Banking trojan / Loader
QakBot
aka Qbot · QuakBot · Pinkslipbot
A durable banking trojan turned modular loader and ransomware enabler, dismantled in 2023's Operation Duck Hunt but resurfacing afterward.
QakBot (Qbot) is one of the longest-lived crimeware families, active since ~2008. It began as a banking trojan and matured into a modular loader that steals credentials and email, hijacks message threads for convincing lures, and deploys Cobalt Strike and ransomware.
Role in ransomware
For years QakBot was a leading initial-access broker, opening the door to Black Basta, Conti and other ransomware. Its email thread-hijacking (replying within real stolen conversations) made its phishing unusually effective.
Operation Duck Hunt
In August 2023, the FBI-led Operation Duck Hunt seized QakBot's infrastructure and pushed an uninstaller to victims, removing it from ~700,000 machines. Smaller campaigns resurfaced afterward. The takedown is profiled on Cyber Breaches; a thread-hijacking analysis lives on the Reverse Engineering Hub.
Defense
Block malicious attachment types (OneNote, ISO, LNK), monitor for Cobalt Strike, and treat QakBot as pre-ransomware activity.
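As an added example (not part of the original profile), the attachment blocking above can key on file content rather than file name, because a renamed OneNote, ISO or LNK file keeps its signature. The function names, file names and sample message are constructed for illustration; the stubs are inert and carry only the signature bytes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# File signatures of the three attachment types named above.
ONENOTE_GUID = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # .one header GUID
LNK_HEADER = bytes.fromhex("4c0000000114020000000000c000000000000046")  # size + CLSID
ISO_MAGIC, ISO_OFFSETS = b"CD001", (0x8001, 0x8801, 0x9001)  # volume descriptors
BLOCKED_EXTENSIONS = (".one", ".iso", ".lnk")

def sniff(data):
    """Return 'onenote', 'lnk' or 'iso' if the bytes match, else None."""
    if data.startswith(ONENOTE_GUID):
        return "onenote"
    if data.startswith(LNK_HEADER):
        return "lnk"
    if any(data[o:o + 5] == ISO_MAGIC for o in ISO_OFFSETS):
        return "iso"
    return None

def scan_message(raw):
    """Return (filename, reason) for each attachment that should be blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        kind = sniff(part.get_payload(decode=True) or b"")
        if kind:
            hits.append((name, "content:" + kind))
        elif name.lower().endswith(BLOCKED_EXTENSIONS):
            hits.append((name, "extension"))
    return hits

def build_sample():
    """Constructed message: inert stubs that carry only the signatures."""
    msg = EmailMessage()
    msg.set_content("see attached")
    stubs = [
        ("notes.pdf", ONENOTE_GUID + b"\0" * 16),    # OneNote renamed to .pdf
        ("image.img", b"\0" * 0x8001 + ISO_MAGIC),   # ISO under another name
        ("report.txt", b"plain text"),               # benign, must pass
        ("shortcut.lnk", b"placeholder"),            # caught by extension only
    ]
    for name, data in stubs:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(*scan_message(build_sample()), sep="\n")
```

The check looks only at top-level attachments; files nested inside archives need the archive unpacked first.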