in order to restore full pre-takedown activities.” This emphasizes the significance of remaining vigilant in the face of evolving threats.

Expanding Arsenal

Surprisingly, this assault cycle does not stop with the deployment of Ransom Knight and Remcos RAT. Other malware, such as DarkGate, MetaStealer, and RedLine Stealer, has been delivered using the same infrastructure. The scope of this activity is difficult to nail down, but QakBot’s distribution network has continually demonstrated its worth. It has targeted victims not only in Italy but also in Germany and English-speaking countries, demonstrating the campaign’s global reach.


Ransomware campaigns by QakBot actors, as well as their connection to the spread of Ransom Knight and Remcos RAT, serve as a sharp reminder of the ever-changing danger that organizations and individuals face. Despite the fact that its infrastructure has been targeted by law enforcement, QakBot’s threat actors remain active and flexible.

As their strategies and targets evolve, cybersecurity experts and organizations must remain watchful, strengthening their defenses to combat this and other emerging threats. Staying one step ahead of threats in a digital world that is continuously evolving is critical to maintaining a secure online environment.

The sources for this piece include articles in The Hacker News and SC Media.

