Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet.

Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December 11 but attack attempts are currently low in volume.

The gang targets the hospitality sector, initially using phishing emails containing malicious PDF attachments that they’ve doctored to look like they come from the US Internal Revenue Service (IRS).

When opened, the PDF presents the target with an error screen indicating a preview of the document isn’t available, alongside a button to download the document from “AdobeCloud.”

Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet.

Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December 11 but attack attempts are currently low in volume.

The gang targets the hospitality sector, initially using phishing emails containing malicious PDF attachments that they’ve doctored to look like they come from the US Internal Revenue Service (IRS).

When opened, the PDF presents the target with an error screen indicating a preview of the document isn’t available, alongside a button to download the document from “AdobeCloud.”

Germán Fernández, security researcher at CronUp, said the same PDF template was used by Pikabot operators just days earlier – Windows malware that shares many similarities with Qakbot. Both are being associated with attacks from the group Proofpoint tracks as TA577.

Clicking the button in the PDF led to the download and installation of Qakbot, which Microsoft said may have been an updated payload. The previously unseen version, 0x500, was generated on December 11, according to its analysis.

The team at Zscaler ThreatLabz confirmed that the payload was updated, and the new version has a 64-bit architecture, uses AES for network encryption, and sends POST requests to path /teorema505.

Two researchers at Proofpoint, Tommy Madjar and Pim Trouerbach, also confirmed they had spotted updated Qakbot activity, but the new features only amount to “minor tweaks.”

They added that the new Qakbot activity goes back to November 28, roughly two weeks further than December 11 – the date Microsoft first spotted it.