A little over a month since a multinational task force headed by the U.S. Federal Bureau of Investigation and Dutch police claimed to have taken down prolific malware and botnet operator Qakbot, the threat actors behind Qakbot are back, but in a surprising twist, it appears they never went away to begin with.

The return of Qakbot was discovered by researchers at the Cisco Talos, which detailed in a blog post that the threat actors behind Qakbot have been conducting a campaign since early August in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via emails.

The date is the key here: The campaign started in early August and yet the FBI-led takedown was Aug. 29. As the researchers note, this activity appears before the “takedown” and, more importantly, has been ongoing since.

Although there’s merit in targeting and attempting to take down hacking groups, the process is often said to be like playing a game of Whac-A-Mole: Every time a group is supposedly taken down, others replace them, but in this case, it would appear it was never taken down properly.

Qakbot, also known as QBot and Pinkslipbot, first emerged in 2008 and was historically known as a banking Trojan virus that steals financial data from infected systems. In more recent times, Qakbot has used a variety of infection vectors, including switching file names and formats and deploying several techniques to hide its operation.

“This goes to show that completely shutting down any cybersecurity threat enterprise is a particularly difficult thing to do,” Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “It’s difficult to do because the offenders can keep doing whatever they want without almost any risk of having to pay for their illegality.”

Grimes compared the Qakbot hackers to a bank robber who never gets arrested and put in jail, noting that being a cybersecurity threat actor is almost all upside until the world agrees on what is and isn’t illegal in the digital realm.

Chris Morgan, senior cyber threat intelligence analyst at cybersecurity company ReliaQuest LLC, agreed, saying that the “news of Qakbot’s resurgence comes as no surprise, given the long list of other prominent malware families returning shortly after a law enforcement operation.” He noted that Emotet and Trickbot both returned following a significant takedown of associated infrastructure by law enforcement or cybersecurity firms.

“The latest Qakbot activity may indicate the recent law enforcement operation only impacted the malware’s command-and-control infrastructure and did not affect the infrastructure associated with Qakbot’s spam delivery,” Morgan added. “It is realistically possible that this indicates the malware’s developers have not been arrested and could have facilitated new command-and-control infrastructure to restart their operations.”

Image: Bing Image Creator