
QakBot Rises Again: Inside Campaign tchk08's MSI Dropper, Bamboo CI/CD Pipeline, and 100-Node Proxy Botnet

Published: March 12, 2026
Threat Actors: assessment points to the Eastern European/Russian cybercrime ecosystem
Tags: phishing, dll-sideloading, social-engineering, credential-theft, c2, botnet, ransomware, reverse-engineering, apt, spearphishing

TL;DR: QakBot (Qbot/Quakbot) continues to operate well after the FBI's August 2023 "Operation Duck Hunt" takedown. Campaign tchk08, first observed February 2024, delivers QakBot via an MSI installer masquerading as Adobe Acrobat. The dropper uses DLL sideloading -- a legitimate Microsoft Office ClickToRun binary loads a trojanized Bitdefender AMSI provider DLL (antimalware_provider64.dll) containing an encrypted configuration resource. Build artifacts reveal a professional Atlassian Bamboo CI/CD pipeline (project CST-DLIN-SOURCES), and the MSI metadata leaks a Russian locale (product language 1049). Infrastructure analysis uncovered three Tier 2 C2 servers on bulletproof hosting in Russia/Armenia, Bulgaria, and Moldova, fronted by a Tier 1 proxy network of 100+ compromised residential hosts spanning 13 countries across four continents. As of March 2026, QakBot remains actively distributed with campaigns targeting military and government entities.


Key Findings

QakBot has been a persistent threat since 2008, evolving from a simple banking trojan into a full-featured initial access broker that sells footholds to ransomware operators. The FBI's Operation Duck Hunt in August 2023 disrupted QakBot's infrastructure, but the operators rebuilt within four months. The tchk campaign series represents this post-takedown resurrection.

Professional Build Infrastructure

The PDB path embedded in the trojanized DLL reveals a sophisticated development operation:

D:\Bamboo\home\xml-data\build-dir\CST-DLIN-SOURCES\bin\x64\ReleaseMT\antimalware_provider64.pdb

This tells us several things:

  • Atlassian Bamboo CI/CD: The operators use an enterprise-grade continuous integration server for automated builds. This is not a hobbyist compiling malware on a personal workstation.
  • Project Name CST-DLIN: Likely an abbreviation for "Custom DLL Injection" or a similar internal codename. The structured naming suggests multiple build plans for different malware components.
  • ReleaseMT Configuration: Multi-threaded static runtime linking, which eliminates external CRT dependencies and produces cleaner, more portable binaries.
  • x64 Architecture: The build targets 64-bit Windows exclusively, indicating focus on modern enterprise environments.

The existence of a Bamboo CI/CD pipeline implies version control (likely Git), automated testing, and potentially multiple developers collaborating on the codebase. This is an organized cybercrime operation, not a lone actor.

DLL Sideloading: Office Loads "Bitdefender"

The sideloading technique is elegant in its simplicity:

  1. The MSI drops OfficeClickToRun.exe, a legitimate Microsoft Office binary.
  2. In the same directory, it places antimalware_provider64.dll, a DLL that masquerades as Bitdefender's AMSI (Antimalware Scan Interface) provider.
  3. When OfficeClickToRun.exe loads, it attempts to initialize AMSI integration and loads the DLL from its local directory.
  4. The DLL implements legitimate AMSI interfaces (IAmsiStream, MSOAVINFO) to maintain the facade.
  5. The export function CfGetPlatformInfo triggers the malicious code path.
  6. The embedded encrypted resource (184 KB) is decrypted to reveal the QakBot configuration.

This technique is particularly difficult to detect because:

  • The EXE is genuinely Microsoft-signed and passes all signature validation.
  • The DLL name matches a real Bitdefender component.
  • AMSI provider loading is a legitimate Windows operation.
  • The DLL contains genuine AMSI interface implementations alongside the malicious code.

Russian Origin Indicators

The MSI package metadata contains a telltale error: the ProductLanguage field is set to 1049, which is the Windows locale identifier for Russian. This means the MSI was built on a system configured for Russian language, and the operator forgot to change it to English (1033) or a neutral value before distribution. Combined with the FORTIS-AS C2 server (registered in Armenia, operated from Russia) and historical QakBot attribution to the Eastern European cybercrime ecosystem, this reinforces Russian-speaking operator attribution.

Multi-Layer Encryption

The configuration resource uses at least two encryption layers:

  • Layer 1: XOR with a 20-byte key: 546e6145583c0048553033214d6d213f71594843
    • ASCII representation: TnaEX<\x00HU03!Mm!?qYHC
    • A fragment of this key (Mm!?qYHC) appears as a readable string in the DLL binary
  • Layer 2+: Additional encryption (likely RC4 or AES) prevents direct config extraction after XOR decryption

The key fragment leaking into the binary's string table is an OPSEC failure -- it provides analysts a starting point for encryption analysis without requiring full reverse engineering.
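As an added example (not code from the report or from the malware), the following script works with the layer-1 XOR key published above: it renders the key the way the report does, strips or re-applies the repeating-key XOR, locates the leaked fragment in a binary and turns each occurrence into a candidate 20-byte key (assuming, as in the published key, that the fragment is the key's tail), and measures entropy to show why layer 1 alone does not yield the config. The DLL string area and the resource are constructed stand-ins; the real 184 KB resource is not reproduced.

```python
# Added example (not part of the report): working with the layer-1 XOR key.
# SAMPLE_BINARY and SAMPLE_RESOURCE are constructed stand-ins for the real DLL
# string area and its 184 KB encrypted resource.
import math
import random
import re
from collections import Counter

XOR_KEY = bytes.fromhex("546e6145583c0048553033214d6d213f71594843")  # 20 bytes
LEAKED_FRAGMENT = b"Mm!?qYHC"  # readable string observed in the DLL

def key_to_printable(key: bytes) -> str:
    """Render the key as the report does: printable ASCII as-is, others as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in key)

def xor_layer(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; self-inverse, so this both strips and re-applies layer 1."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_fragment(binary: bytes, fragment: bytes = LEAKED_FRAGMENT) -> list[int]:
    """Offsets at which the leaked key fragment occurs in a binary's bytes."""
    return [m.start() for m in re.finditer(re.escape(fragment), binary)]

def candidate_keys(binary: bytes, fragment: bytes = LEAKED_FRAGMENT, key_len: int = 20) -> list[bytes]:
    """Assuming the fragment is the tail of the key (true for the published key),
    each occurrence yields one candidate: the key_len bytes that end with it."""
    tail_off = key_len - len(fragment)  # 12 for the published key
    return [binary[p - tail_off : p + len(fragment)]
            for p in find_fragment(binary, fragment) if p >= tail_off]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means still encrypted/compressed, clearly lower means plaintext."""
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

# Constructed stand-in for the DLL's string area: AMSI facade strings with the
# full key stored contiguously, which is how the fragment ends up visible to `strings`.
SAMPLE_BINARY = (b"\x00" * 16 + b"CAntimalwareProvider::Scan\x00" + XOR_KEY
                 + b"\x00IAmsiStream\x00MSOAVINFO\x00")

# Constructed stand-in for the resource: layer 2 is unknown, so it is modelled as
# seeded pseudo-random bytes. After removing layer 1 the entropy stays near 8
# bits/byte, which is the signal that further decryption work remains.
SAMPLE_RESOURCE = xor_layer(random.Random(1).randbytes(4096))

def layer1_result(resource: bytes = SAMPLE_RESOURCE) -> tuple[bytes, float]:
    """Strip layer 1 and report the entropy of what is left."""
    stripped = xor_layer(resource)
    return stripped, shannon_entropy(stripped)

if __name__ == "__main__":
    print("key:", key_to_printable(XOR_KEY))
    print("fragment sits at key offset", XOR_KEY.find(LEAKED_FRAGMENT))
    print("candidate keys:", [k.hex() for k in candidate_keys(SAMPLE_BINARY)])
    print("entropy after layer 1: %.2f bits/byte" % layer1_result()[1])
```

An entropy that stays near 8 after the XOR pass is the practical confirmation of the report's "Layer 2+" observation: the output is not yet a parsable config.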


Attack Chain

[1] Phishing Email / Web Download
         |
         v
[2] 3d043d.msi -- MSI installer masquerading as "Acrobat"
    |-- Product Language: 1049 (Russian)
    |-- Builder: Advanced Installer 21.2.2
    |-- Product Version: 14.3.12
         |
         v
[3] disk1.cab -- Embedded cabinet extraction
    |-- OfficeClickToRun.exe (legitimate Microsoft, sideload host)
    |-- IntegratedOffice.exe (identical copy, redundancy)
    |-- dll_1 (trojanized antimalware_provider64.dll)
         |
         v
[4] DLL Sideloading
    |-- OfficeClickToRun.exe loads antimalware_provider64.dll
    |-- AMSI interface facade maintained
    |-- CfGetPlatformInfo export triggers malicious path
         |
         v
[5] Config Decryption
    |-- Resource rsrc_ID=928 (184 KB encrypted blob)
    |-- XOR Layer: 20-byte key 546e6145583c0048553033214d6d213f71594843
    |-- Additional encryption layers
         |
         v
[6] C2 Communication
    |-- Connects to Tier 1 proxy network
    |-- Ports: 443 (HTTPS), 995 (IMAPS), 2078, 2222
         |
         v
[7] Tier 1 Proxies (100+ compromised residential hosts, 13 countries)
         |
         v
[8] Tier 2 C2 Servers (bulletproof hosting: FORTIS-AS, EuroHoster, MivoCloud)

Infrastructure Analysis

Tier 2 C2 Servers

The command-and-control backend consists of three servers on well-known bulletproof hosting providers:

| IP | Port | ASN | Provider | Country | Reverse DNS | Status |
|---|---|---|---|---|---|---|
| 77[.]105[.]162[.]176 | 995 | AS41745 | FORTIS-AS | RU/AM | (no PTR) | OFFLINE |
| 31[.]210[.]173[.]10 | 443 | AS207728 | EuroHoster | BG | hosting.hosted-by-eurohoster[.]org | OFFLINE |
| 5[.]252[.]177[.]195 | 443 | AS39798 | MivoCloud | MD | no-rdns.mivocloud[.]com | OFFLINE |

All three providers have established reputations in the threat intelligence community:

  • FORTIS-AS (AS41745): Registered in Armenia but widely reported as operating from Russia. Frequently hosts banking trojans, stealers, and ransomware C2.
  • EuroHoster (AS207728): Bulgarian hosting provider with a history of slow abuse response. The hosted-by-eurohoster.org reverse DNS is a known indicator.
  • MivoCloud (AS39798): Moldovan hosting provider. The no-rdns.mivocloud.com default PTR record is seen across numerous malware C2 servers.

TLS connections to all three servers timed out during investigation, indicating they have been rotated offline. This is consistent with QakBot's operational pattern of regularly cycling C2 infrastructure.

Tier 1 Proxy Botnet

The Tier 1 layer consists of 100+ compromised residential and consumer hosts acting as reverse proxies to relay traffic between victims and the Tier 2 C2 servers. This architecture provides:

  1. IP diversity: Connections appear to originate from residential ISPs, not bulletproof hosting.
  2. Resilience: Losing individual proxy nodes does not disrupt the overall C2 channel.
  3. Attribution resistance: The proxy layer separates victim traffic from the actual C2 infrastructure.

Geographic Distribution

| Country | Count | Primary ASN | Ports |
|---|---|---|---|
| Saudi Arabia | 4 | STC (AS25019) | 443 |
| Greece | 4 | Forthnet (AS1241) | 995 |
| USA | 4 | Various (Frontier, Charter, Time Warner, Sprint) | 443 |
| Pakistan | 3 | PTCL (AS17557) | 995 |
| Mexico | 3 | Uninet (AS8151) | 995 |
| Canada | 3 | Bell Canada (AS577) | 2078 |
| Chile | 2 | Telefonica Chile (AS7418) | 443 |
| Taiwan | 2 | HiNet (AS3462) | 443 |
| UK | 1 | BT (AS2856) | 2222 |
| Belgium | 1 | Proximus (AS5432) | 995 |
| Romania | 1 | RCS & RDS (AS8708) | 443 |
| Tunisia | 1 | Topnet (AS37705) | 443 |
| Costa Rica | 1 | ICE (AS11830) | 443 |

Port Strategy

The port selection is strategic:

  • Port 443 (60+ nodes): HTTPS -- blends with normal encrypted web traffic.
  • Port 995 (25+ nodes): IMAPS -- disguises C2 as email client traffic. Many enterprise firewalls allow outbound 995 for email.
  • Port 2078 (10+ nodes): cPanel alternate port -- blends with web hosting management traffic.
  • Port 2222 (5+ nodes): SSH alternate -- appears as legitimate remote administration.

All four ports are commonly allowed through corporate firewalls, and the traffic is encrypted (TLS/SSH), making content inspection difficult.

Activity Window

  • Earliest observed: September 28, 2025
  • Most recent: January 20, 2026
  • Active period: Approximately 4 months of continuous operation

Infrastructure Hierarchy

                  [Internet]
                      |
        +-------------+-------------+
        |             |             |
   [FORTIS-AS]  [EuroHoster]  [MivoCloud]
   AS41745 RU    AS207728 BG   AS39798 MD
   :995          :443          :443
        |             |             |
        +------+------+------+-----+
               |
    ========================
    |  Tier 1 Proxy Layer  |
    |  100+ residential    |
    |  13 countries        |
    |  16 ASNs             |
    |  Ports: 443/995/     |
    |         2078/2222    |
    ========================
               |
        [Victim Machines]

Detection

YARA Summary

Detection rules target three components:

  1. QakBot MSI Dropper: Matches MSI files containing the combination of OfficeClickToRun.exe embedded within a cabinet, the antimalware_provider64.dll filename, and Advanced Installer metadata strings. Also detects the MSI ProductLanguage=1049 (Russian) as an additional indicator.

  2. Trojanized AMSI Provider DLL: Matches PE DLLs exporting CfGetPlatformInfo that contain AMSI interface strings (IAmsiStream, MSOAVINFO, CAntimalwareProvider::Scan) combined with the Bamboo PDB path pattern (\Bamboo\home\xml-data\build-dir\). A broader variant matches any DLL with the antimalware_provider64 export name that is not located in a Bitdefender installation directory.

  3. QakBot Encrypted Config Resource: Matches PE files containing resource sections larger than 100 KB with the specific XOR key fragment Mm!?qYHC or the full 20-byte key pattern in the binary.

Suricata Summary

Network detection rules cover:

  1. QakBot Proxy Communication: Alerts on TLS connections to residential IP ranges on ports 995, 2078, and 2222, which are unusual for enterprise traffic. Port 443 connections to the specific Tier 1 proxy IPs are also covered.

  2. Bulletproof Hosting C2: Alerts on any outbound connections to IP ranges belonging to FORTIS-AS (AS41745), EuroHoster (AS207728), and MivoCloud (AS39798), regardless of port.

  3. MSI Download with Acrobat Lure: Detects HTTP/HTTPS downloads of MSI files where the Content-Disposition or URL contains "Acrobat" or "Adobe" strings, matching the social engineering lure.
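The three network rules summarised above, written as an added Python example (not the report's Suricata rules) and run over constructed flow records. ASN and residential/ISP enrichment are assumed to come from an upstream lookup and are filled in by hand on the samples; the two C2 addresses are the report's, the other addresses and URLs are made up.

```python
# Added example (not part of the report): Suricata-style network detections
# over constructed flow records. Enrichment fields (dst_asn, dst_residential)
# are assumed to be supplied by an external lookup.
from dataclasses import dataclass

TIER2_C2 = {"77[.]105[.]162[.]176": 995, "31[.]210[.]173[.]10": 443, "5[.]252[.]177[.]195": 443}
BPH_ASNS = {41745: "FORTIS-AS", 207728: "EuroHoster", 39798: "MivoCloud"}
PROXY_ODD_PORTS = {995, 2078, 2222}  # TLS ports unusual for enterprise egress
LURE_WORDS = ("acrobat", "adobe")

def refang(ioc: str) -> str:
    """Turn the report's defanged form (77[.]105[.]...) back into a usable address."""
    return ioc.replace("[.]", ".")

TIER2_LOOKUP = {refang(ip): port for ip, port in TIER2_C2.items()}

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    proto: str                       # "tls" or "http"
    dst_asn: int = 0                 # 0 = unknown
    dst_residential: bool = False    # consumer/ISP range per enrichment
    url: str = ""                    # http only
    content_disposition: str = ""    # http only

def classify(flow: Flow) -> list[str]:
    """Return the names of every rule the flow triggers (empty list = clean)."""
    hits = []
    if TIER2_LOOKUP.get(flow.dst_ip) == flow.dst_port:
        hits.append("qakbot_tier2_c2")
    if flow.dst_asn in BPH_ASNS:  # any port, as the report's rule states
        hits.append(f"bph_asn_{BPH_ASNS[flow.dst_asn]}")
    if flow.proto == "tls" and flow.dst_residential and flow.dst_port in PROXY_ODD_PORTS:
        hits.append("qakbot_proxy_odd_port")
    if flow.proto == "http":
        blob = (flow.url + " " + flow.content_disposition).lower()
        if ".msi" in blob and any(w in blob for w in LURE_WORDS):
            hits.append("msi_acrobat_lure")
    return hits

# Constructed sample flows. 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_FLOWS = [
    Flow(refang("77[.]105[.]162[.]176"), 995, "tls", dst_asn=41745),
    Flow("203.0.113.7", 2078, "tls", dst_asn=577, dst_residential=True),
    Flow("203.0.113.8", 443, "tls", dst_asn=577, dst_residential=True),  # 443 needs an IP match
    Flow("198.51.100.9", 80, "http", url="http://example.invalid/dl/Acrobat_Setup.msi"),
    Flow("198.51.100.9", 80, "http", url="http://example.invalid/dl/update.msi",
         content_disposition='attachment; filename="AdobeReader.msi"'),
    Flow("198.51.100.9", 80, "http", url="http://example.invalid/dl/report.pdf"),
]

def run_detection(flows=SAMPLE_FLOWS) -> dict[int, list[str]]:
    """Map flow index -> triggered rules, for every flow that triggered something."""
    return {i: h for i, f in enumerate(flows) if (h := classify(f))}

if __name__ == "__main__":
    for idx, rules in run_detection().items():
        print(idx, SAMPLE_FLOWS[idx].dst_ip, SAMPLE_FLOWS[idx].dst_port, rules)
```

The residential port-443 flow deliberately does not alert: as the report notes, 443 to residential space is only actionable against the specific Tier 1 proxy list.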


IOCs (Defanged)

Network Indicators -- Tier 2 C2 (High Confidence)

77[.]105[.]162[.]176:995     # FORTIS-AS (RU/AM) - bulletproof hosting
31[.]210[.]173[.]10:443      # EuroHoster (BG) - bulletproof hosting
5[.]252[.]177[.]195:443      # MivoCloud (MD) - bulletproof hosting

Network Indicators -- Tier 1 Proxies (Medium Confidence)


Full list of 100 Tier 1 proxy nodes available in the investigation data.

File Indicators

MSI Dropper (3d043d.msi):

SHA256: 73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3
SHA1:   e76211f214c1bcd7eb4ab21478d11a50c31d5da7
MD5:    483b57478ab379546ae9fbab1c0185fa

Trojanized DLL (antimalware_provider64.dll):

SHA256: a59707803f3d94ed9cb429929c832e9b74ce56071a1c2086949b389539788d8a
SHA1:   ce261d1f31bed80417009fbeb5230be37c34e374
MD5:    af7364f14a56ae4234d449ff89a2bb7d

Legitimate EXE (OfficeClickToRun.exe -- sideload host):

SHA256: 51023131c42ea9af4347f7484a3d4ac713c5115e12dcf14cafc08eed10b2d9fb

Encrypted Config Resource:

SHA256: 8f7699432d57f29ffb72c5812c16525043ed15d45e6ca300a0adeaa0b13c49da

Related tchk08 Samples:

SHA256: 49220571574da61781de37f35c66e8f0dadb18fdedb6d3a1be67485069cfd4b0  (02.dll payload)
SHA256: 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d  (u2.bat dropper)

Behavioral Indicators

PDB path:       D:\Bamboo\home\xml-data\build-dir\CST-DLIN-SOURCES\bin\x64\ReleaseMT\antimalware_provider64.pdb
DLL export:     antimalware_provider64.dll -> CfGetPlatformInfo
MSI ProductCode:  {A4FB3C4D-62C3-4A77-8F15-9540AD72B793}
MSI UpgradeCode:  {606FF783-6BB4-4D8D-B737-B1CA4F452411}
XOR key (hex):  546e6145583c0048553033214d6d213f71594843
Imphash (02.dll): 13904d1cc18631217d0dcb5bf82fbc09

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Application |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | MSI dropper delivered via email or web download |
| Execution | System Binary Proxy Execution: Msiexec | T1218.007 | MSI installer as execution vector |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | BAT file dropper variant (u2.bat) |
| Persistence | Hijack Execution Flow: DLL Side-Loading | T1574.002 | OfficeClickToRun.exe loads trojanized AMSI DLL |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | DLL named antimalware_provider64.dll (Bitdefender) |
| Defense Evasion | Obfuscated Files or Information | T1027 | Multi-layer XOR + RC4/AES encrypted config blob |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Leverages legitimate Microsoft-signed OfficeClickToRun binary |
| Credential Access | OS Credential Dumping | T1003 | Mimikatz techniques identified in payload DLL |
| Discovery | Process Discovery | T1057 | EnumeratesProcesses behavior in sandbox analysis |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTPS (443) and IMAPS (995) C2 channels |
| Command and Control | Proxy: External Proxy | T1090.002 | Tier 1 residential proxy botnet (100+ nodes) |
| Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 | Bulletproof hosting on FORTIS-AS, EuroHoster, MivoCloud |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Data exfiltration through the proxy network |

Campaign Timeline and Evolution

| Date | Event |
|---|---|
| 2023-08 | FBI Operation "Duck Hunt" disrupts QakBot infrastructure |
| 2023-10-06 | Trojanized DLL compiled (Bamboo CI/CD build) |
| 2023-12 | QakBot operators resume with new infrastructure |
| 2024-02-06 | tchk08 MSI dropper first observed (MalwareBazaar, reported by pr0xylife) |
| 2024-03-20 | Campaign timestamp in config (1710958492) |
| 2024-04-18 | Updated DLL payload (02.dll) and BAT dropper (u2.bat) variants appear |
| 2025-09-28 | Earliest Tier 1 proxy activity in ThreatFox dataset |
| 2026-01-20 | Most recent Tier 1 proxy activity observed |
| 2026-03-03 | Russian government document lures (Predstavlenie_na_naznachenie.zip) |
| 2026-03-04 | Military targeting (Weapons requirements for the Kuwait Air Force.zip) |
| 2026-03-04 | LNK-based delivery (IMG-463417090.png.lnk) |
| 2026-03-10 | Investigation date |

Post-Takedown Evolution

QakBot's resurrection after Operation Duck Hunt demonstrates the resilience of organized cybercrime operations. Key adaptations since the takedown include:

  • Delivery diversification: MSI installers, LNK files, batch scripts, and ZIP archives
  • Lure sophistication: Military procurement documents, government appointment letters, software installer spoofs
  • Tooling expansion: Association with RClone-Stealer-Mega (data exfiltration), SkyCloak (evasion toolkit), and VortexWerewolf (APT group attribution)
  • Infrastructure hardening: Tiered proxy architecture with 100+ nodes provides resilience against individual takedowns

Threat Actor Assessment

Attribution

  • Confidence: MEDIUM
  • Region: Russia / Eastern Europe
  • Evidence: ProductLanguage=1049 (Russian), FORTIS-AS C2 hosting (Russian-operated), Bamboo CI/CD naming conventions, historical QakBot attribution, recent Russian-language lure documents
  • Motivation: Financial -- banking credential theft, ransomware deployment, initial access brokering

Sophistication Level: Expert

The combination of professional CI/CD infrastructure, multi-layer encryption, legitimate binary abuse, AMSI provider masquerading, and tiered C2 architecture places this operation in the expert category. The QakBot operators maintain what amounts to a software development organization, complete with automated builds, versioned releases, and distributed infrastructure.

OPSEC Failures

Despite the high sophistication, several operational security mistakes were made:

  1. PDB path: The Bamboo build path in the DLL reveals infrastructure details that aid attribution.
  2. Russian locale: ProductLanguage=1049 was not neutralized, providing a language indicator.
  3. Build tool fingerprint: Advanced Installer 21.2.2 (build a099d476) is identifiable and version-specific.
  4. XOR key fragment: The Mm!?qYHC string in the DLL body provides a starting point for encryption analysis.
  5. Redundant EXEs: Two identical copies of OfficeClickToRun.exe increase the detection surface without providing operational benefit.

Defensive Recommendations

Immediate Actions

  • Block all Tier 2 C2 IPs at firewall/proxy level.
  • Search SIEM and EDR for historical connections to listed C2 IPs on ports 443, 995, 2078, and 2222.
  • Hunt for antimalware_provider64.dll not located in Bitdefender installation directories.
  • Search for OfficeClickToRun.exe running from non-standard paths (outside Program Files).
  • Review email gateway logs for inbound MSI attachments.

Policy Changes

  • Block MSI execution from user temp and download directories.
  • Implement DLL allow-listing for AMSI providers (restrict to legitimate AV vendor paths).
  • Deploy ASR (Attack Surface Reduction) rules to block DLL sideloading from non-standard directories.
  • Audit DLL loading behavior for all Office applications.

Long-Term Monitoring

  • Subscribe to ThreatFox QakBot feeds (campaign tags: drb-ra, tchk).
  • Monitor for new QakBot C2 entries on MalwareBazaar.
  • Consider blocking known BPH ASNs (AS41745, AS207728, AS39798) at the network perimeter.
  • Track Bamboo CI/CD PDB path patterns across new samples for build infrastructure correlation.

Published by Breakglass Intelligence -- GHOST automated analysis pipeline. Investigation ID: qakbot-march10 | TLP:WHITE | 2026-03-10
