Security News > 2022 > June > Qbot malware now uses Windows MSDT zero-day in phishing attacks

A critical Windows zero-day vulnerability, known as Follina and still waiting for an official fix from Microsoft, is now being actively exploited in ongoing phishing attacks to infect recipients with Qbot malware.
As Proofpoint security researchers shared today, the TA570 Qbot affiliate has now begun using malicious Microsoft Office.
Docx document will reach out to an external server to load an HTML file that exploits the Follina flaw to run PowerShell code which downloads and executes a different Qbot DLL payload. A collection of indicators of compromise linked to this campaign by malware analyst ExecuteMalware can be found here.
Qbot is a modular Windows banking trojan with worming capabilities for infecting more devices on compromised networks via network share exploits and highly aggressive brute-force attacks against Active Directory admin accounts.
Microsoft has published a report in December 2021 regarding the versatility of Qbot attacks that makes it harder to accurately evaluate the scope of its infections.
The DFIR Report also recently shed light on Qbot light-speed attacks where the malware is able to steal sensitive user data within roughly 30 minutes after the initial infection.
News URL
Related news
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)
- EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware (source)
- Apple fixes zero-day flaw exploited in “extremely sophisticated” attack (CVE-2025-24200) (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks (source)
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Darktrace: 96% of Phishing Attacks in 2024 Exploited Trusted Domains Including SharePoint & Zoom Docs (source)
- Phishing attack hides JavaScript using invisible Unicode trick (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)