- The FBI's huge Qakbot bust only paused the malware's reign; it returned stronger and stealthier
- New Qakbot spam bomb attacks trick employees into unleashing ransomware inside their own companies
- Despite millions seized, Qakbot's mastermind remains free in Russia, beyond the reach of US law enforcement
In a major cybercrime takedown, the FBI and its international partners declared victory over Qakbot (also known as Qbot) in August 2023.
The malware operation, which had infected more than 700,000 computers worldwide (including around 200,000 in the United States), was linked to $58 million in ransomware losses.
Described by US Attorney Martin Estrada as "the most significant technological and financial operation ever led by the Justice Department against a botnet", Operation Duck Hunt led to the seizure of 52 servers and the confiscation of $8.6 million in cryptocurrency. But, like many apparent knockouts in cybercrime, the celebration was premature.
Qakbot re-emerges
Within just three months, Qakbot had reappeared, demonstrating that even highly coordinated, high-profile actions can have a disappointing long-term impact.
After the 2023 takedown, the alleged leader Rustam Rafailevich Gallyamov and his crew did not retreat; they adapted. Rather than relying on traditional phishing to distribute the malware, they reportedly switched to more deceptive tactics.
According to The Register, the newly unsealed indictment reveals a new strategy involving "spam bomb attacks": overwhelming inboxes with unwanted subscription emails.
The attackers would then pose as IT staff offering to help, coaxing the victims into running malicious code.
This tactic allowed the group to regain access to corporate systems, encrypt files and exfiltrate sensitive data.
"The defendant Gallyamov and co-conspirators would launch targeted spam bomb attacks on employees of victim companies," according to court documents, "then contact those employees, posing as information technology workers."
Once access was granted, the consequences were swift and severe: data theft, encryption and ransom demands.
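The two-stage pattern described above (a burst of subscription confirmations, then an external "IT" contact offering to fix the mess) lends itself to a simple detection over mail-gateway logs. The Python below is an added example, not code from the article or from any party it mentions; the log line format, the internal domain corp.example, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
"""Detect a subscription 'spam bomb' followed by a fake IT-helpdesk lure in mail logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) gateway log line format:
#   <ISO timestamp> to=<recipient> from=<sender> subj="<subject>"
LOG_RE = re.compile(r'^(\S+) to=(\S+) from=(\S+) subj="([^"]*)"$')

# Heuristics: subjects typical of subscription confirmations, and of an IT/helpdesk lure.
SUBSCRIPTION_RE = re.compile(r"\b(confirm|verify|welcome|subscription|newsletter|activate)\b", re.I)
IT_LURE_RE = re.compile(r"\b(it\s+(support|help\s*desk)|help\s*desk|spam|mailbox|inbox)\b", re.I)

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the protected organization's own domain(s)


def parse_log(lines):
    """Parse raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, to, sender, subj = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "to": to.lower(),
            "from": sender.lower(),
            "from_domain": sender.rsplit("@", 1)[-1].lower(),
            "subj": subj,
        })
    return events


def find_spam_bombs(events, window=timedelta(minutes=10), min_msgs=30, min_domains=20):
    """Return {recipient: (first_ts, last_ts)} for recipients hit by a subscription flood.

    A flood is at least min_msgs subscription-like external messages from at least
    min_domains distinct sender domains inside one sliding time window. The domain
    threshold is what separates a bomb from a single chatty newsletter.
    """
    by_rcpt = defaultdict(list)
    for e in events:
        if SUBSCRIPTION_RE.search(e["subj"]) and e["from_domain"] not in INTERNAL_DOMAINS:
            by_rcpt[e["to"]].append(e)
    bombs = {}
    for rcpt, msgs in by_rcpt.items():
        msgs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(msgs):
            while e["ts"] - msgs[start]["ts"] > window:  # slide the window forward
                start += 1
            span = msgs[start:end + 1]
            if len(span) >= min_msgs and len({m["from_domain"] for m in span}) >= min_domains:
                first = bombs[rcpt][0] if rcpt in bombs else msgs[start]["ts"]
                bombs[rcpt] = (first, e["ts"])
    return bombs


def find_followup_lures(events, bombs, lure_window=timedelta(hours=6)):
    """Flag external, IT/helpdesk-themed messages reaching a bombed recipient during or
    shortly after the flood: the social-engineering step that leads to code execution."""
    hits = []
    for e in events:
        if e["to"] not in bombs:
            continue
        first, last = bombs[e["to"]]
        if (first <= e["ts"] <= last + lure_window
                and e["from_domain"] not in INTERNAL_DOMAINS
                and IT_LURE_RE.search(e["subj"])
                and not SUBSCRIPTION_RE.search(e["subj"])):
            hits.append((e["to"], e["ts"].isoformat(), e["from"], e["subj"]))
    return hits


def sample_log():
    """Constructed sample traffic (not real logs): alice receives 40 subscription
    confirmations from 40 domains in under 5 minutes, then an external 'IT helpdesk'
    message; bob receives a few ordinary newsletters spread over hours."""
    base = datetime(2025, 5, 22, 9, 0, 0)
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=7 * i)).isoformat()
        lines.append(f'{ts} to=alice@corp.example from=noreply@site{i}.example subj="Confirm your subscription"')
    lure_ts = (base + timedelta(minutes=25)).isoformat()
    lines.append(f'{lure_ts} to=alice@corp.example from=support@corp-helpdesk.example '
                 f'subj="IT Helpdesk: we can clean up your inbox"')
    for i in range(3):
        ts = (base + timedelta(hours=i)).isoformat()
        lines.append(f'{ts} to=bob@corp.example from=news@site{i}.example subj="Weekly newsletter"')
    return lines


if __name__ == "__main__":
    evs = parse_log(sample_log())
    bombs = find_spam_bombs(evs)
    for rcpt, (first, last) in bombs.items():
        print(f"spam bomb: {rcpt} from {first.isoformat()} to {last.isoformat()}")
    for hit in find_followup_lures(evs, bombs):
        print("possible IT-impersonation lure:", hit)
```

The bomb detector keys on distinct sender domains rather than raw volume, since a single high-volume newsletter should not trip it; the lure detector only looks at recipients already flagged, which keeps the noisy "helpdesk" keyword match from firing on every ordinary IT ticket. In production the thresholds would be tuned per tenant and the lure check would also cover inbound phone or chat contact, which mail logs alone cannot see.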
The Qakbot malware gives attackers a backdoor into infected systems, lets them install additional payloads, and harvests credentials.
Operators behind ransomware strains such as REvil, Black Basta and Conti reportedly paid Gallyamov and his associates for access, or shared a cut of their extortion proceeds.
In April 2025, additional illicit funds, more than 30 bitcoin and US$700,000, were seized from Gallyamov, but he remains in Russia, beyond the reach of US law enforcement.
As federal officials put it, "unless he foolishly decides to leave the protection of his homeland", Gallyamov is likely to remain untouchable.
To stay protected from these types of threats, organizations should invest in strong antivirus; in addition, a leading endpoint protection platform can help detect and isolate suspicious activity before it escalates into a data breach or ransomware attack.