
A critical Windows zero-day vulnerability, known as Follina and still waiting for an official fix from Microsoft, is now being actively exploited in ongoing phishing attacks to infect recipients with Qbot malware.
As Proofpoint security researchers shared today, the TA570 Qbot affiliate has now begun using malicious Microsoft Office .docx documents. The document reaches out to an external server to load an HTML file that exploits the Follina flaw to run PowerShell code, which in turn downloads and executes a different Qbot DLL payload. A collection of indicators of compromise linked to this campaign by malware analyst ExecuteMalware can be found here.
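As an added, defender-side example (not from the article, Proofpoint or ExecuteMalware): a small Python triage check that flags a .docx whose relationship parts declare an external, HTTP-based OLE-object target, which is one way a document can be made to fetch a remote HTML file as described above. The article does not spell out the exact mechanism, so that is an assumption, and the sample document bytes are constructed in the script rather than taken from a real lure.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces/relationship types used by Word documents.
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"

# Constructed sample: a suspicious rels part pointing an OLE object at a remote URL.
SUSPICIOUS_RELS = f"""<?xml version="1.0"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}"
    Target="http://example.invalid/stage.html" TargetMode="External"/>
</Relationships>"""

# Constructed sample: an ordinary internal relationship, as in a benign document.
BENIGN_RELS = f"""<?xml version="1.0"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{STYLES_TYPE}" Target="styles.xml"/>
</Relationships>"""


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx-shaped zip around the given document.xml.rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return HTTP(S) targets of external OLE-object relationships in a .docx.

    Every .rels part in the package is inspected, so header/footer parts count too.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") == OLE_TYPE
                        and re.match(r"^https?://", target, re.I)):
                    hits.append(target)
    return hits
```

A non-empty result is a triage signal for quarantine and closer analysis, not proof of exploitation; legitimate documents rarely carry remote OLE-object relationships.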
Qbot is a modular Windows banking trojan with worming capabilities for infecting more devices on compromised networks via network share exploits and highly aggressive brute-force attacks against Active Directory admin accounts.
Microsoft published a report in December 2021 on the versatility of Qbot attacks, which makes it harder to accurately evaluate the scope of its infections.
The DFIR Report also recently shed light on light-speed Qbot attacks in which the malware steals sensitive user data within roughly 30 minutes of the initial infection.