Key points
- Qakbot changed initial-access tactics in 2023 from Office macros to OneNote files, Mark-of-the-Web evasion, and HTML smuggling to bypass restrictions.
- OneNote campaigns produced major bot recruitment peaks in Jan–Feb 2023, and an HTML smuggling campaign caused another peak in March 2023.
- Operators conceal C2 infrastructure in compromised web servers and residential (ISP-issued dynamic) IP ranges rather than relying solely on VPS hosting.
- Qakbot rapidly converts infected hosts into C2s or proxies; Black Lotus Labs observed 70–90 new C2s over seven-day cycles and high churn (25% inactive within one day, 50% within a week).
- Infected bots transmit most useful data quickly—about half on day one and nearly 90% by day seven—allowing operators to load additional malware or repurpose hosts.
- A backconnect server and a tiered C2 architecture (Tier 1 residential C2s and Tier 2 VPS-hosted nodes) enable resiliency and complicate mitigation; Lumen telemetry can identify many C2s before campaign use.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Use of macro-based Office documents as initial access: ‘macro-based exploitation in Microsoft Office documents’
- [T1204.002] User Execution: Malicious File – Socially engineered email attachments delivering payloads that ‘drop malicious files that infect Windows hosts.’
- [T1105] Ingress Tool Transfer – Use of HTML smuggling to deliver payloads to victims: ‘HTML smuggling techniques.’
- [T1027] Obfuscated Files or Information – Use of Mark of the Web evasion and other obfuscation to bypass defenses: ‘Mark of the Web evasion and HTML smuggling techniques.’
- [T1071] Application Layer Protocol – C2 communications hidden in compromised web servers and residential IPs: ‘hide their C2s in compromised web servers and hosts existing in the residential IP space.’
- [T1041] Exfiltration Over C2 Channel – Rapid data transmission to C2s shortly after infection: ‘a bot transmits about half of all the data it will ever send to a C2. By day seven, the number gets close to 90%.’
Indicators of Compromise
- [File types] Malicious attachments used for initial access – OneNote files (.one), Microsoft Office documents with macros (.doc, .docm) delivered via email attachments.
- [Delivery technique] HTML-smuggled payloads and embedded URLs – referenced in the March 2023 HTML smuggling campaign and as embedded links in spam emails.
- [IP addresses/C2 nodes] Residential IP ranges and compromised web servers – Tier 1 C2 nodes observed in ISP-issued dynamic/residential IP space; Tier 2 C2s hosted on VPS providers.
- [Server] Backconnect server behavior – a server observed interacting only with bots hours after infection and often used to turn bots into proxies.
- [Repository] Higher-tier infrastructure listing – article references a GitHub list of higher-tier infrastructure used by Qakbot (see source for link).
Qakbot adapted its delivery and access chain in 2023 by abandoning much macro-based Office exploitation after Microsoft restricted macros and instead leveraging OneNote attachments, Mark-of-the-Web (MOTW) evasion, and HTML smuggling to get victims to execute payloads. Lumen/Black Lotus Labs telemetry ties major bot recruitment peaks to OneNote campaigns in January–February and an HTML smuggling campaign in March, and notes defenders can mitigate some vectors by blocking OneNote at mail servers.
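The mitigation mentioned above (blocking OneNote at the mail server) is straightforward to express as an attachment gate. The following is an added example, not code from the Lumen/Black Lotus Labs post: it walks a MIME message and flags the three 2023 Qakbot lure types named on this page (OneNote files, macro-bearing Office documents, and HTML attachments carrying a large base64 blob, the HTML smuggling pattern). The suffix list, the blob-size threshold and the script-API keywords are assumptions for illustration, and the sample message is constructed here.

```python
"""Mail-gateway attachment gate for the Qakbot lure types described above.

Added example (not from the Lumen/Black Lotus Labs post). The blocked-suffix
list, the base64 blob threshold and the keyword check are assumed policy
values; tune them to your own mail flow.
"""
import re
from email import encoders, message_from_string
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List, Optional

# Attachment suffixes treated as high-risk (assumed policy list built from the
# file types this page lists: OneNote files and macro-capable Office documents).
BLOCKED_SUFFIXES = (".one", ".onepkg", ".doc", ".docm", ".xls", ".xlsm")

# An HTML attachment containing a base64 run at least this long, next to a
# client-side decode/download API, is treated as a smuggling candidate
# (assumed threshold).
SMUGGLE_MIN_B64_LEN = 2048
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % SMUGGLE_MIN_B64_LEN)
_SMUGGLE_API = re.compile(r"atob\(|new Blob\(|download=")


def classify_part(part: Message) -> Optional[str]:
    """Return a verdict string for one MIME part, or None if it looks benign."""
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    if name.endswith(BLOCKED_SUFFIXES):
        return f"blocked-extension:{name}"
    if ctype == "text/html" or name.endswith((".html", ".htm")):
        payload = part.get_payload(decode=True) or b""
        text = payload.decode("utf-8", errors="ignore")
        if _B64_BLOB.search(text) and _SMUGGLE_API.search(text):
            return f"html-smuggling-candidate:{name or 'inline-html'}"
    return None


def scan_message(raw: str) -> List[str]:
    """Walk every leaf MIME part and collect verdicts; an empty list means deliver."""
    msg = message_from_string(raw)
    verdicts: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        verdict = classify_part(part)
        if verdict:
            verdicts.append(verdict)
    return verdicts


def build_sample(filename: str, content_type: str, body: bytes) -> str:
    """Constructed test message with one attachment (sample data, not a real lure)."""
    msg = MIMEMultipart()
    msg["Subject"] = "Invoice"
    msg.attach(MIMEText("Please see attached."))
    maintype, subtype = content_type.split("/", 1)
    att = MIMEBase(maintype, subtype)
    att.set_payload(body)
    encoders.encode_base64(att)
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_string()


if __name__ == "__main__":
    # Constructed samples: a OneNote attachment, a benign PDF, and an HTML file
    # with a large base64 blob fed to atob().
    print(scan_message(build_sample("invoice.one", "application/octet-stream", b"\x00" * 16)))
    print(scan_message(build_sample("invoice.pdf", "application/pdf", b"%PDF-1.4")))
    smuggled = ('<html><script>var p = atob("' + "A" * 3000 + '");</script></html>').encode()
    print(scan_message(build_sample("order.html", "text/html", smuggled)))
```

`scan_message` returns verdicts rather than rejecting outright so the same function can drive a quarantine, a tag-and-deliver policy, or a hard reject depending on the gateway; the base64-plus-`atob()` heuristic is deliberately narrow and should be treated as a candidate signal, not proof of smuggling.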
The botnet’s command-and-control architecture is deliberately evasive: operators hide Tier 1 C2s in compromised web servers and residential (ISP-issued dynamic) IP space and maintain a tiered structure where Tier 1 residential C2s frequently report to Tier 2 VPS-hosted nodes. Qakbot rapidly converts infected hosts into additional C2s or proxies (often via a backconnect server), producing high churn—Black Lotus Labs observed 70–90 new C2s over seven-day cycles, with >25% of C2s active for a single day and ~50% inactive within a week—which frustrates static IOC-based blocking.
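The churn figures above are the reason a static C2 blocklist decays so quickly: a residential Tier 1 address that was a C2 yesterday is often an innocent dynamic-IP subscriber tomorrow. The following is an added example, not Lumen/Black Lotus Labs tooling: it takes first-seen/last-seen sightings of C2 addresses, reproduces the one-day and seven-day inactivity fractions the page reports, and applies a tier-aware expiry policy so residential entries age off a blocklist faster than VPS-hosted Tier 2 nodes. The sightings use RFC 5737 documentation addresses and are constructed here; the tier labels and the expiry windows are assumptions.

```python
"""C2 churn measurement and tier-aware IOC aging for the Qakbot model above.

Added example (not from the Lumen/Black Lotus Labs post). Sightings are
constructed sample data on RFC 5737 documentation addresses; the tier labels
and expiry windows are assumptions to illustrate the policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class C2Sighting:
    addr: str
    tier: int            # 1 = residential / compromised host, 2 = VPS node (assumed labels)
    first_seen: datetime
    last_seen: datetime


def churn_stats(sightings: List[C2Sighting]) -> Dict[str, float]:
    """Fraction of observed C2s whose active window closed within 1 day / 7 days."""
    n = len(sightings)
    dead_1d = sum(1 for s in sightings if s.last_seen - s.first_seen < timedelta(days=1))
    dead_7d = sum(1 for s in sightings if s.last_seen - s.first_seen < timedelta(days=7))
    return {
        "count": n,
        "inactive_within_1d": dead_1d / n,
        "inactive_within_7d": dead_7d / n,
    }


def blocklist_candidates(
    sightings: List[C2Sighting],
    now: datetime,
    max_age_tier1: timedelta = timedelta(days=2),   # assumed: residential IPs expire fast
    max_age_tier2: timedelta = timedelta(days=14),  # assumed: VPS nodes are kept longer
) -> List[str]:
    """Return addresses still worth blocking at `now`, given per-tier maximum ages.

    Residential Tier 1 entries are dropped soon after their last sighting because
    the address is likely to be reassigned to an uninvolved subscriber; Tier 2
    VPS entries are retained longer.
    """
    keep = []
    for s in sightings:
        age = now - s.last_seen
        limit = max_age_tier1 if s.tier == 1 else max_age_tier2
        if age <= limit:
            keep.append(s.addr)
    return sorted(keep)


# Constructed sightings (documentation address ranges, not real infrastructure).
T0 = datetime(2023, 3, 1)
SAMPLE = [
    C2Sighting("192.0.2.10", 1, T0, T0 + timedelta(hours=6)),                     # gone within a day
    C2Sighting("192.0.2.11", 1, T0, T0 + timedelta(hours=20)),                    # gone within a day
    C2Sighting("192.0.2.12", 1, T0, T0 + timedelta(days=3)),                      # gone within a week
    C2Sighting("192.0.2.13", 1, T0, T0 + timedelta(days=5)),                      # gone within a week
    C2Sighting("198.51.100.5", 2, T0, T0 + timedelta(days=9)),
    C2Sighting("198.51.100.6", 2, T0, T0 + timedelta(days=12)),
    C2Sighting("203.0.113.7", 1, T0 + timedelta(days=2), T0 + timedelta(days=10)),
    C2Sighting("203.0.113.8", 2, T0 + timedelta(days=1), T0 + timedelta(days=12)),
]

if __name__ == "__main__":
    print(churn_stats(SAMPLE))
    print(blocklist_candidates(SAMPLE, now=T0 + timedelta(days=12)))
```

With the constructed data, `churn_stats` yields 25% inactive within a day and 50% within a week, matching the ratios the page reports, and `blocklist_candidates` evaluated twelve days into the sample keeps only the two Tier 2 nodes and the two addresses seen within the last two days. In practice the sightings would come from your own netflow or proxy telemetry and the expiry windows from measured reassignment rates for the ISP ranges involved.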
Operational telemetry shows infected bots exfiltrate most useful data quickly (≈50% on day one, ≈90% by day seven), after which operators can load further payloads or repurpose hosts for resale or as new C2 nodes. The backconnect server commonly turns bots into proxies, and bots may simultaneously communicate with multiple Tier 1 and Tier 2 C2s, underscoring a resilient, multi-layered C2 model that Lumen’s visibility can partially pre-identify (up to ~35% of confirmed C2s prior to campaign use). Read more: https://blog.lumen.com/qakbot-retool-reinfect-recycle/?utm_source=rss&utm_medium=rss&utm_campaign=qakbot-retool-reinfect-recycle