Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



QBot Malware Infects Over 800 Corporate Users in New, Ongoing Campaign

More than 800 corporate users have been infected in a new QBot malware distribution campaign since September 28, Kaspersky warns.

More than 800 corporate users have been infected in a new QBot malware distribution campaign since September 28, Kaspersky warns.

Also known as Qakbot and Pinkslipbot, QBot is an information stealer with backdoor and self-spreading capabilities that has been around since 2009 and which is often used as the initial infection vector in malicious attacks.

Earlier this year, QBot was distributed in attacks exploiting Follina, a Microsoft Support Diagnostic Tool (MSDT) vulnerability tracked as CVE-2022-30190, which leads to remote code execution.

Since 2020, one of the main infection methods employed by QBot’s operators has been the hijacking of email threads, a technique that has been used in multiple waves of attacks and which remains successful even today.

“Qbot steals email archives from infected devices and uses the stolen emails for subsequent mailings, with the acquired information being used to lure victims into opening those emails,” Kaspersky senior security researcher Victoria Vlasova explained in a conversation with SecurityWeek.

Between September 28 and October 7, Kaspersky observed close to 1,800 users being infected with QBot worldwide. More than half of the new victims are corporate users, Vlasova says.

According to the security researcher, the United States, Italy, Germany, and India are the countries targeted the most in this new campaign.

Out of a total of 220 victims in the United States, 95 are corporate users, potentially exposing their organizations to further malicious activity, including the distribution of ransomware and other malware families.

“Employees should be especially careful now when communicating in business correspondence so as not to accidentally open a malicious file with Qbot,” Vlasova points out.

Kaspersky could not confirm the number of potentially impacted organizations and the industries that have been affected the most in this campaign.

“Corporate users can be either one in a particular organization or several in one and we cannot tell the exact number of impacted organizations in this case either,” Vlasova noted.

Given that Kaspersky has provided infection details based on data collected by its security products only, the total number of new QBot infections might be much higher.

Related: New ‘Maggie’ Backdoor Targeting Microsoft SQL Servers

Related: New ‘Shikitega’ Linux Malware Grabs Complete Control of Infected Systems

Related: ‘Xenomorph’ Android Trojan Targets 56 Banking Applications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...