
Qakbot Takedown: A Brief Victory in the Fight Against Resilient Malware


Prior botnet takedowns like Emotet and TrickBot have shown that sophisticated malware operations, like Qakbot, can often rebuild infrastructure and return from disruptions in new forms

August 30, 2023

Qakbot takedown and seizure

A global law enforcement operation has successfully disrupted the infrastructure of the Qakbot botnet, striking a major—though likely temporary—blow to a dominant player in the cybercriminal underground supply chain. 

Qakbot, familiarly Qbot, has been a major cyber threat since 2007, infecting victims’ computers to steal financial information and distribute additional malware payloads like ransomware. As a result of the takedown, more than 700,000 infected devices worldwide were identified and cleaned of the malware. The DOJ also announced the seizure of $8.6M in cryptocurrency in illicit profits.

While there is no doubt that the Qakbot takedown is a major win in the fight against cybercrime, it may only provide short-term relief in the fight against a notoriously resilient cybercriminal ecosystem.

‘Swiss Army knife’

A Swiss Army knife of cybercrime tools, Qakbot was a complex malware that opened remote access to victims’ systems, stole credentials and financial information, and downloaded additional malware payloads. Its modular architecture enabled frequent updates to add new capabilities over its 15+ years of operation.

“The collaborative endeavors of these authoritative bodies exemplify the power of a comprehensive, multi-agency approach, designed to maximize its impact.”

Ian Gray, VP Of Intelligence

Qakbot has been a versatile workhorse for cybercriminals. Its banking trojan functionality has been used to pilfer payment information and intercept financial transactions. As a loader, it distributed ransomware such as ProLock to extort victims.

Qakbot has also powered large-scale spam email campaigns and brute force attacks. Its worm-like spreading kept it entrenched in infected networks. By providing the backdoor access and distribution channel for other malware, Qakbot played a key supporting role in the cybercrime ecosystem. Botnets like Emotet and TrickBot operated similarly, loading additional threats onto compromised systems. These jack-of-all-trades botnets have proven lucrative for their criminal operators.

A history of temporary relief

Prior botnet takedowns like Emotet and TrickBot have shown that sophisticated malware operations can often rebuild infrastructure and return from disruptions in new forms.

In the case of Emotet, the botnet came back online in 2022 using new techniques after its infrastructure was dismantled in 2021. TrickBot also persisted despite takedown attempts and remains an active threat. This resiliency highlights the challenges law enforcement faces in permanently eliminating cyber threats.

While takedowns temporarily degrade capabilities, dedicated cybercriminal groups adapt to avoid further disruption. New malware families also inevitably emerge to fill the gaps left by larger takedowns. For example, BazarLoader and ZLoader rose to prominence as loader malware after the Emotet takedown.

Yet despite these disruptions, resilient botnets often return and new ones emerge. After the prior actions against Emotet and TrickBot, lingering demand in underground markets brought both back in adapted forms. Bots remain attractive tools for cybercriminals thanks to their versatility, automation, and money-generating potential.

While Qakbot’s infrastructure was disrupted, its operators may attempt to rebuild or evolve their techniques. Sustained pressure on botnet financial flows, developer communities, and other aspects of the cybercrime supply chain is needed to deter future attacks. For now, the coordinated Qakbot takedown bought time and degraded the capabilities of a dominant cybercrime player.

The fight against cybercrime must be persistent and comprehensive

The Qakbot takedown was effectively coordinated among global governments, including France, Germany, Latvia, Romania, the Netherlands, the UK, and the US, as well as the private sector. The collaborative endeavors of these authoritative bodies exemplify the power of a comprehensive, multi-agency approach, designed to maximize its impact.

Law enforcement and the private sector should continue coordinating takedowns while also focusing on detecting new malware variants early, disrupting communication channels, and following the money trails of criminal enterprises.

Cyber hygiene and threat awareness across organizations must also improve to reduce vulnerability to malware infections, including loaders and trojans that distribute threats like Qakbot. Technical controls like endpoint detection, network monitoring, and patching are also key.

Ultimately, defeating cybercrime requires a comprehensive strategy across law enforcement operations, cybersecurity practices, and international collaboration. The Qakbot takedown represents meaningful progress, but the world must remain vigilant against an adaptable threat landscape.

Get Flashpoint on your side

Flashpoint Ignite enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.


Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums


The legacy of Raid, Breach, and their ‘successors’ provides an important lens into how data breach communities function and the real-life implications of the information they traffic


Race to the bottom

Starting June 24, 2023, visitors to the former domain of Raid Forums were greeted by the avatar of arrested administrator “pompompurin” in tiny handcuffs—an unprecedented trolling of sorts by authorities. 

