This appears to be a widespread #TR #Qakbot #Qbot campaign today that could lead to Cobalt Strike, Bloodhound, and things that look very "pre-ransomware-y." The domains/hashes change, but the detection opportunities mentioned here are more durable. I highly recommend looking for this NOW.
Over the past few hours, we’ve observed malicious phishing emails associated with the delivery affiliate TR in multiple customer environments. The infection scheme was consistent, executing in the following pattern: OneDrive phishing page -> ZIP download -> malicious XLSB -> Qbot
Sounds like another fun weekend…NOT!
Feb 19, 2022 · 2:47 AM UTC