On 17 December 2023, Cluster25 reported via their official social media a low-volume campaign linked to Qbot, whose infrastructure was reportedly dismantled by United States federal authorities back in late August 2023.
The resurgence of Qbot is undoubtedly significant in the threat landscape:
In October 2023, numerous Qbot-linked events were observed in the wild, merely two months after the presumed eradication of the Qbot threat.
In November 2023, the rise in PikaBot and DarkGate events was correlated with a lower volume of Qbot attacks. This assessment may be corroborated by Cluster25's analysis, which identified overlaps between PikaBot and Qbot events.
Cluster25 reports command-and-control (C2) communication via HTTP POST requests to URLs consistent with "/teorema505". Payloads consistent with this indicator were uploaded on the evening of 16 December 2023 to MalwareBazaar, providing potential confirmation of a recent or active campaign.
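The indicator above is simple enough to hunt for directly in outbound proxy or web-gateway logs. The following Python is an added example, not code from Cluster25 or from the original note: it parses constructed log lines in a hypothetical "timestamp client method url status" format, keeps only HTTP POST requests whose URL path is "/teorema505" (optionally with a trailing slash, so that unrelated paths such as "/teorema505.html" do not fire), and groups the hits by internal client for triage. The log format, the sample lines and the client/server addresses are all constructed for the example; only the "/teorema505" path and the POST method come from the report.

```python
import re
from urllib.parse import urlsplit

# Indicator from the report: HTTP POST to a URL path consistent with "/teorema505".
# Anchored to the start of the path and allowing only an optional trailing slash,
# so lookalike paths ("/teorema505.html", "/x/teorema505") are not matched.
QBOT_C2_PATH_RE = re.compile(r"^/teorema505/?$")

# Constructed (hypothetical) log format: "<ts> <client_ip> <METHOD> <url> <status>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log; addresses are RFC 5737 documentation ranges, not real IoCs.
SAMPLE_LOG = """\
2023-12-16T21:03:11Z 10.0.4.17 POST http://198.51.100.23:443/teorema505 200
2023-12-16T21:03:15Z 10.0.4.17 GET http://example.com/teorema505.html 200
2023-12-16T21:04:02Z 10.0.4.31 POST http://203.0.113.9/teorema505/ 200
2023-12-16T21:05:40Z 10.0.4.17 POST https://update.example.org/api/check 200
2023-12-16T21:06:12Z 10.0.4.17 GET http://198.51.100.23/teorema505 404
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for garbage."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_qbot_c2_candidate(entry):
    """True when the entry is a POST whose URL path matches the reported C2 path."""
    if entry["method"] != "POST":
        return False
    path = urlsplit(entry["url"]).path or "/"
    return bool(QBOT_C2_PATH_RE.match(path))


def scan_log(text):
    """Parse every line and return the entries that match the indicator."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line: skip rather than crash the hunt
        if is_qbot_c2_candidate(entry):
            hits.append(entry)
    return hits


def summarize(hits):
    """Group matching entries by internal client, listing the contacted servers."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], []).append(urlsplit(h["url"]).netloc)
    return by_client


if __name__ == "__main__":
    for client, servers in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{client}: POST to /teorema505 on {', '.join(servers)}")
```

Running the block over the sample log reports two internal clients, 10.0.4.17 and 10.0.4.31, each having POSTed to the reported path; the GET requests and the lookalike HTML path are not flagged. Because the report only says the URLs are "consistent with" /teorema505, the exact-path match is a deliberately conservative choice; loosen QBOT_C2_PATH_RE if your own telemetry shows variants.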
Consistent with the trend observed since last October, a resurgence of Qbot appears to be a reality in the current threat landscape. The disruption carried out in August 2023 appears to have had a temporary rather than a definitive impact.