- The FBI's huge Qakbot bust only paused the malware's reign; it returned stronger and stealthier
- Qakbot's new spam-bomb attack tricks employees into letting ransomware loose inside their own businesses
- Despite millions seized, the Qakbot mastermind remains free in Russia, far from US law enforcement
In a major cybercrime crackdown, the FBI and international partners declared victory over Qakbot, also known as QBot, back in August 2023.
The malware operation, which infected more than 700,000 computers globally (including about 200,000 in the US), was linked to $58 million in ransomware-related losses.
Described by US Attorney Martin Estrada as "the most significant technological and financial operation ever led by the Department of Justice against a botnet," Operation Duck Hunt led to the seizure of 52 servers and the confiscation of $8.6 million in cryptocurrency. But, as with many supposed knockouts in cybercrime, the celebration was premature.
Qakbot reappears
Within just three months, Qakbot reappeared, demonstrating that even coordinated, resource-intensive law enforcement actions can have disappointingly limited long-term impact.
After the 2023 takedown, alleged ringleader Rustam Rafailevich Gallyamov and his crew did not retire; they adapted. Rather than relying on traditional phishing to distribute the malware, they reportedly switched to more deceptive tactics.
According to The Register, recently unsealed charges reveal a new strategy involving "spam bomb attacks": flooding employees' inboxes with unwanted subscription emails.
The attackers would then pose as IT staff offering to help, tricking victims into running malicious code.
This tactic enabled the group to regain access to business systems, encrypt files and exfiltrate sensitive data.
"Defendant Gallyamov and co-conspirators would launch targeted spam bomb attacks against employees of victims," the indictment states, "and then contact these employees while posing as information technology workers."
Once access was granted, the consequences were swift and severe: data theft, encryption and ransom demands.
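The spam-bomb stage described above leaves a footprint in mail telemetry: the bait arrives as a dense burst of individually harmless sign-up confirmations from many unrelated senders, which is exactly the opposite of how a real person subscribes to things. The following Python is an added example, not code from the article, the court filing, or any vendor. It flags recipients who receive an abnormal burst of subscription-style messages from many distinct sender domains inside a short window. The one-message-per-line log format, the subject patterns, the thresholds and the sample log lines are all constructed assumptions for illustration.

```python
"""Detect subscription-bomb ("email bomb") bursts in a simplified mail log.

Added example, not code from the article or from any vendor. It assumes a
constructed log format of one message per line:
    <ISO-8601 timestamp> <recipient> <sender> <subject>
Thresholds are illustrative and should be tuned to a real tenant's baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Subjects typical of newsletter/account sign-up confirmations. The bomb works
# precisely because each message is legitimate on its own, so the detection
# keys on volume and sender diversity rather than on any single "bad" message.
SUBSCRIPTION_RE = re.compile(
    r"(confirm your (subscription|e-?mail)|welcome to|verify your (e-?mail|account)"
    r"|thanks for (signing up|subscribing)|activate your account)",
    re.IGNORECASE,
)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Return (timestamp, recipient, sender, subject), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_raw, rcpt, sender, subject = m.groups()
    try:
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts, rcpt.lower(), sender.lower(), subject


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1]


def detect_mail_bombs(lines, window=timedelta(minutes=10), min_messages=15, min_domains=10):
    """Flag recipients who get >= min_messages subscription-style mails from
    >= min_domains distinct sender domains inside any `window`-long period.

    Returns {recipient: {"count", "domains", "start", "end"}} for the densest
    window per flagged recipient. Quadratic in the per-recipient message count,
    which is fine for a triage script over a day of one tenant's mail.
    """
    per_rcpt = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rcpt, sender, subject = parsed
        if SUBSCRIPTION_RE.search(subject):
            per_rcpt[rcpt].append((ts, sender_domain(sender)))

    alerts = {}
    for rcpt, msgs in per_rcpt.items():
        msgs.sort()
        best = None
        start = 0
        # Two-pointer sliding window over the time-sorted messages.
        for end in range(len(msgs)):
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            count = end - start + 1
            domains = len({d for _, d in msgs[start:end + 1]})
            if count >= min_messages and domains >= min_domains:
                if best is None or count > best["count"]:
                    best = {"count": count, "domains": domains,
                            "start": msgs[start][0], "end": msgs[end][0]}
        if best:
            alerts[rcpt] = best
    return alerts


def build_sample_log():
    """Constructed sample log (not real traffic) with three recipients:
    alice is bombed from 30 domains in five minutes; bob gets three genuine
    sign-up confirmations spread over a day; carol gets a same-size burst from
    a single list server, a noisy but benign pattern the domain threshold drops."""
    t0 = datetime(2025, 5, 20, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} alice@example.com news@shop{i}.example Confirm your subscription")
    for i in range(3):
        ts = t0 + timedelta(hours=4 * i)
        lines.append(f"{ts.isoformat()} bob@example.com hello@service{i}.example Welcome to service{i}")
    for i in range(30):
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} carol@example.com digest@list.example Thanks for subscribing to the digest")
    # Unrelated business mail and a malformed line; both are ignored.
    lines.append(f"{t0.isoformat()} alice@example.com boss@example.com Q2 budget")
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for rcpt, a in detect_mail_bombs(build_sample_log()).items():
        print(f"ALERT {rcpt}: {a['count']} sign-up mails from {a['domains']} domains "
              f"between {a['start']:%H:%M:%S} and {a['end']:%H:%M:%S}")
```

Because the article describes the bomb as the opening move before a phone call from fake IT staff, an alert here is most useful if it reaches the targeted employee and the real help desk quickly, with the explicit message that any unsolicited "IT support" contact in the following hours should be treated as part of the same attack.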
Qakbot allows attackers to backdoor systems, install additional malware and harvest credentials.
Operators behind ransomware strains such as REvil, Black Basta and Conti allegedly paid Gallyamov and his associates for access, or even shared a portion of their extortion proceeds.
In April 2025, further illicit funds were seized from Gallyamov, more than 30 Bitcoin and $700,000, but he remains in Russia, beyond the reach of US law enforcement.
As federal officials put it, "unless he foolishly decides to leave the protection of the motherland," Gallyamov will probably remain untouched.
To stay protected from these kinds of threats, organizations need to invest in strong antivirus; in addition, a leading endpoint protection platform can help detect and isolate suspicious activity before it escalates into a data breach or ransomware attack.