
Black Basta, QBot, aka Qakbot Ransomware Development – QakBot TTP evolution

Updated on 2022-12-29: FIN7 report

By far, the best infosec report of last week is Prodaft’s analysis of the FIN7 cybercrime cartel. The report covers the gang’s membership, various tools, and internal chat logs, including conversations where the FIN7 leaders threaten to hurt their members’ family members in case any of them want to leave their “enterprise.” Read more: [FIN7] Fin7 Unveiled: A deep dive into notorious cybercrime gang [PDF]

“Another shocking revelation clearly indicates that the group members are not always on good terms among themselves. It has been exposed that the administrator of the group threatens the team members by insisting that they have to work more while giving them ultimatums or even threatening to hurt their family members in case of resigning or escaping from responsibilities.”

FIN7 Team Structure

Updated on 2022-12-28

Threat actors used Black Basta ransomware to steal sensitive data from multiple electric utilities linked to the Chicago-based engineering firm Sargent & Lundy, which is also a major U.S. government contractor.

Updated on 2022-12-22

Prodaft discovered that the FIN7 group is using an automated attack system that abuses Microsoft Exchange and SQL injection flaws to breach corporate networks, pilfer data, and choose targets for ransomware attacks.

Updated on 2022-12-16

Cisco Talos is seeing the Qakbot botnet utilize SVG images and HTML smuggling in its recent malspam operations.

Updated on 2022-12-15

Cisco Talos researchers spotted a phishing campaign delivering the QBot malware leveraging a new tactic using Scalable Vector Graphics (SVG) images embedded in HTML email attachments. Read more: HTML smugglers turn to SVG images

Phishing campaign delivering the QBot malware

Updated on 2022-12-13: Black Basta profile

If you’re looking for a threat actor profile on the Black Basta gang, InQuest has put out one this week. Read more: Black Basta: Riding the Crimeware Sleigh

Updated on 2022-12-05

Here’s one more report on QakBot, this time from Splunk. Read more: From Macros to No Macros: Continuous Malware Improvements by QakBot

Updated on 2022-12-02

Zscaler has a breakdown of updates to the code of the Black Basta ransomware during November 2022. These include changes to the ransomware’s file encryption algorithms, the introduction of stack-based string obfuscation, and the use of per-victim file extensions. Zscaler researchers believe the modifications are an attempt to better evade antivirus and EDR solutions. Read more: Back in Black… Basta

Compares the features between BlackBasta version 1.0 and 2.0

Updated on 2022-12-01: QakBot TTP evolution

A yummy report from Tidal on how QakBot TTPs have evolved over the past year. Read more: Identifying and Defending Against QakBot’s Evolving TTPs

QakBot's TTP Evolution

Updated on 2022-11-25: Black Basta + Qakbot

Cybereason researchers are reporting on malware infection killchains where victims were initially infected with the Qakbot trojan before they got ransomed by the Black Basta ransomware crew. Read more: THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies

“To make the recovery more difficult, the threat actor also locked the victim out of the network by disabling DNS services. We observed this tactic used on more than one victim.”

Updated on 2022-11-20

Securonix researchers have published a report on the recent updates to the QakBot (Qbot) malware code. For the technical only. Read more: Securonix Threat Labs Security Advisory: Qbot/QakBot Malware’s New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload

Updated on 2022-11-18

Phishing emails deploying QBot have resorted to abusing a DLL hijacking vulnerability in Windows 10 Control Panel, as a means to evade detection by security solutions. Read more: QBot phishing abuses Windows Control Panel EXE to infect devices

Updated on 2022-11-04: Black Basta linked to FIN7

In a report on Thursday, SentinelOne researchers linked the Black Basta ransomware operation, which launched in April 2022, to the FIN7 cybercrime cartel. Previously, in a report last year, Microsoft said that a FIN7 subgroup, named Elbrus, created and ran the Darkside and BlackMatter RaaS operations as well. Read more: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor

Updated on 2022-11-03

Sentinel Labs researchers linked the Black Basta ransomware gang to FIN7, based on Black Basta's use of an EDR evasion tool developed by FIN7. Read more: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor

Updated on 2022-10-31

QAKBOT: Trend Micro has a report out on the QAKBOT trojan and its use of valid certificates to sign some of its modules, a technique the botnet has used all summer long. Read more: Where is the Origin?: QAKBOT Uses Valid Code Signing

“A look at the abused certificates also reveals that they were not issued to non-existent organizations for abuse, but rather valid certificates issued to real existent organizations through proper process.”

