GOLD LAGOON
SUMMARY
GOLD LAGOON is a financially motivated cybercriminal threat group active since 2007 that operated the Qakbot (aka Qbot) malware. Qakbot is a modular malware framework that supports numerous capabilities such as credential theft, spam delivery, interception and manipulation of web traffic with webinjects, and remote access.
Qakbot was frequently distributed through spam campaigns and until February 2020 as a second-stage download from the Emotet botnet. An optional email collection module enables additional infections by replying to a victim's existing email threads with a malicious attachment or link leading to the download of Qakbot. It can also self-spread using an SMB brute force module that contains a list of commonly used passwords. A universal plug-and-play (UPnP) module is able to transform infected hosts without direct Internet connectivity into intermediate command and control (C2) servers used for the botnet.
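The SMB brute-force module described above produces a distinctive signal on the victim network: one host generating bursts of failed network logons against many peers, often with several built-in or generic account names. The detector below is an added example written for this page, not code from Secureworks or the CTU, and it runs over constructed Windows Security event 4625 (failed logon) records embedded inline; the field names are a simplified assumption rather than any particular SIEM's schema, and the thresholds are illustrative defaults that should be tuned to the environment.

```python
"""
Added example (not from the original page): flag a source host whose failed
network logons (Windows event 4625, logon type 3, the type SMB authentication
produces) cluster across many target hosts in a short window, the pattern an
SMB password brute-force or spray module leaves behind.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events). Field names are a simplified
# assumption: ts, src (workstation name), dst (target host), user, event_id,
# logon_type. 2 = interactive, 3 = network.
SAMPLE_EVENTS = [
    # WS-104 plays the infected host: many targets, generic accounts, seconds apart.
    {"ts": "2023-08-20T10:00:01", "src": "WS-104", "dst": "FS-01",  "user": "administrator", "event_id": 4625, "logon_type": 3},
    {"ts": "2023-08-20T10:00:02", "src": "WS-104", "dst": "FS-01",  "user": "admin",         "event_id": 4625, "logon_type": 3},
    {"ts": "2023-08-20T10:00:03", "src": "WS-104", "dst": "FS-02",  "user": "administrator", "event_id": 4625, "logon_type": 3},
    {"ts": "2023-08-20T10:00:04", "src": "WS-104", "dst": "FS-02",  "user": "backup",        "event_id": 4625, "logon_type": 3},
    {"ts": "2023-08-20T10:00:05", "src": "WS-104", "dst": "WS-201", "user": "administrator", "event_id": 4625, "logon_type": 3},
    {"ts": "2023-08-20T10:00:06", "src": "WS-104", "dst": "WS-202", "user": "administrator", "event_id": 4625, "logon_type": 3},
    {"ts": "2023-08-20T10:00:07", "src": "WS-104", "dst": "WS-203", "user": "svc_sql",       "event_id": 4625, "logon_type": 3},
    {"ts": "2023-08-20T10:00:08", "src": "WS-104", "dst": "WS-204", "user": "administrator", "event_id": 4625, "logon_type": 3},
    # WS-077 plays a user mistyping their own password at one file server: benign.
    {"ts": "2023-08-20T10:05:00", "src": "WS-077", "dst": "FS-01",  "user": "jdoe",          "event_id": 4625, "logon_type": 3},
    {"ts": "2023-08-20T10:05:20", "src": "WS-077", "dst": "FS-01",  "user": "jdoe",          "event_id": 4625, "logon_type": 3},
    {"ts": "2023-08-20T10:05:40", "src": "WS-077", "dst": "FS-01",  "user": "jdoe",          "event_id": 4625, "logon_type": 3},
    # An interactive (type 2) failure on WS-104 an hour earlier: not SMB, ignored.
    {"ts": "2023-08-20T09:00:00", "src": "WS-104", "dst": "WS-104", "user": "alice",         "event_id": 4625, "logon_type": 2},
]


def detect_smb_spray(events, window=timedelta(minutes=5), min_targets=3, min_failures=6):
    """Return {src: summary} for every source host that, within any sliding
    `window`, produced at least `min_failures` failed network logons spread
    over at least `min_targets` distinct target hosts. The summary describes
    the largest qualifying window seen for that source."""
    by_src = defaultdict(list)
    for e in events:
        # Only failed logons, and only network logon type (what SMB uses).
        if e["event_id"] != 4625 or e["logon_type"] != 3:
            continue
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["dst"], e["user"]))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()  # chronological; tuples sort by timestamp first
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits inside `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]
            targets = {dst for _, dst, _ in win}
            if len(win) < min_failures or len(targets) < min_targets:
                continue
            # Keep the widest qualifying window so the alert reflects full scope.
            if src not in alerts or len(win) > alerts[src]["failures"]:
                alerts[src] = {
                    "failures": len(win),
                    "targets": sorted(targets),
                    "accounts": sorted({user for _, _, user in win}),
                    "first": win[0][0].isoformat(),
                    "last": win[-1][0].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_smb_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {summary['failures']} failed network logons against "
              f"{len(summary['targets'])} hosts using {len(summary['accounts'])} accounts "
              f"between {summary['first']} and {summary['last']}")
```

On the constructed sample only WS-104 fires (8 failures against 6 hosts with 4 account names inside 7 seconds); WS-077's three failures against a single server stay below the distinct-target threshold, and the interactive logon is excluded by type. Requiring both a failure count and a spread of targets is what separates lateral brute-forcing from an ordinary locked-out user, and the same shape of rule translates directly to a SIEM query over 4625 grouped by workstation name.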
At 23:27 UTC on August 25, 2023, CTU researchers detected the Qakbot botnet distributing shellcode to infected devices. The shellcode cleanly terminates the running Qakbot process on the host, and CTU researchers concluded it constituted an attempt to take the botnet offline. On August 29, 2023, U.S. law enforcement announced a takedown of the botnet as part of the international Operation Duck Hunt.
The takedown, led by the U.S. Federal Bureau of Investigation (FBI), represents a significant disruption to the cybercrime ecosystem. The FBI estimates that Qakbot's use in the initial stages of ransomware deployment has resulted in losses to global businesses in the hundreds of millions of dollars. Third-party reports suggest the botnet has facilitated the delivery of Conti, DoppelPaymer, ProLock, Egregor, and MegaCortex. CTU researchers have observed it used to deploy REvil, and, more recently, Black Basta ransomware. It may also have been used for the deployment of Clop.
The takedown was comprehensive and appeared focused on preventing GOLD LAGOON from reacquiring the infected systems in the existing Qakbot botnet, making its reconstitution very challenging. In late December 2023, third-party researchers observed Qakbot used in a small-scale phishing campaign, and CTU researchers confirmed in January 2024 that Qakbot was circulating again after months of inactivity. Changes to the malware's code suggested that GOLD LAGOON may have been attempting to shift from a single monolithic botnet to smaller, campaign-specific botnets that are harder to track and take down. However, its reemergence was brief; CTU researchers have not observed any Qakbot activity since then.