Pompompurin, whose real name is Conor Brian Fitzpatrick, became a highly reputable threat actor on the now-defunct top-tier hacking forum Raid Forums and, upon its shutdown, founded Breach Forums. Breach Forums continued the legacy of Raid Forums, both as a fixture among the data breach communities and as a law enforcement target. 

The founder and administrator of Raid Forums, Diogo Santos Coelho (aka “omnipotent”), was arrested on January 31, 2022. Fitzpatrick, who had been operating on English- and Russian-language forums under the pompompurin moniker since at least October 2020, was arrested by federal agents on March 15, 2023.

Now, both Raid Forums and Breach Forums are no more. Ever since their seizures, other threat actors, some of whom were involved in Breach and Raid, have attempted to continue their legacies in the purpose and services they provide. But it has thus far been a race to the bottom. 

Insight into the illicit spaces where cyber threat actors operate is vital to any threat intelligence operation. The legacy of Raid, Breach, and their “successors” provides an important lens into how data breach communities function and the real-life implications of the information they traffic. 


Timeline

Here is a summary of the recent events that we have observed within cybercriminal communities related, in some way, to Breach Forums and its legacy as a popular home for threat actors. 

  • March 17, 2023: Breach Forums administrator “baphomet” decides to shut down the forum following the March 15 arrest of administrator pompompurin. The Washington Post included Flashpoint analysis in its March 22 coverage on the end of Breach Forums.
  • March 29, 2023: PwnedForum, an identically formatted clone of Breach Forums, launches and quickly gains users and shares compromised data. The forum’s creator, “Sinistery,” solicited forum administrators and developers to volunteer to operate the site. 
  • However, the forum was quickly shut down on April 4, 2023, following a disagreement between Sinistery and forum administrators. A message attempting to sell PwnedForum was briefly advertised on the website before closing. One of the forum’s former main administrators, “Frost,” stated that they were working on a new forum separate from PwnedForum, though they did not provide a timeline.
  • May 29, 2023: “Impotent,” the administrator of the forum Exposed, leaks the database of 478,870 Raid Forums users.
  • June 4, 2023: PwnedForums posted on Telegram that the notorious leak collective, ShinyHunters, is launching a forum with former Breach Forums admins.
  • Also on June 4, a user posted an advertisement for the Exposed forum, calling it the “new” Breach Forums and inviting the Russian hacktivist collective Killnet to join the forum.
  • June 12, 2023: ShinyHunters launches a new forum called Breach Forums—eponymous by name only.
  • That very same day, Exposed Forums shut down. Its founders, “Impotent” and “Purism,” share that they will no longer support the development of Exposed Forums while cautioning against using the new Breach Forums due to operational security concerns.
  • June 18, 2023: Breach Forums is hacked, and the data breach exposes the personal information of over 4,000 registered members.
  • OnniForums, which appears to have launched in April 2023, took responsibility for the attack. It also claimed to have breached the forum Exposed, using a zero-day vulnerability in the open source forum software MyBB. The data leak included login keys, usernames, email addresses, IP addresses, password hashes, registration dates, members’ last visits and posts, number of posts, last activity, and social media handles with profile links.
  • June 24, 2023: The user database of DarkForums, a relatively new and unknown forum, is breached and leaked, joining the ranks of Raid Forums and the new Breach Forums. 

Though it is difficult to assess if any of these forums will sufficiently fill the void of the data breach communities that Raid Forums provided, threat actors continue to start new darknet venues—a perpetual cycle that shows the resiliency of illicit communities and forums, despite law enforcement, in-fighting, and the adversarial nature of these communities that lends itself to, well, data breaches. Though there may not be a centralized venue for data breaches, it will not be for a lack of trying … even if it means leaking the databases of their competitors.


Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism


Social media and messaging platforms like Telegram continue to play a key role in understanding events, rumors, and ideas as they unfold in the Russia-Ukraine war

June 28, 2023

Putin Vs. Prigozhin

The once-cordial relationship between Vladimir Putin and Yevgeny Prigozhin, commonly known as “Putin’s chef,” has soured completely, marking one of the most compelling storylines in Russia’s now 16-month-long invasion of Ukraine. This particular conflict, however, played out in Russia on June 23 and lasted a scintillating ~36 hours, ending in a schism whose implications continue to reverberate across the world, especially in Russia.

Mentions count in Flashpoint collections for variations on searches for Prigozhin and the Wagner Group. (Image: Flashpoint)

Social media and messaging platforms like Telegram continue to play a key role in helping individuals and organizations alike understand events, rumors, and ideas as they unfold, often in real time. As we describe in this article, and as we highlighted in our popular report on the role of open-source intelligence (OSINT) in the Russia-Ukraine War, organizations are rightfully viewing OSINT as a key element of their intelligence and security operations and leveraging it to understand organizational risk as it relates to the cyber, physical, and informational battlefields of this war.