Updated on 2022-10-27

The ASEC analysis team discovered Qakbot being distributed to Korean users via ISO files, with a new detection bypass mechanism. Its distribution process is the same as that of IcedID and Bumblebee, i.e., hijacking email threads. Read more: Qakbot Malware Being Distributed in Korea

Updated on 2022-10-24: Black Basta ransomware

Check Point has a technical breakdown of the Black Basta ransomware code. Read more: Black Basta and the Unnoticed Delivery

Updated on 2022-10-17: QBot infects over 800 corporate users in new, ongoing campaign

Kaspersky is warning that QBot, aka Qakbot, an information stealer with a backdoor and self-spreading capabilities, has infected at least 800 corporate users in the U.S., Germany, Italy and India, since late-September. QBot exploited the Follina vulnerability earlier this year, but the malware is also known to hijack email threads in an effort to trick unsuspecting victims into downloading and installing the malware. Keep an eye out for suspicious emails. Read more: QBot Malware Infects Over 800 Corporate Users in New, Ongoing Campaign

Updated on 2022-10-14: Black Basta via QAKBOT

A Trend Micro report describes how recent infections with the QAKBOT malware deploy Brute Ratel or Cobalt Strike payloads within minutes of entering a system. Trend Micro linked these attacks to the threat actor behind the Black Basta ransomware. Read more: Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike

The intrusion timeline for the attack of Black Basta via QAKBOT

Updated on 2022-10-12

A Trend Micro investigation revealed that the Black Basta ransomware gang has adopted the QAKBOT-to-Brute Ratel-to-Cobalt Strike kill chain, as their TTPs and infrastructure overlapped with each other. Read more: Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike

Updated on 2022-09-28

A U.S. subsidiary of Elbit Systems confirmed suffering a ransomware attack, months after the Black Basta ransomware group listed it on its leak site as one of its victims. The data compromised included employee names, addresses, SSNs, dates of birth, direct deposit information, and ethnicity. However, documents shared by the attackers as proof of the hack contained confidentiality agreements, an audit report, and a payroll report.

Updated on July 2022

A Trend Micro report details new tactics employed by Black Basta affiliates, who are now using the QakBot trojan for initial access into corporate networks and the PrintNightmare vulnerability to expand their access.

Qakbot evolves

Security researchers from Zscaler said in a report this week that the rising number of infections seen in recent months from the Qakbot (QBot, QuackBot, Pinkslipbot) botnet can be traced back to the deployment of several new detection evasion techniques. These include the use of ZIP files to hide payloads, new code obfuscation methods, and the use of unknown file extensions (OCX, ooccxx, dat, or gyp) to deliver payloads.

Updated on June 2022

Security firm Cybereason has published a report on the Black Basta ransomware. The report echoes previous findings from IBM X-Force, Trend Micro, and NCC Group, including that Black Basta members are connected to the now-defunct Conti gang, something the Conti group tried to “formally deny” a few weeks back.

NCC Group researchers have published a technical report on the operations of the Black Basta ransomware. Trend Micro and IBM also published reports on the same gang in previous weeks. NCC Group’s findings confirm Trend Micro’s assessment that many Black Basta infections originate from initial infections with the QakBot trojan. In addition, Uptycs also published its own report on this ransomware strain, analyzing the Linux version of the ransomware that can target VMWare ESXi servers.

Updated on May 2022

IBM’s X-Force team has a technical report out on the Black Basta ransomware. Also, check out a similar report from Trend Micro.

Trend Micro has published a report on the new Black Basta ransomware operation, believed to have splintered off from the old Conti gang.

Updated on March 2022: Qakbot is Hijacking eMail Threads

According to a report from Sophos, the Qakbot botnet is now hijacking email conversations to spread malware. The malware operators inject messages into existing email threads in an attempt to trick users into downloading the malware. Qakbot has been known since 2008, when it was a Trojan designed to steal bank account access credentials.


  • Qakbot operates on the endpoint, stealing credentials for accessing email, as well as for accessing websites where it uploads its malware payloads to help spread itself or add functions on behalf of other malicious actors. Enable MFA on your email accounts and make sure authentication tokens expire, triggering re-authentication. Do not allow reusable passwords when accessing services from non-corporate systems or the Internet.
  • Qakbot focuses on initial access and brokers that access to other threat actors with varying objectives, spanning from ransomware to intellectual property theft. Keeping up with the latest tactics, techniques, and procedures is important so your organization can test, measure, and improve its detection and response.



The American subsidiary of Elbit Systems disclosed suffering a data breach after the Black Basta ransomware gang claimed responsibility. The data breach occurred on June 08 and affected 369 people. Read more: Defense firm Elbit Systems of America discloses data breach

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
