On May 26th, at around 14:37-14:47 UTC, Qakbot's tier two distribution server was "mysteriously" taken down. It appears that the threat group that runs Qakbot, which Binary Defense tracks as Durak Group, did not notice that the server was gone until they began gearing up for their next campaign early in the morning of May 27th. As a result, there was no malicious spam distribution campaign on May 27th. It took Durak Group only a day to spin up a replacement server, however, and malware distribution through email resumed on May 28th in a campaign that the threat actors labeled spx128.