QBot malware is back replacing IcedID in malspam campaigns
2021-04-13 15:38

In one case, the tango seems to be with QBot and IcedID, two banking trojans that are often seen delivering various ransomware strains as the final payload in the attack.

Return to initial payload

Earlier this year, researchers observed a malicious email campaign spreading weaponized Office documents that delivered the QBot trojan, only to change the payload after a short while.

In February, IcedID was the new malware coming from the URLs that used to serve QBot.

IcedID started as a banking trojan in 2017 and adjusted its functionality for malware delivery.

After a gap of about a month and a half, the malware distributor switched the payload back to QBot, which has been seen delivering ProLock, Egregor, and DoppelPaymer ransomware in the past.

The same trick is seen in the analysis from both Binary Defense and Brad Duncan on the malware distributor's switch to delivering IcedID in February 2021.


News URL

https://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/