Qbot malware switched to stealthy new Windows autostart method


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
A new Qbot malware version now activates its persistence mechanism right before infected Windows devices shutdown and it automatically removes any traces when the system restarts or wakes up from sleep. [...]

In recent campaigns, Qbot victims have been infected using phishing emails featuring Excel document attachments pretending to be DocuSign documents.

Starting with November 24, when Binary Defense threat researcher James Quinn says that the new Qbot version was spotted, the malware is using a newer and stealthier persistence mechanism that takes advantage of system shutdown and resume messages to toggle persistence on infected devices.

This tactic is so successful that some researchers have previously thought that the Qbot trojan has removed this persistence mechanism altogether.

"While initial reports by other researchers had stated that the Run key persistence mechanism was removed in the new version of Qakbot, it has instead been added to a more stealthy and interesting persistence mechanism that listens for System Shutdown Messages, along with PowerBroadcast Suspend/Resume messages," Quinn explains.


Level 11
Aug 21, 2018
Just wondering...ZoneAlarm does have an ability called "Timing Attack Prevention" which prevents malicious programs from exploiting kernel timing vulnerabilities for execution of untrusted code. Would this help in this situation?

Kind regards,