CISA and FBI Alert for Identification and Disruption of QakBot Infrastructure

This document provides guidance to critical infrastructure on specific indicators of compromise (IOCs) for QakBot-related activity. QakBot was originally used as a banking trojan to steal banking credentials. In most cases, QakBot was delivered via a phishing campaign with malicious attachments or links. QakBot has grown to deploy various types of malware, trojans, and ransomware that target multiple government services, including emergency services. This CSA provides several IOCs and mitigation strategies for ECCs to implement.