Qakbot-Affiliated Actors Distribute Ransom Knight Malware Despite Infrastructure Takedown
The Qakbot malware threat actors have been conducting a campaign since early August 2023, distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. This campaign started before the FBI seized Qakbot infrastructure, indicating that the takedown only affected their command and control servers. The Qakbot affiliates are still active, and metadata embedded in their LNK files has made it possible to track their activities. The LNK files are being distributed in phishing emails, primarily targeting users in Italy. The campaign includes Zip archives with XLL files that deliver the Remcos backdoor, while the LNK files download the Ransom Knight ransomware payload. The Qakbot threat actors are likely customers of the Ransom Knight ransomware-as-a-service, and despite the infrastructure takedown, they continue to pose a significant threat.
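The tracking mentioned above rests on a property of Windows shortcut files: when a .lnk is created, the shell writes a TrackerDataBlock containing the NetBIOS name of the machine that built it and a version-1 GUID whose node field carries that machine's MAC address, so lures built on the same box share a fingerprint even when the payload URLs change. The following Python is an added example (not code from the original report or from Cisco Talos) of a parser for that block and the shortcut's command-line arguments, following the MS-SHLLINK layout; it builds its own constructed sample shortcuts with an assumed machine name, MAC address and GUIDs, so the values it prints are not real indicators.

```python
import struct
import uuid

# ShellLinkHeader constants from MS-SHLLINK
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIGNATURE = 0xA0000003      # ExtraData block: TrackerDataBlock
TRACKER_BLOCK_SIZE = 0x60

# LinkFlags bits that change the layout of the body
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def _read_string_data(data, pos, is_unicode):
    """StringData item: CountCharacters (u16) followed by that many characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    width = 2 if is_unicode else 1
    raw = data[pos:pos + count * width]
    return raw.decode("utf-16-le" if is_unicode else "latin-1"), pos + count * width


def parse_lnk(data):
    """Return the command-line arguments and TrackerDataBlock origin fields of a .lnk blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LINK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList (u16 size prefix)
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                      # skip LinkInfo (u32 size includes itself)
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    info = {"machine_id": None, "mac_address": None, "droid_file": None}
    for field, bit in STRING_FIELDS:
        if flags & bit:
            info[field], pos = _read_string_data(data, pos, bool(flags & IS_UNICODE))
    # ExtraData: (BlockSize u32, BlockSignature u32, body) repeated until BlockSize < 4
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break                                  # TerminalBlock
        if sig == TRACKER_SIGNATURE and size >= TRACKER_BLOCK_SIZE:
            body = data[pos + 8:pos + size]        # Length, Version, MachineID, Droid, DroidBirth
            info["machine_id"] = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
            droid_file = uuid.UUID(bytes_le=body[40:56])   # second GUID of Droid (file object id)
            info["droid_file"] = str(droid_file)
            if droid_file.version == 1:            # time-based GUID: node field is a MAC address
                node = f"{droid_file.node:012x}"
                info["mac_address"] = ":".join(node[i:i + 2] for i in range(0, 12, 2))
        pos += size
    return info


def build_sample_lnk(machine_id, arguments, droid_file_guid):
    """Constructed sample shortcut (an assumption for this example, not a real artefact)."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", HEADER_SIZE) + LINK_CLSID
              + struct.pack("<II", flags, 0x20)                  # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                                      # Creation/Access/Write FILETIME
              + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))     # FileSize..Reserved3, SW_SHOWNORMAL
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    droid_volume = uuid.UUID("6f2c1b00-7a55-4d1a-9c3e-0a0b0c0d0e0f").bytes_le  # constructed
    droid_file = uuid.UUID(droid_file_guid).bytes_le
    tracker = (struct.pack("<IIII", TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE, 0x58, 0)
               + machine_id.encode("ascii").ljust(16, b"\x00")
               + droid_volume + droid_file                        # Droid
               + droid_volume + droid_file)                       # DroidBirth
    return header + string_data + tracker + struct.pack("<I", 0)  # TerminalBlock


def cluster_by_builder(samples):
    """Group lures by (MachineID, MAC): the fingerprint of the machine that created them."""
    clusters = {}
    for name, blob in samples.items():
        info = parse_lnk(blob)
        clusters.setdefault((info["machine_id"], info["mac_address"]), []).append(name)
    return clusters


if __name__ == "__main__":
    guid = "b8a1d2f0-5c3e-11ee-9d1a-001122334455"   # constructed v1 GUID, MAC 00:11:22:33:44:55
    samples = {  # constructed lures: two from one machine, one from another
        "lure_a.lnk": build_sample_lnk("DESKTOP-SAMPLE", "/c echo constructed-a", guid),
        "lure_b.lnk": build_sample_lnk("DESKTOP-SAMPLE", "/c echo constructed-b", guid),
        "lure_c.lnk": build_sample_lnk("OTHER-BOX", "/c echo constructed-c",
                                       "0c4e9a10-5c3e-11ee-9d1a-665544332211"),
    }
    for key, names in cluster_by_builder(samples).items():
        print(key, "->", names)
```

Running a parser like this over a sample set is cheap triage: the MachineID and MAC fields are written by the builder's own shell, so they survive changes of lure text and payload host, while the `arguments` field shows what the shortcut would actually execute and is the natural place to anchor detection rules.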