Attivo Networks Blogs

Qakbot Malware… It’s Back, Nastier Than Ever, and with a BullsEye on Healthcare

Be thankful if you haven’t heard the name or encountered Qakbot or Pinkslipbot, which are variants of this malware. It is a particularly nasty and evasive form of malware that is self-propagating. It is known to copy itself on the network and onto removable drives, and while moving laterally is known to mutate making it very difficult to analyze and stop.

Attivo has recently seen an outbreak of Qakbot in the medical industry and is working with several security operations teams to help them be able to detect, analyze, and remove this malware in their networks. With Attivo forensics, security teams are also further empowered with C&C IP addresses so that they can proactively update prevention systems and protect against the exfiltration of data.

This blog provides a brief overview of how Qakbot works in the Kill Chain and how by adding in the Attivo Deception Platform, security operations teams can quickly detect, analyze and remediate against these threats.

Exploring Qakbot in the Kill Chain

Qakbot initial

Qakbot Foothold


Adding Deception to Deceive and Delay Attacker


Attivo Forensics and Threat Intelligence

The Attivo BOTsink Multi-dimension Correlation Engine is able to explode attacks safely within a VM. A port can also be opened to communicate with Command and Control for other threat intelligence such as methods, tools, and intent.

  • Action:
    • Automatic BOTsink detection or
    • Sample upload to BOTsink for analysis




Organizations with some of the best-in-class prevention system are demonstrating that they cannot reliably stop Qakbot.

  • New malware strain is going undetected by signature-based systems
  • While moving laterally the malware changes itself making it hard to detect and stop
  • The web exploits utilized legitimate looking java scripts and are bypassing security prevention systems.

Deception is playing a critical role in protecting against Qakbot attacks. Not reliant on known signatures or attack patterns, Attivo can deceive the attacker into engaging. Once detected, the attack is analyzed and in-depth reporting provided for quarantining and updating of prevention systems. Some of the core cited customer value is the ability to detect Qakbot during lateral movement. It’s ability to mutate has challenged many operations teams.

Additional Resources:

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

seventeen − 8 =

Ready to find out what’s lurking in your network?

Scroll to Top