Tech-Wreck Tipper (TWT) – 023 – Qakbot back at it

Description: The QakBot (or Qbot) malware has resurfaced, targeting the hospitality industry in a new phishing campaign. The campaign involves an email purportedly sent by an IRS employee, which includes a PDF download that, when clicked, launches the QakBot malware DLL into memory.

Context: This revival comes months after the botnet was disrupted by law enforcement in an operation referred to as Operation Duck Hunt. The botnet had been silenced since August, but recent activity indicates a new distribution of QakBot malware that began just this past Monday.

Importance: QakBot, which originated as a banking trojan, has evolved into a powerful malware delivery service, allowing other threat actors to gain initial access to networks for nefarious activities like ransomware attacks, espionage, or data theft. The resurfacing of QakBot indicates potential threats to businesses, particularly in the hospitality industry.

Key Points:
• The phishing campaign involves an email appearing to come from an IRS employee with a PDF attachment.

Urgency: Given the high-risk factor associated with this malware and its recent resurgence, this situation is of high urgency. Businesses, especially in the hospitality industry, should act quickly to secure their systems.

Recommended Actions:
• Businesses should educate staff on the dangers of phishing emails and how to identify them.

Distribution: This report is relevant to IT departments, cybersecurity companies, and businesses in the hospitality industry. It should also be shared with cybersecurity agencies and law enforcement for further investigation and action.

Source: https://www.bleepingcomputer.com/news/security/qbot-malware-returns-in-campaign-targeting-hospitality-industry/
