“Operation Duck Hunt” Shuts Down QakBot Botnet

Author Avatar


Posted on September 26, 2023

Do you want to interview James Lui?


The US Department of Justice (DoJ) recently announced that it disrupted the QakBot botnet infrastructure and freed over 700,000 victims’ computers from the hands of cybercriminals. QakBot has been around since at least 2008 and was responsible for hundreds of millions of dollars in ransomware attacks.

What is QakBot?

QakBot – also known as Pinkslipbot, Qbot, Quakbot, and other names – is a piece of malware that combines features of a banking trojan, a worm, and a remote access trojan (RAT).

It appears to have started out as a banking trojan, meaning its purpose was stealing financial data from infected systems. But its main use in recent years has been as a remote access trojan, a piece of malware residing on computers that allows cybercriminals to remotely execute commands on infected systems. As a RAT, it is commonly used to deploy other malware, such as ransomware. It is also a worm, meaning that it attempts to self-propagate to other devices.

QakBot mostly infects computers by way of spam emails that contain malicious attachments or links. QakBot has been used by many leading ransomware gangs such as Conti (the gang responsible for an attack on Ireland’s healthcare system) and REvil (the gang behind a supply chain attack on an IT management company).

According to the DoJ, QakBot was responsible for 40 ransomware attacks that netted the hackers $58 million over just the last 18 months. Victims included an engineering firm, financial services firms, a food distribution company, and a defense contractor.

Operation Duck Hunt

Operation Duck Hunt is the code name given to the operation that took down the botnet. Led by the FBI with support from the US Cybersecurity and Infrastructure Security Agency (CISA), it was a multinational operation with actions taken not only in the US, but also in France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia.

In addition to deleting the malware from 700,000 computers, the operation seized nearly $9 million in cryptocurrency, which will be made available to victims. The agencies seized 52 servers around the world.

No arrests have been reported in connection with the operation, presumably because the perpetrators are believed to be in countries beyond the reach of the US and its partners in the operation.

Only a Temporary Setback

The owners of the 700,000 infected computers (including 200,000 in the US) are no doubt breathing a sigh of relief to have this malware removed from their computers — after the initial alarm at discovering it was there. For the cybercriminals, however, this will be only a short-term hiccup in the pace at which ransomware and other forms are malware are deployed. It’s a safe bet that the cybercriminals behind QakBot are already hard at work building a new botnet.

It will take some time to rebuild a network with 700,000 bots. But to put that in perspective, this wasn’t even one of the largest botnets. Mariposa infected 23 million computers in two outbreaks in 2009-2011.

Avoid Falling Victim to the Next QakBot

Human nature being what it is, the same people who opened those infected attachments before – or who clicked through to infected links – will likely do the same thing again. And if not those specific individuals, plenty others will be tricked to triggering the malware.

The clear message is that you can’t consistently rely on end-users’ awareness to protect you from a malware infection. Nor can you rely on detection-based solutions that cannot catch malware that is as-yet unknown, aka zero-day exploits.

The best way to protect against becoming a victim to the next RAT that comes along is by moving to a Zero Trust-based approach to cybersecurity, and especially web browsing.

Remote Browser Isolation (RBI) is a key technology that air-gaps your devices from malware. Ericom Web Security executes web code in an isolated cloud-based container. Sanitized rendering data is streamed to the user’s browser, delivering a fully interactive user experience that is indistinguishable from un-isolated browsing – only secure.

If the user clicks on an infected link the malware remains isolated in the cloud. It cannot reach the user’s device and is harmlessly deleted when the user ends their session. If the user downloads files from the web or email attachments, Content Disarm and Reconstruction (CDR) sanitizes them within the isolated container, eliminating any malware before downloading the file to the user, with desired functionality intact.


The FBI’s recent success does not mean that the cyber roadways are now safe. Cybercrime is a large and growing business, estimated at over $1 trillion per year. The next QakBot is no doubt already in circulation. And there are many other kinds of cyberthreats besides ransomware, including hackers who want to steal your data or hijack your computers for their own purposes.

A comprehensive Zero Trust security approach is your best bet for keeping your organization secure. Ericom’s Security Service Edge (SSE) platform provides a broad set of capabilities to secure your users wherever they are – in the office, on the road, or at home – in an affordable, easy to manage solution.

Share this on:

Author Avatar

About James Lui

Ericom Software Group CTO, Americas

Recent Posts

Air Gapping Your Way to Cyber Safety

Physically air gapping enterprise networks from the web is a great way to protect operations, keep data safe … and squelch productivity. Virtual air gapping is a better approach.

Motion Picture Association Updates Cybersecurity Best Practices

The MPA recently revised its content security best practices to address, among other challenges, the issue of data protection in the cloud computing age.

FTC Issues Cybersecurity Warning for QR Codes

QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.