Let’s zoom in on two crucial days—June 23 and June 24—of the conflict between Putin and Prigozhin and examine the importance of OSINT in understanding the events, then and now.

Flashpoint’s physical security intelligence platform showing results for a global search seeking mentions of Prigozhin across OSINT-related collections.

June 23: Wagner Accuses MOD of Missile Strike, Potential Military Coup Brews

On June 23, Yevgeny Prigozhin, the founder of the paramilitary company Wagner Group, accused Russia’s Ministry of Defence (MOD) and its leader, Sergei Shoigu, of conducting a missile strike on his mercenaries. Prigozhin claimed that the strike resulted in numerous fatalities. He characterized the MOD as “evil” and called for those responsible to be held accountable. It was unclear whether this move should be classified as a coup, insurrection, mutiny, or hardline bargaining tactic at the time.

Flashpoint’s physical security intelligence platform showing results across real-time open-source intelligence for terms related to “Prigozhin” and “coup”.

In retaliation, Prigozhin appeared to openly advocate for armed resistance against the MOD, adding fuel to an already tense stand-off. Prigozhin warned that “the next move will be ours,” and that those responsible for the deaths of the Wagner troops killed that day, as well as the deaths of many tens of thousands of Russian soldiers, would be “punished” and “justice” would be “returned,” both to Russia’s armed forces and to all of Russia. The MOD rejected these accusations, claiming that they “do not correspond to reality” and labeling them an “informational provocation.”

Round 2: #Shoigu hits back.

"All the video frames distributed on social networks on behalf of Yevgeny #Prigozhin about the alleged 'strike by the Russian Defense Ministry on the rear camps of the PMC Wagner” do not correspond to reality and are an informational provocation. pic.twitter.com/pBIPdFEdLc

— Jason Corcoran (@jason_corcoran) June 23, 2023

The current events, particularly the Wagner Group turning on Putin, can be traced back to the devastating fighting at Bakhmut, where the Wagner Group suffered heavy losses. This battle resulted in significant costs and losses for Russia.

June 24: Prigozhin’s March To Moscow

On June 24, Prigozhin announced that Wagner Group, the private military company (PMC) he leads, would cease its march on Moscow, ending what has been widely regarded as an armed insurrection and potential coup attempt targeting Russia’s military and government leadership.

Flashpoint’s physical security intelligence platform showing search results in Rostov-on-Don.

In an interesting twist, Belarusian President Lukashenko stepped in, providing a means for Wagner to continue operating in a “legal” manner. This intervention prompted the move of Wagner Group and Prigozhin to Belarus. This is particularly noteworthy as PMCs are technically illegal under Article 359 of the 1996 Russian Criminal Code. As a result of the negotiations, the sides agreed that a “bloodbath” on Russian territory should be averted and de-escalatory steps should be taken. Prigozhin agreed that Wagner would halt its advance on Moscow, which Prigozhin claims Wagner got within 200 kilometers of, and turn back to “go in the opposite direction to [their] field camps.” In return, Wagner personnel would be granted “security guarantees.” 


Prigozhin claims that Wagner had not spilled “a single drop of blood of our fighters” since the start of their march on Russia the day prior. However, Prigozhin claims that Russia’s military had attempted to fire at the PMC during their march, reportedly downing at least one and potentially multiple Russian military helicopters. There are also reports of a fire at a fuel depot in Voronezh, which may have been hit by a Russian helicopter.

Screengrab of a video posted on a pro-Wagner Telegram channel showing Wagner supporters in Rostov as they demonstrate support to departing Wagner troops. (Image: Telegram)

Wagner troops seized control of multiple military and administrative buildings in the Russian city of Rostov-on-Don early on Saturday morning and had since reportedly reached Voronezh, which lies 500 kilometers north of the city and on the way to Moscow. On June 24, Russian media reported that Wagner was preparing to leave Rostov-on-Don.

Since then, the Kremlin has said that Prigozhin would not have to face charges in Russia, but he has been dubbed a “traitor” by Putin. As of this publishing, Prigozhin is allegedly in Belarus, according to the country’s President, Lukashenko, who brokered the deal on Prigozhin’s behalf.

