Tracking 15 Years of Qakbot Development
ID: d3baf971-995c-5a20-aadd-41d8ee9b5470
STIX ID: report--d3baf971-995c-5a20-aadd-41d8ee9b5470
Feed Name: Zscaler Security Research Blog
This report traces Qakbot's evolution and operational TTPs over fifteen years. It covers the changes to its HTTP-based C2 protocol (encryption moving from RC4 to AES, and payloads moving from form-encoded to JSON), its DGA behaviour and the anti-analysis generation of fake domains, exfiltration first through compromised FTP servers and later directly to the C2, the transition to using compromised hosts as relays, command obfuscation through string-to-integer mappings, and the addition of RSA signature verification to prevent tampering. The report documents the configuration formats and artefacts that are useful for detection and response.
