QakBot Resurfaces in New Phishing Campaigns Post-Takedown
QakBot has returned after law enforcement’s takedown. A new phishing campaign using PDF‑embedded MSI files and an upgraded BackConnect module highlight its evolving threat.

Though it seemed defeated, the QakBot trojan isn't gone; it has returned with renewed vigor. A major international crackdown in 2023 dismantled its infrastructure, but law enforcement action did not put it to rest permanently.
In December 2023, researchers spotted a new, low-volume phishing campaign targeting the hospitality sector. Attackers used spoofed emails posing as the IRS, attaching a PDF that, when opened, downloaded a digitally signed MSI installer - delivering a revived version of QakBot (v0x500).
The threat continues to evolve. In January 2025, cybersecurity teams discovered an enhanced BackConnect (BC) module linked to QakBot. This module, which features advanced remote access and persistence capabilities, operates like a standalone agent for follow-up activity on infected systems.
Why It Matters:
- Takedowns are not the end. Attackers quickly regroup, adapt, and return.
- New delivery methods. The shift from macro-laden files to MSI installers inside PDFs still bypasses security filters.
- Advanced post-infection tools. The updated BC module provides stealthy access and expands QakBot’s threat capabilities.
What You Should Do:
- Don’t trust attachments, even from seemingly official sources.
- Validate file origins and inspect digitally signed installers carefully.
- Fall back on safe habits - avoid opening risky attachments on high-value systems.
- Deploy behavior-based detection tools to catch unusual access patterns or persistence modules.
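
One way to apply the behavior-based detection advice above to this delivery chain, as an added example that is not from the original article: a Python triage over process-creation events (field names follow Sysmon's Image, CommandLine and ParentImage) that flags msiexec installs of packages sitting in user-writable folders. The parent-process list, the folder list and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed heuristics for this sketch; tune both lists to your environment.
VIEWER_PARENTS = {"acrord32.exe", "acrobat.exe", "msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
QUIET_SWITCH = re.compile(r"^[/-](q[nbr]?[+!-]*|quiet|passive)$", re.I)

def parse_msiexec(cmdline):
    """Return (package_path, quiet); quoted paths with spaces stay in one token."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    package, quiet = None, False
    for i, tok in enumerate(toks):
        if tok.lower() in ("/i", "-i", "/package", "-package") and i + 1 < len(toks):
            package = toks[i + 1]
        elif QUIET_SWITCH.match(tok):
            quiet = True
    return package, quiet

def triage(event):
    """Return the reasons an event deserves review; an empty list means no alert."""
    if ntpath.basename(event["Image"]).lower() != "msiexec.exe":
        return []
    package, quiet = parse_msiexec(event["CommandLine"])
    if not package or not USER_WRITABLE.search(package):
        return []
    reasons = ["package in user-writable path: " + package]
    if ntpath.basename(event["ParentImage"]).lower() in VIEWER_PARENTS:
        reasons.append("parent is a document viewer, browser or mail client")
    if quiet:
        reasons.append("installer UI suppressed")
    return reasons

# Constructed sample events (not real telemetry); user and file names are made up.
EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\front desk\Downloads\document.msi" /qn'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\ExampleDeploy\agent.exe",
     "CommandLine": r'msiexec.exe /i "C:\Program Files\ExampleDeploy\cache\update.msi" /quiet'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\front desk\Downloads\document.msi"'},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev) or "no alert", "<-", ev["CommandLine"])
```

A valid signature on the package does not clear an alert from this check; the signer still has to be a publisher you expect.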
Social Snippet:
QakBot is back - with a new phishing campaign and upgraded remote access modules. Stay alert and patch up your defenses.