Current Ransomware Threats Persist as Qakbot Actors Resurface with Knight Malware

Even though Qakbot was eradicated in August, Talos has revealed that threat actors are disseminating the Knight malware, contributing to the existing landscape of ransomware threats. This activity includes regional targeting and the possibility of a resurgence. (Photo: bleepingcomputer)

Unveiling the Persistence of Current Ransomware Threats, The Qakbot and Knight Malware Connection

Despite Qakbot’s elimination in August, Talos reports that threat actors are distributing Knight malware, adding to current ransomware threats, with regional targeting and the potential for a resurgence. (Photo: blackberry)

Analyzing the Persistence of Qakbot Threat Actors and Their Shift to Knight Ransomware

According to, despite a successful law enforcement operation that effectively eliminated the Qakbot banking Trojan in August, the individuals responsible for this threat continue to pose a danger to users. Cisco’s Talos threat intelligence group has reported with “moderate confidence” that these threat actors are actively engaged in a new campaign, where they are distributing a variant of the Knight malware, which underwent a rebranding as Cyclops in July.

Knight is ransomware that extorts money from companies by threatening to sell stolen data, which keeps it among current ransomware threats. Talos based its analysis on the drive serial numbers recorded in the metadata of LNK files from computers linked to previous Qakbot attacks. Although the threat actors attempted to erase that metadata, Talos identified a machine connected to these attacks.
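How a drive serial number is read out of LNK metadata, as an added example that is not Talos's tooling or part of the original article: the Python below follows the published MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList, LinkInfo, VolumeID) and groups samples by that serial. The function names, sample names and the `make_lnk` test links are constructed for illustration.

```python
import struct
from collections import defaultdict

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK LinkCLSID
HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2                          # LinkFlags bits

def drive_serial(lnk: bytes):
    """Return VolumeID.DriveSerialNumber as 'XXXX-XXXX', or None if the link has no VolumeID."""
    if len(lnk) < 76 or struct.unpack_from("<I", lnk)[0] != 0x4C or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    pos = 76                                     # end of the fixed ShellLinkHeader
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList (2-byte size + data)
        if pos + 2 > len(lnk):
            raise ValueError("truncated IDList")
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    if pos + 28 > len(lnk):
        raise ValueError("truncated LinkInfo")
    size, _hdr, info_flags, vol_off = struct.unpack_from("<4I", lnk, pos)
    if not info_flags & 0x1:                     # VolumeIDAndLocalBasePath not set
        return None
    vol = pos + vol_off
    if vol_off < 28 or vol_off + 16 > size or vol + 16 > len(lnk):
        raise ValueError("VolumeID outside LinkInfo")
    serial = struct.unpack_from("<I", lnk, vol + 8)[0]   # follows VolumeIDSize, DriveType
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"

def cluster_by_serial(samples: dict) -> dict:
    """Group sample names by drive serial so links built on one machine fall together."""
    groups = defaultdict(list)
    for name, data in samples.items():
        try:
            key = drive_serial(data) or "no-volume-id"
        except ValueError:
            key = "invalid"
        groups[key].append(name)
    return dict(groups)

def make_lnk(serial=None, idlist=b""):
    """Constructed input: a minimal .lnk, optionally with an IDList and a VolumeID."""
    flags = (HAS_ID_LIST if idlist else 0) | (HAS_LINK_INFO if serial is not None else 0)
    out = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(52)
    if idlist:
        out += struct.pack("<H", len(idlist)) + idlist
    if serial is not None:
        volume = struct.pack("<4I", 17, 3, serial, 16) + b"\x00"   # DRIVE_FIXED, empty label
        path = b"C:\\x.exe\x00"
        out += struct.pack("<7I", 55, 28, 1, 28, 45, 0, 54) + volume + path + b"\x00"
    return out
```

Links whose LinkInfo block has been stripped fall into the `no-volume-id` group, so one link that still carries a serial can tie a sample set to a single build machine.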

Interestingly, some of the filenames were in Italian, suggesting a regional targeting strategy in the context of current ransomware threats. These LNK files are disseminated within Zip archives containing XLL files. Upon opening these XLL files, the Remcos backdoor is installed, working in tandem with the Knight malware to gain access to systems and further contribute to current ransomware threats.


Qakbot Actors as Knight Ransomware Customers: Assessing the Ongoing Threat Landscape

It’s important to note that the Qakbot actors are likely not the creators of the Knight ransomware service itself; rather, they are customers of this service. The FBI-led operation that dismantled Qakbot’s command-and-control servers in August did not affect the group’s phishing infrastructure, potentially allowing for a resurgence of the threat and adding to the landscape of current ransomware threats.

Qakbot initially posed a significant and ingenious threat, infiltrating Exchange servers at third-party organizations to modify legitimate emails and insert the Qakbot payload into legitimate message threads, effectively contributing to the landscape of current ransomware threats. In summary, despite the law enforcement operation in August, the Qakbot threat remains as the threat actors pivot to distributing the Knight malware, persistently posing a risk to users and highlighting the ongoing landscape of current ransomware threats.

Talos’ analysis indicates regional targeting and the potential for a resurgence due to the unaffected phishing infrastructure, further emphasizing the evolving nature of current ransomware threats. Qakbot’s initial method of infiltration through hijacked Exchange servers showcased its significant and clever nature, which continues to be a significant factor in the realm of current ransomware threats to organizations and individuals alike.
