The operators behind the QakBot malware have extended their reach by establishing 15 new command-and-control (C2) servers in their network, according to a recent report.
Team Cymru’s ongoing analysis of the malware’s infrastructure has unveiled this expansion, which comes shortly after Lumen Black Lotus Labs revealed the ephemeral nature of some C2 servers, with a quarter of them active for just a single day. QakBot has exhibited a history of slowing down during the summer months, leading experts to question whether this pause is an opportunity for the operators to enhance and update their tools.
QakBot’s C2 network employs a tiered architecture akin to other malware like Emotet and IcedID. The C2 nodes communicate with higher-level Tier 2 (T2) C2 nodes hosted on VPS providers in Russia. Most bot C2 servers, which facilitate communication with victim hosts, are located in India and the U.S.
The malware also uses a BackConnect (BC) server, alongside the C2 and Tier 2 C2 servers, that turns infected bots into proxies for other malicious activities.
Recent research from Team Cymru reveals a significant reduction in the number of existing C2s communicating with the T2 layer, a shift attributed in part to Black Lotus Labs’ null-routing of higher-tier infrastructure. Observations indicate a decline in U.S. C2 activity after June 2, potentially connected to null-routing the T2 layer. Despite this, six active C2 servers from before June and two that came online in June continue to exhibit activity.
Team Cymru notes that QakBot’s tactics inadvertently punish victims twice: first through the initial compromise, and then through the potential reputational risk of their hosts being identified as malicious. The null-routing strategy effectively cuts off communication to upstream servers, providing a layer of protection against compromise.