30 August 2023

International police operation dismantles notorious Qakbot botnet


The US authorities and partners have dismantled the notorious Qakbot botnet that infected more than 700,000 computers globally and was linked to multiple attacks involving ransomware, financial fraud and other cybercriminal activity. The Qakbot operation is estimated to have caused nearly $60 million in losses from victims around the world.

The Qakbot malware (also known as QBot, QuackBot and Pinkslipbot) infected victim machines primarily through spam emails carrying malicious attachments or links. Originally designed as a banking trojan, Qakbot gained new capabilities over time. Besides providing initial access to targeted networks, Qakbot delivers other remote-access payloads, steals sensitive data, and facilitates lateral movement and remote code execution.

Qakbot has been used by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. According to recent research, Qakbot was the most popular malware loader during the first seven months of 2023.

Dubbed “Operation Duck Hunt,” the police action was led by the FBI and involved law enforcement agencies from France, Germany, the Netherlands, Romania, Latvia and the United Kingdom.

As part of the operation, Qakbot's infrastructure was dismantled and more than $8.6 million in cryptocurrency in illicit profits was seized. The FBI also identified over 700,000 Qakbot-infected machines across the globe.

To disrupt the botnet, the FBI redirected Qakbot command-and-control traffic to Bureau-controlled servers, which instructed the infected computers to download an uninstaller file designed to remove the Qakbot malware. The uninstaller severed compromised machines from the botnet and prevented the installation of any additional malware through it. It did not remove other malware that Qakbot had already dropped on a host, so previously infected machines should still be treated as compromised and investigated for follow-on payloads.
