Qakbot Resurfaces with Stealthier Tactics After FBI Takedown
In August 2023, the FBI and international partners dismantled Qakbot (also known as Qbot), a notorious malware operation linked to over 700,000 global infections—including 200,000 in the U.S.—and $58 million in ransomware losses. Dubbed "Operation Duck Hunt," the crackdown seized 52 servers and $8.6 million in cryptocurrency, marking one of the Justice Department’s most significant botnet takedowns. However, the victory was short-lived.
By November 2023, Qakbot resurfaced with a more deceptive strategy. Instead of traditional phishing, the group—allegedly led by Russian national Rustam Rafailevich Gallyamov—adopted "spam bomb attacks." These floods of unwanted subscription emails overwhelmed employees, after which attackers posed as IT staff, tricking victims into executing malicious code. Once inside, the malware enabled data theft, encryption, and ransomware deployment, often in collaboration with groups like REvil, Black Basta, and Conti.
In April 2025, authorities seized an additional $700,000 and 30 bitcoins tied to Gallyamov, but he remains at large in Russia, beyond U.S. jurisdiction. The case underscores the resilience of cybercriminal operations, even after high-profile disruptions. Qakbot’s evolution highlights the persistent threat of malware-as-a-service models, where attackers continuously adapt to evade law enforcement.
{
  "id": "FRACONBLA1766997330",
  "linkid": "fraud-sense, continental, black-&-veatch---environmental",
  "type": "Ransomware",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"location": ["Global", "US (200,000 systems)"], "type": "Businesses (Various Industries)"}
  ],
  "attack_vector": ["Phishing (Spam Bomb Attacks)", "Social Engineering"],
  "data_breach": {
    "data_encryption": "Yes (Ransomware)",
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Sensitive data", "Credentials", "Personally Identifiable Information (PII)"]
  },
  "date_detected": "2023-11",
  "date_publicly_disclosed": "2025-04",
  "description": "Qakbot malware resurfaced with new 'spam bomb' attack tactics after the FBI's Operation Duck Hunt dismantled its infrastructure in August 2023. The malware, linked to $58 million in ransomware losses, evolved to trick employees into executing malicious code, leading to data encryption, exfiltration, and ransom demands.",
  "impact": {
    "data_compromised": "Sensitive data exfiltrated and encrypted",
    "financial_loss": "$58 million (ransomware-related losses)",
    "identity_theft_risk": "High (PII and credentials harvested)",
    "operational_impact": "Data encryption, system backdoors, credential harvesting",
    "systems_affected": "Over 700,000 computers globally (200,000 in the US)"
  },
  "initial_access_broker": {
    "backdoors_established": "Yes",
    "data_sold_on_dark_web": "Yes (Access sold to ransomware groups)",
    "entry_point": "Spam bomb attacks followed by social engineering"
  },
  "investigation_status": "Ongoing (Threat actor remains at large)",
  "lessons_learned": "Even high-profile law enforcement takedowns may only temporarily disrupt cybercriminal operations. Attackers adapt quickly, necessitating proactive defense strategies like endpoint protection and employee training.",
  "motivation": ["Financial Gain", "Cybercrime"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Enhanced employee training",
      "Deployment of advanced threat detection tools",
      "Continuous monitoring for malware resurgence"
    ],
    "root_causes": [
      "Insufficient employee awareness of social engineering tactics",
      "Lack of robust endpoint protection",
      "Cybercriminal adaptability post-law enforcement action"
    ]
  },
  "ransomware": {
    "data_encryption": "Yes",
    "data_exfiltration": "Yes",
    "ransomware_strain": ["REvil", "Black Basta", "Conti"]
  },
  "recommendations": [
    "Invest in advanced antivirus and endpoint protection platforms",
    "Implement employee training to recognize social engineering tactics",
    "Enhance monitoring for suspicious activity",
    "Prepare incident response plans for ransomware and data breaches"
  ],
  "references": [
    {"source": "The Register"},
    {"source": "U.S. Department of Justice"},
    {"source": "TechRadar Pro"}
  ],
  "regulatory_compliance": {"legal_actions": "Indictments unsealed (2025)"},
  "response": {
    "containment_measures": "Seizure of 52 servers, $8.6 million in cryptocurrency confiscated (2023)",
    "law_enforcement_notified": "Yes (FBI and international partners)"
  },
  "threat_actor": "Qakbot Operators (Allegedly led by Rustam Rafailevich Gallyamov)",
  "title": "Qakbot Malware Resurgence Post-FBI Takedown",
  "type": "Malware / Ransomware"
}