Started with a banking Trojan, ended with an international manhunt — the story of Qakbot in one virus.
American authorities have brought charges against Rustam Galliamov, named as the organizer of the large-scale Qakbot botnet, which was used to infect more than 700,000 computers around the world and provided access to systems for ransomware attacks.
According to the case materials, work on the Qakbot malware, also known as Qbot or Pinkslipbot, began back in 2008. Initially, Galliamov used it as a banking Trojan with the ability to self-propagate, keylogger functions, a downloader of other malware, and a backdoor. Gradually, a team of developers formed around the project, also involved in the creation of other types of malware.
By 2019, Qakbot had begun to be actively used as a primary infection vector in ransomware attacks carried out by such well-known groups as Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, Doppelpaymer, Black Basta, and Cactus. In exchange for providing access to compromised systems, Galliamov received a share of the ransom, the amount of which depended on the terms of cooperation with each specific group.
According to the investigation, hundreds of organizations around the world — from private companies and medical institutions to government agencies — suffered hundreds of millions of dollars in damage due to Qakbot infections. In just a year and a half, the recorded losses exceeded 58 million.
In 2023, the FBI managed to partially neutralize Qakbot's infrastructure by hacking its components and gaining control over one of the botnet operator's key computers. However, Galliamov continued to coordinate malicious activity until January 2025, including organizing large-scale spam campaigns against users in the United States.
During the investigation, digital assets worth more than $24 million were seized from Galliamov. These included cryptocurrency holdings: 30 bitcoins and $700,000 in USDT tokens, worth more than four million dollars at the current exchange rate. These funds were the subject of a separate forfeiture lawsuit filed by the US Department of Justice.
The measures to suppress Qakbot's activities were carried out as part of the international Operation Endgame, which seized more than 100 servers that supported the functioning of several botnets and malware loaders, such as IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader and SystemBC.