Hibernating Qakbot
ID: 255879c7-afaf-5202-b65d-561df2e4a3d1
STIX ID: report--255879c7-afaf-5202-b65d-561df2e4a3d1
Feed Name: Zscaler Security Research Blog
This report analyzes Qakbot campaigns from March–May 2023. It describes evolving attack chains that use malspam and diverse file formats (PDF, HTML, OneNote, XLL, ZIP, MSI) to deliver staged loaders (obfuscated JS, WSF/HTA, PowerShell, XMLHTTP), which fetch and execute the Qakbot payload. It also documents advanced evasion techniques (DLL side-loading, indirect execution via conhost.exe, scheduled tasks) and observes similarities between Qakbot and recently seen Pikabot samples.
