QakBot Defensive Triage Notes

QakBot has historically been associated with loader activity, credential theft, and follow-on intrusion enablement. Defensive triage focuses on delivery chain evidence and command execution.

Loader / Botnet

• Uses scripted or document-driven delivery chains in many reported cases.
• May establish persistence, inject into processes, and communicate with remote infrastructure.
• Can enable follow-on hands-on-keyboard intrusion activity.

• T1059 Command and Scripting Interpreter
• T1055 Process Injection
• T1105 Ingress Tool Transfer

IOCs vary by campaign and should be validated before use. Add confirmed hashes, domains, URLs, IPs, registry paths, file paths, or mutexes from authorized investigations only.

• Hunt for script interpreters launching unusual binaries from user-writable paths.
• Review process injection, scheduled task, and persistence telemetry.
• Correlate suspicious email delivery artifacts with endpoint execution.

• Preserve email, endpoint, and proxy evidence for delivery-chain reconstruction.
• Identify follow-on payloads or remote access tooling.
• Reset exposed credentials and review lateral movement signals.

Educational and defensive use only. These notes support authorized analysis and detection engineering. They are not attribution claims and should not be treated as a complete malware verdict by themselves.