ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Mallard Spider

Names: Mallard Spider (CrowdStrike), Gold Lagoon (SecureWorks)

Motivation: Financial crime, Financial gain

First seen: 2008

Description: (The Hacker News) First documented in 2008, Qbot (aka QuakBot, QakBot, or Pinkslipbot) has evolved over the years from an information stealer to a 'Swiss Army knife' adept in delivering other kinds of malware, including Prolock ransomware, and even remotely connecting to a target's Windows system to carry out banking transactions from the victim's IP address.

Attackers usually infect victims using phishing techniques to lure victims to websites that use exploits to inject Qbot via a dropper.

QakBot has been observed to be distributed by Emotet (operated by Mummy Spider, TA542).
Tools used: Egregor, Mimikatz, ProLock, QakBot.

Operations performed:

Mar 2020: PwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware
Mar 2020: Ransomware Attack Renders LaSalle County Government Computers Unusable
Apr 2020: QBot malware is back replacing IcedID in malspam campaigns
May 2020: FBI warns of ProLock ransomware decryptor not working properly
May 2020: Ransomware Hit ATM Giant Diebold Nixdorf
May 2020: ProLock Ransomware teams up with QakBot trojan for network access
Aug 2020: Qbot steals your email threads again to infect other victims
Sep 2020: FBI issues second alert about ProLock ransomware stealing data
Sep 2020: ProLock ransomware increases payment demand and victim count
Oct 2020: QBot uses Windows Defender Antivirus phishing bait to infect PCs
Nov 2020: QBot phishing lures victims using US election interference emails
Nov 2020: QBot partners with Egregor ransomware in bot-fueled attacks
Dec 2020: Qbot malware switched to stealthy new Windows autostart method

Last change to this card: 10 August 2021
