Recent phishing campaigns have taken a page from the playbook of the defunct QakBot trojan, employing similar tactics in their approach. DarkGate and PikaBot, two malware families, are now being utilized in phishing campaigns, replicating methods that were previously characteristic of QakBot’s operations.
These strategies involve hijacking email threads for initial infections and utilizing URLs with unique patterns that restrict user access, closely mirroring QakBot’s delivery methods. Notably, the malware families involved in these campaigns closely resemble the types that were typically associated with QakBot-affiliated attacks, illustrating a resurgence of older attack methodologies in contemporary cybercrime.
The termination of QakBot, also known as QBot and Pinkslipbot, was a result of the coordinated law enforcement operation termed Operation Duck Hunt, conducted earlier in August. The reemergence of similar attack strategies using DarkGate and PikaBot doesn’t come as a surprise, given that both can serve as conduits to deliver additional payloads to compromised systems, making them an appealing choice for cybercriminals seeking to maximize the impact of their attacks.
Zscaler’s analysis of PikaBot in May 2023 had previously underscored its similarities to QakBot, emphasizing resemblances in distribution methods, campaigns, and malware behaviors.