---
title: "QBot Email Attacks Have a New Trick Up Their Sleeve: Using PDF and WSF Combo to Install Malware | Phish Protection"
description: "The new QBot email malware attacks are the latest case where threat actors use phishing, PDF, and WSF to deploy malware."
image: "https://phishprotection.com/og/blog/qbot-email-attacks-now-use-pdf-and-wsf-combo-to-install-malware.png"
canonical: "https://phishprotection.com/blog/qbot-email-attacks-now-use-pdf-and-wsf-combo-to-install-malware/"
---


The new QBot email **malware attacks** are the latest case where threat actors use [phishing](/resources/what-is-phishing), PDF, and WSF to deploy malware. Let us see what QBot is, how it works, and how to protect yourself against QBot malware.

The cybersecurity world knows QBot as a **banking trojan** that evolved into malware providing initial access to enterprise networks, which [malicious actors](/phishing/malicious-actors-exploit-commenting-feature-in-google-docs-to-send-phishing-emails) use to drop their payloads.

QBot enables malicious software like Cobalt Strike, Brute Ratel, and others to access corporate network devices, spread laterally through the network, steal critical information, and **deploy ransomware** in extortion attacks. Let us see how QBot works and how serious this new threat is.

![Office 365 phishing protection](https://media.mailhop.org/phishprotection/images/2023/05/office-365-phishing-protection-4625.jpg) 

### How does QBot Work?

QBot initially started as a banking trojan but has evolved into [malware](/content/protection-against-malware/what-is-malware) that can cause harm by infiltrating corporate networks and **dropping payloads** on compromised devices. Here is how QBot works:

- **_Initial Access and Lateral Movement:_** QBot gives threat actors a foothold through unpatched software vulnerabilities or [phishing attacks](/content/phishing-prevention/phishing-attack-definition) on an organization’s employees.
- **_Distribution Through Phishing:_** QBot relies on [reply-chain](https://quantumpc.com/whats-a-reply-chain-attack/) phishing emails, where threat actors use stolen **email exchanges** and reply to them with links to malware or malicious attachments. These phishing emails are in multiple languages.
- **_PDF and WSF Attachment:_** The phishing emails include a PDF file named ‘CancelationLetter-\[number\].pdf,’ which, when opened, displays a message stating that the document contains protected files. When the victim opens the file, a ZIP file containing a [WSF (Windows Script File)](https://docs.fileformat.com/executable/wsf/) is downloaded instead. The WSF contains a mixture of JScript and VBScript code that executes when the file is double-clicked and **runs a PowerShell script** on the victim’s device.
- **_PowerShell Script and DLL Download:_** The PowerShell script works through a list of URLs (Uniform Resource Locators), attempting to download a DLL (Dynamic Link Library), until the DLL is downloaded and executed to **inject the malware** into the legitimate Windows Error Manager program.
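
The delivery chain in the list above can be checked at two points: the inbound message and the downloaded archive. The following Python sketch is an added example, not code from the original article; the finding labels, the sample file name `Doc_12345.wsf` and the 5 MB size limit are assumptions, and both samples are constructed with inert script bodies.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure name given in the article: CancelationLetter-[number].pdf
LURE_PDF = re.compile(r"^CancelationLetter-\d+\.pdf$", re.IGNORECASE)
# language= attribute of <script> tags; regex because hostile WSF is rarely valid XML.
SCRIPT_TAG = re.compile(rb"<script[^>]*\blanguage\s*=\s*[\"']?([A-Za-z.]+)", re.I)

def triage_email(raw):
    """Flag PDF attachments that match the lure name or ride a reply chain."""
    msg = message_from_bytes(raw, policy=policy.default)
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_PDF.match(name):
            findings.append("lure-name:" + name)
        elif is_reply and name.lower().endswith(".pdf"):
            findings.append("pdf-on-reply-chain:" + name)
    return findings

def triage_zip(data):
    """Report each .wsf member of a downloaded ZIP and the engines it mixes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip"]
    findings = []
    with zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".wsf"):
                continue
            # Encrypted or oversized (assumed 5 MB cap) members are not inflated.
            if info.flag_bits & 0x1 or info.file_size > 5_000_000:
                findings.append("wsf-unreadable:" + info.filename)
                continue
            tags = SCRIPT_TAG.findall(zf.read(info))
            langs = sorted({t.decode().lower() for t in tags})
            findings.append("wsf:%s:%s" % (info.filename, "+".join(langs) or "none"))
    return findings

def sample_email():  # constructed sample, not a real message
    m = EmailMessage()
    m["From"], m["To"] = "partner@example.com", "user@example.org"
    m["Subject"], m["In-Reply-To"] = "RE: invoice", "<abc@example.org>"
    m.set_content("Please see attached.")
    m.add_attachment(b"%PDF-1.7\n", maintype="application", subtype="pdf",
                     filename="CancelationLetter-12345.pdf")
    return m.as_bytes()

def sample_zip():  # constructed sample; script bodies are comments only
    wsf = (b'<job><script language="JScript">// inert</script>'
           b'<script language="VBScript">\' inert</script></job>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Doc_12345.wsf", wsf)
    return buf.getvalue()
```

A WSF member that reports both `jscript` and `vbscript` matches the mixed-engine file the article describes; a plain PDF on a reply chain is a weaker signal and is labelled separately.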

### QBot Analysis: How QBot Can Hack Your System in Minutes

> “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle

QBot is a severe threat as it has the capability to **steal sensitive information** from infected systems. The malware can spread itself across multiple networks and devices and make away with [login credentials](https://www.securitymagazine.com/articles/99003-266-million-login-credentials-obtained-by-cybercriminals-since-2018), personal information, and financial data. _Did you know the QBot malware can take down a system within minutes?_

Researchers at DFIR Report [published](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/) a case study on the QBot malware, highlighting that it can establish its presence within a system and take it down in 30 minutes.

QBot employs **various techniques** such as password brute-forcing, social engineering, and malicious phishing emails with [PDF attachments](https://securityboulevard.com/2022/07/malicious-pdf-attachments-exploring-the-threats/) to gain access to a network, install the malware, and **exfiltrate data** by establishing a C2 (Command and Control) server on the victim’s system.

![Spear phishing protection](https://media.mailhop.org/phishprotection/images/2023/05/spear-phishing-protection-3965.jpg) 

### What Is the Impact of a QBot Attack | Additional Ransomware Deployment on the Victim Systems?

QBot email attacks are a **significant threat** to corporate networks as they provide threat actors a gateway to establish a system presence and carry out all malicious activities. The QBot email malware attacks also lead to **further ransomware** attacks as QBot acts as a conduit for notorious [RaaS (Ransomware-as-a-Service)](https://www.cloudflare.com/learning/security/ransomware/ransomware-as-a-service/) operatives, such as REvil, ProLock, MegaCortex, PwndLocker, Egregor, and BlackBasta.

It is paramount for individuals and organizations to **stay vigilant** against QBot and take all necessary precautions to keep this novel threat at bay. Some approaches you can adopt include exercising caution when opening suspicious emails, implementing robust security mechanisms, and **regularly updating** and patching all systems.

### How to Protect Against a QBot Attack?

The QBot email malware attack is a severe threat that **must be detected** and stopped immediately. To safeguard against QBot attacks, [organizations](https://www.securityweek.com/organizations-notified-of-remotely-exploitable-vulnerabilities-in-aveva-hmi-scada-products/) and individuals need to pay attention to its distribution methodology.

Since the malware spreads quickly and can bring multiple ransomware strains onto the victim’s system, organizations should take a system **offline** if a QBot infection is detected. By halting all systems, organizations can **control the spread of malware** and execute all security protocols to take care of the incident.

This lets organizations prevent any damage to the network and take steps to detect, contain, and remediate the [QBot](https://cybersecuritynews.com/qbot-malware/) attack effectively.
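
On the endpoint, the WSF-to-PowerShell step described earlier leaves a process lineage that can be matched in process-creation telemetry. The following Python sketch is an added example, not code from the original article; the event schema and sample events are constructed, and the binary names `wscript.exe`, `cscript.exe` and `wermgr.exe` are assumptions about how the script host and the "Windows Error Manager" appear in logs.

```python
from collections import defaultdict

# Assumptions, not from the article: wscript.exe/cscript.exe are the hosts
# that run .wsf files; wermgr.exe is the "Windows Error Manager" binary.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INJECT_TARGET = "wermgr.exe"


def exe(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def descendants(root, children):
    """Every process below root=(host, pid), at any depth, loop-safe."""
    out, stack, seen = [], [root], {root}
    while stack:
        for child in children[stack.pop()]:
            key = (child["host"], child["pid"])
            if key not in seen:
                seen.add(key)
                out.append(child)
                stack.append(key)
    return out


def find_wsf_chains(events):
    """Alert when a script host that ran a .wsf has PowerShell beneath it."""
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)  # pids are only unique per host
    alerts = []
    for e in events:
        if exe(e["image"]) not in SCRIPT_HOSTS or ".wsf" not in e["cmdline"].lower():
            continue
        below = {exe(d["image"]) for d in descendants((e["host"], e["pid"]), children)}
        if below & POWERSHELL:
            severity = "critical" if INJECT_TARGET in below else "high"
            alerts.append({"host": e["host"], "wsf_pid": e["pid"], "severity": severity})
    return alerts


def ev(host, pid, ppid, image, cmdline):
    return {"host": host, "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


SYS = "C:\\Windows\\System32\\"
PS = SYS + "WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed process-creation events, hypothetical schema
    ev("ws01", 200, 100, SYS + "wscript.exe", 'wscript.exe "C:\\Users\\a\\Downloads\\doc.wsf"'),
    ev("ws01", 300, 200, PS, "powershell.exe"),
    ev("ws01", 400, 300, SYS + "wermgr.exe", "wermgr.exe"),
    ev("ws02", 200, 100, SYS + "wscript.exe", 'wscript.exe "C:\\Users\\b\\Downloads\\doc.wsf"'),
    ev("ws02", 300, 200, PS, "powershell.exe"),
    ev("ws03", 200, 100, SYS + "wscript.exe", 'wscript.exe "C:\\scripts\\logon.vbs"'),
    ev("ws03", 300, 200, PS, "powershell.exe"),
    ev("ws03", 400, 50, SYS + "wermgr.exe", "wermgr.exe"),
]
```

On the constructed events, `ws01` is rated critical because the error manager appears beneath the script host, `ws02` is rated high, and the logon script and the unrelated error manager on `ws03` raise nothing.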

### Final Words

[Cybercriminals](https://www.bleepingcomputer.com/news/security/cybercriminals-charge-5k-to-add-android-malware-to-google-play/) keep improvising their **attack methodologies** to gain the upper hand over cybersecurity strategies adopted by enterprise networks. The latest QBot email attacks have proved innovative because they use the reply-chain mechanism to launch malware.

However, reply-chain emails usually appear **trustworthy** because of the continuity in the conversation chain. Therefore, cybersecurity experts should be wary of the latest QBot email [attack vectors](http://www.tradearabia.com/news/IT%5F408733.html) employed by malicious actors to enable access to more harmful malware and cripple the entire enterprise network. By understanding the new threats as they emerge, **organizations will be better prepared** with the latest [phishing protection](/) solutions to handle such an incident if it occurs.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

