BIPI

Qakbot Dismantled: Inside Operation Duck Hunt

Threat Intelligence

The FBI-led Operation Duck Hunt in August 2023 severed Qakbot's command infrastructure and removed the implant from 700,000 infected machines. Here is how the botnet worked and why the takedown mattered.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 2, 2024 · 9 min read

#qakbot #botnet #malware #fbi #threat-intelligence

Qakbot, also tracked as QBot and Pinkslipbot, began life in 2007 as a credential-stealing banking trojan. By 2023 it had mutated into one of the most prolific initial access brokers in the ransomware ecosystem, handing off footholds to Black Basta, REvil, Conti, and a rotating cast of affiliates. The August 2023 law-enforcement operation changed that calculus overnight.

Infrastructure Architecture

Qakbot operated a three-tier command-and-control hierarchy. Tier 1 was made up of infected victim machines that the operators promoted to a proxy role (supernodes), typically hosts on residential or small-business connections whose addresses looked like ordinary consumer traffic. Tier 2 was a layer of operator-controlled relay servers that shuttled traffic between the supernodes and the backend. Tier 3 held the true C2 servers, often hosted with bulletproof providers in Russia and Eastern Europe. This onion-style layout made attribution slow and takedowns expensive: burning one tier rarely exposed the next, and the victims themselves supplied the outermost layer.

  • Tier 1 (victim proxies): 700,000+ infected endpoints at peak, mostly Windows 7/10 small-business machines, a subset of which were promoted to supernodes that relayed traffic for the rest
  • Tier 2 (relays): roughly 2,000 nodes that routed traffic between the supernodes and the real C2
  • Tier 3 (C2): operator-controlled servers that issued tasks and received exfiltrated credential stores
  • Protocol: HTTPS on 443 and on non-standard ports such as 2078 and 2222, RC4-encrypted configuration and payloads, dynamic config updates pushed as encrypted blobs
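To make the configuration handling concrete, here is an added example (not Qakbot's code and not from this article) of the resource scheme public analyses describe: RC4 under a key derived as SHA-1 of a hard-coded string, with the first 20 bytes of the plaintext holding a SHA-1 of the rest. It builds a constructed sample blob the way the operator side would, then shows the extractor side: try candidate key strings until the checksum verifies. The key string and the config values are invented for the example; the numbered key=value layout follows public write-ups, and real builds embed their own key strings.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical key string; each real build embeds its own hard-coded string.
KEY_STRING = b"example-build-key-string"

# Constructed sample config. The numbered fields follow public write-ups
# (10 = campaign id, 3 = build timestamp); the values are invented.
SAMPLE_CONFIG = {"10": "campaign-example", "3": "1690000000"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(key_string: bytes) -> bytes:
    """RC4 key = SHA-1 of the embedded string (the scheme described in public analyses)."""
    return hashlib.sha1(key_string).digest()


def build_blob(key_string: bytes, config: Dict[str, str]) -> bytes:
    """Operator side: serialise, prepend SHA-1 of the plaintext, RC4-encrypt."""
    plain = "\r\n".join(f"{k}={v}" for k, v in config.items()).encode()
    return rc4(derive_key(key_string), hashlib.sha1(plain).digest() + plain)


def decrypt_blob(key_string: bytes, blob: bytes) -> Optional[Dict[str, str]]:
    """Extractor side: decrypt, check the 20-byte SHA-1 prefix, parse key=value lines.
    Returns None on a checksum mismatch (wrong key or corrupted blob)."""
    plain = rc4(derive_key(key_string), blob)
    digest, body = plain[:20], plain[20:]
    if hashlib.sha1(body).digest() != digest:
        return None
    config: Dict[str, str] = {}
    for line in body.decode("latin-1").split("\r\n"):
        if "=" in line:
            k, v = line.split("=", 1)
            config[k] = v
    return config


def try_keys(blob: bytes, candidates: Iterable[bytes]) -> Optional[Tuple[bytes, Dict[str, str]]]:
    """Brute-force the embedded key string from a list of known ones. The checksum is
    what separates a wrong key from the right one, because RC4 itself never fails."""
    for ks in candidates:
        cfg = decrypt_blob(ks, blob)
        if cfg is not None:
            return ks, cfg
    return None


if __name__ == "__main__":
    blob = build_blob(KEY_STRING, SAMPLE_CONFIG)
    print(try_keys(blob, [b"wrong-guess", KEY_STRING]))
```

The checksum prefix is the practical point: a config extractor that only RC4-decrypts and looks for printable strings produces garbage silently under a wrong key, while the SHA-1 check gives a yes/no answer per candidate key string.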

Infection Chain

The typical Qakbot delivery chain in 2022-2023 started with a phishing email carrying either a macro-enabled Office document (.xlsm or .docm) or, after Microsoft began blocking internet-sourced macros by default in mid-2022, a .zip or .iso container. Mounting an ISO was the trick: Windows records the Mark-of-the-Web in the Zone.Identifier NTFS alternate data stream of a downloaded file, but files inside a mounted image did not inherit it, so the embedded LNK or DLL ran without a SmartScreen prompt.

  1. Phishing email, usually a reply injected into a stolen mail thread (thread hijacking) so it appears to come from a known correspondent
  2. Victim opens the attached .zip or mounts the .iso
  3. An LNK shortcut inside launches regsvr32.exe or rundll32.exe to load the Qakbot DLL
  4. Qakbot injects itself into a legitimate process such as wermgr.exe or explorer.exe (process hollowing) and sets up persistence
  5. The bot harvests credentials, browser cookies, and email contacts and threads for further spreading
  6. The operator sells or leases the access; a Cobalt Strike or Brute Ratel C4 beacon follows within hours

Security teams reported that Qakbot's thread-hijacking emails were opened at three to four times the rate of generic phishing. Familiarity is a more reliable exploit than any CVE.

Operation Duck Hunt

The FBI gained visibility into Qakbot's network after obtaining access to the operators' infrastructure and recovering the encryption keys that protected the bot's configuration and its C2 traffic. With those keys, agents redirected bot traffic to FBI-controlled servers and pushed a custom uninstaller module through Qakbot's own update channel. Because the module was signed in a way that passed the bot's own signature checks, each bot accepted it as a legitimate task: it terminated the Qakbot process, removed its scheduled tasks and registry persistence entries, and left other user data untouched.
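The mechanism that made the takedown possible, reduced to its essentials as an added example (not the FBI's tooling, not Qakbot's code, and not from this article): a bot embeds only a public key and executes a task only if the task's signature verifies, so whoever holds the matching private key can push an uninstall through the legitimate update path. Qakbot's actual wire format, key sizes and task encoding are not reproduced here; the RSA is a textbook toy built from the standard library so the block runs offline, and the task string and bot behaviour are invented for the illustration.

```python
import hashlib
import random
from typing import List, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for an illustrative keypair, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(bits: int = 512, seed: int = 7) -> Tuple[Key, Key]:
    """Textbook RSA keypair (public, private). Seeded only so the demo is repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = q = 0
        while not is_probable_prime(p, rng):
            p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while q == p or not is_probable_prime(q, rng):
            q = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def sign(priv: Key, task: bytes) -> int:
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(task).digest(), "big"), d, n)


def verify(pub: Key, task: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(task).digest(), "big")


class Bot:
    """Minimal bot: holds only the public key and runs a task only if its signature verifies."""

    def __init__(self, pub: Key) -> None:
        self.pub = pub
        self.installed = True
        self.audit: List[Tuple[str, bytes]] = []

    def handle_task(self, task: bytes, sig: int) -> str:
        if not verify(self.pub, task, sig):
            self.audit.append(("rejected", task))
            return "rejected"
        verb = task.split(b" ", 1)[0]
        if verb == b"uninstall":
            self.installed = False  # stand-in for killing the process and dropping persistence
            self.audit.append(("uninstalled", task))
            return "uninstalled"
        self.audit.append(("ran", task))
        return "ran"


def takedown(bot: Bot, recovered_priv: Key) -> str:
    """What the takedown amounts to once the operators' signing key is in hand."""
    task = b"uninstall reason=law-enforcement-action"
    return bot.handle_task(task, sign(recovered_priv, task))


if __name__ == "__main__":
    pub, priv = gen_keypair()
    bot = Bot(pub)
    print(bot.handle_task(b"uninstall", 12345))  # forged signature: rejected
    print(takedown(bot, priv), bot.installed)    # uninstalled False
```

Note what the bot's check does and does not protect against: a third party without the key cannot forge an uninstall (the bot rejects it), which is exactly why the operators trusted the channel; once the private key is recovered, that same check is what makes every bot obey the takedown command.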

  • 700,000+ infected hosts cleaned
  • $8.6M in cryptocurrency seized
  • 36 countries with affected infrastructure
  • 0 arrests made in the August 2023 action

Detection and Hunting

  • Hunt for regsvr32.exe or rundll32.exe spawned by explorer.exe (an LNK launch) with a DLL argument outside C:\Windows and C:\Program Files, especially on a mounted drive letter, in %TEMP%, or under AppData
  • Alert on wermgr.exe or AtBroker.exe making outbound HTTPS connections to non-Microsoft IPs on port 443 or on Qakbot's non-standard ports such as 2078; neither binary has a reason to talk to arbitrary internet hosts
  • YARA/config extraction: Qakbot's encrypted resources decrypt with RC4 under a key derived as SHA-1 of a hard-coded string, and the first 20 bytes of the plaintext are the SHA-1 of the rest; a matching checksum confirms both the key and that you are looking at a real config
  • Network: match outbound connections against the C2 indicators published with the takedown (the joint CISA/FBI advisory) rather than blocking whole ranges such as 185.220.0.0/16 or 194.165.0.0/16 on the strength of past sightings; Qakbot C2 sat on scattered residential and VPS addresses, so a /16 block is mostly false positives
  • SIGMA: process injection into explorer.exe or wermgr.exe (Sysmon CreateRemoteThread or process-access events) followed by network connections from the injected process to addresses it had never contacted before or to domains registered less than 30 days ago
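The first two hunts above, run as code over sample telemetry, as an added example that is not part of the original article. The event field names follow Sysmon's (EventID 1 for process creation, EventID 3 for network connections); the events themselves and the allow-list CIDR are constructed for the example, using TEST-NET addresses so no real host is implied. In practice you would feed it exported Sysmon JSON and maintain the allow-list from vendor-published prefixes.

```python
import ipaddress
import json
import re
from typing import List, Optional

# Constructed sample telemetry in a Sysmon-like shape. None of these lines
# come from a real incident; the paths and addresses are invented.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe D:\invoice\docs.dll"},                 # DLL on a mounted ISO
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\ann\AppData\Local\Temp\x.dll,DllRegisterServer"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
    {"EventID": 3, "Image": r"C:\Windows\System32\wermgr.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 2078},              # beacon-like
    {"EventID": 3, "Image": r"C:\Windows\System32\wermgr.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},               # allow-listed
])

# Placeholder allow-list standing in for the Microsoft telemetry ranges you would
# maintain from vendor-published prefixes (TEST-NET-2 here, so nothing real is implied).
TRUSTED_CIDRS = ["198.51.100.0/24"]

LOADERS = {"regsvr32.exe", "rundll32.exe"}
INJECTION_HOSTS = {"wermgr.exe", "atbroker.exe"}
C2_PORTS = {443, 2078}
TRUSTED_PATH_PREFIXES = ("c:\\windows\\", "c:\\program files")
DLL_RE = re.compile(r'([a-z]:\\[^\s,"]+\.dll)', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_loader(ev: dict) -> Optional[str]:
    """regsvr32/rundll32 launched from explorer.exe (a double-clicked LNK) with a
    DLL that lives outside the OS and Program Files trees."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) not in LOADERS:
        return None
    if _basename(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    m = DLL_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    dll = m.group(1).lower()
    if dll.startswith(TRUSTED_PATH_PREFIXES):
        return None
    return f"{_basename(ev['Image'])} loading {dll} from explorer.exe"


def suspicious_beacon(ev: dict, trusted_nets: list) -> Optional[str]:
    """wermgr.exe / AtBroker.exe talking to a non-allow-listed address on a Qakbot port."""
    if ev.get("EventID") != 3 or _basename(ev.get("Image", "")) not in INJECTION_HOSTS:
        return None
    port = int(ev.get("DestinationPort", 0))
    if port not in C2_PORTS:
        return None
    ip = ipaddress.ip_address(ev["DestinationIp"])
    if any(ip in net for net in trusted_nets):
        return None
    return f"{_basename(ev['Image'])} -> {ip}:{port}"


def hunt(jsonl: str, trusted_cidrs: List[str]) -> List[str]:
    """Run both rules over newline-delimited JSON events and return the findings."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings: List[str] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in (suspicious_loader, lambda e: suspicious_beacon(e, nets)):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, TRUSTED_CIDRS):
        print(finding)
```

The loader rule keys on the parent rather than on the DLL name because Qakbot's file names changed per campaign while the launch path (explorer.exe running an LNK that calls a system loader against a DLL in user-writable space) stayed constant; the beacon rule depends entirely on a good allow-list, which is where most of the tuning effort goes.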

Remediation Steps

  1. Audit SOHO routers and other edge devices for outdated firmware and default credentials; many supernodes sat behind unmanaged small-office connections
  2. Block Office macros via Group Policy or Intune and allow only macros signed by a publisher you trust, such as your internal code-signing CA
  3. Make sure Mark-of-the-Web propagates into mounted .iso and .vhd images so their contents trigger SmartScreen (Windows 11 22H2, or the November 2022 security updates on earlier builds)
  4. Deploy Sysmon with a mature configuration (SwiftOnSecurity or Olaf Hartong's sysmon-modular) so process creation, network connections and injection events are captured
  5. Rotate credentials for every account that touched a host carrying a Qakbot IOC, including mailbox passwords and anything saved in browsers; stolen credentials were Qakbot's core business

Operation Duck Hunt was one of the most technically sophisticated law-enforcement cyber operations on record. It demonstrated that with the right legal authorities and technical access, the update channel of a botnet can become its undoing. The broader lesson: resilient C2 architecture is only as strong as the key management practices protecting it.

Read more field notes, explore our services, or get in touch at info@bipi.in.