On October 5, 2023, the cybersecurity firm Cisco Talos reported that it had evidence of continued activity from the cybercriminals behind the Qakbot botnet, even though a major international law enforcement operation led by Germany, the United States, France and the Netherlands had dismantled the botnet's infrastructure at the end of August 2023.
According to Cisco Talos, the group is currently running a phishing campaign that attempts to spread the Ransom Knight ransomware and the Remcos Trojan. Researchers identified metadata in the current campaign that is identical to that of past Qakbot attacks.
“The activity seems to have started before the FBI seized Qakbot’s infrastructure at the end of August, and has since been ongoing,” Cisco Talos explains. According to the firm, this suggests that “the law enforcement operation may not have reached the spam distribution infrastructure of Qakbot operators, but only their command and control servers (C2).”
Nevertheless, Cisco Talos points out that no new Qakbot malware rollout has been reported since the takedown. Still, the firm believes that “the malware will continue to pose a significant threat in the future. This is all the more likely since the developers have not been arrested and are still operational, which raises the possibility that they might choose to rebuild Qakbot’s infrastructure.”