Concluding thoughts

In today’s dynamic geopolitical climate, staying ahead of the curve necessitates more than just monitoring mainstream media. Open-source intelligence collections have emerged as a game-changing tool for keeping abreast of the latest events in Ukraine and Russia, which can help various organizations and sectors sift through vast amounts of information, quickly filter out the noise, and deliver the most salient insights in real-time. The recent events in Russia showcase the value of this intelligence resource in offering a multifaceted perspective on ground realities. 


5 Reasons Taiwan Is a Growing Source of US-China Tension


Five key indicators that may represent current and future escalations in US-China tensions related to Taiwan. 

September 14, 2022

Introduction

At the end of last year, Flashpoint correctly forecasted that Taiwan would prove critical to US-China relations. In the same way it asserted authority over Hong Kong, recovering Taiwan, we wrote, would continue to be a primary pillar of China’s geopolitical strategy.

The new Cold War is characterized by Flashpoint as the use of cyber operations as tools of statecraft by major global powers

Fast forward to the present-day, as US-China tensions around the Taiwan Strait are elevated—buttressed by observed trends that may indicate that an increase in Chinese aggression around the Taiwan Strait is likely within the next 6-12 months. 

Here are five key indicators that may represent current and future escalations in US-China tensions related to Taiwan. 

1) Xi’s Third Term and the NPC

China’s National People’s Congress (NPC), scheduled for October 16, is held by the Chinese Communist Party every 5 years. It is considered to be the largest and most important time period for the CCP—this is when it typically announces political priorities as well as senior leadership appointments. This year’s NPC will be the 20th conference since the Party’s founding in 1921; without a planned successor, President Xi will take a third term—a first in CCP history since term limits were officially abolished by President Xi himself.

President Xi has remained vocal about his desire to complete reunification with Taiwan, which was most recently outlined in China’s most recent whitepaper, “The Taiwan Question and China’s Reunification in the New Era.” Notably, this is the first whitepaper that omits China’s desire to reunify with Taiwan peacefully, suggesting that an attempt to forcefully reunify is possible.

2) China’s Show of Might in the Taiwan Strait

Directly following Speaker Pelosi’s August trip to Taipei, China’s military, the PLA, scheduled a series of live-fire drills around Taiwan, the most impactful occurring from August 4-7 and including short, unprecedented incursions across the “median line” dividing Taiwan from China.

China’s air and sea exercises included several frigates, fighter jets, drones, and cyber attacks, and from the Chinese perspective, demonstrated China’s ability to encircle Taiwan swiftly and effectively on the world stage. The 22 ballistic missiles fired around Taiwan—five of which landed in Japan’s Exclusive Economic Zone (EEZ)—were the first launched near Taiwan since 1996. Additional military exercises around Taiwan occurred on August 15, coinciding with the visit of five senior lawmakers from the US Congress.

3) US-Taiwan Economic Partnership

On August 17, the US government announced its intention to begin formal trade negotiations with Taiwan to support US trade facilitation, including its support of state-owned small to medium enterprises in Taiwan. Though the US has maintained that its policy towards Taiwan remains unchanged, the Biden administration has unveiled new initiatives like these to suggest a deepening of the US-Taiwan partnership due to mutually perceived threats to democracy in the Indo-Pacific region. 

On August 30, the Biden administration introduced another lever to its cooperation with Taiwan, announcing a planned $1B arms package with the island nation that will reportedly include “60 anti-ship missiles and 100 air-to-air missiles.” The package, officially approved by Congress on September 2, signals a commitment by the US to help Taiwan defend itself in the event of conflict with China. 


4) Taiwan Ups Defense Spending

Taiwan continues to prepare its military for an increased likelihood of conflict with China, including a sharp increase in its announced FY2023 defense budget. On August 25, Taiwan said that it will increase its military budget by 13.9 percent—approximately triple its usual four-to-five percent increase year over year. Several aspects of Taiwan’s military are set to be modernized as well, including its naval capabilities, which will be a key component in any kinetic conflict with China.

5) China Cutting Key Diplomatic Channels with US 

China has made a handful of quiet diplomatic moves that signal its unhappiness with the current state of US-China relations, including severing cooperation with the US on key mutually beneficial touchpoints, such as climate change and counternarcotics. 

On August 25, US Deputy Secretary of State Wendy Sherman met with China’s Ambassador to the US, Qin Gang, to discuss China’s moves to cut diplomatic communication with the US. According to Chinese officials in Beijing, these moves were a series of “demarches” made by China regarding several recent US CODEL visits to Taiwan, including US Indiana Governor Holcomb’s August visit to Taiwan to discuss US-Taiwan semiconductor cooperation.

APAC Intelligence that Drives Decision-Making

To see firsthand how Flashpoint can help your organization leverage APAC-centric intelligence to protect critical assets and stakeholders, sign up for a free trial today.

Request a demo today.
