---
title: "The QBot Malware Operators Use DLL Hijacking to Sideload Malicious Files in Windows Computers | Phish Protection"
description: "The QBot Malware Operators Use DLL Hijacking to Sideload Malicious Files in Windows Computers: Taking advantage of how Windows handles Dynamic Link Libraries."
image: "https://phishprotection.com/og/blog/qbot-malware-operators-dll-hijacking-sideload-malicious-files-windows-computers.png"
canonical: "https://phishprotection.com/blog/qbot-malware-operators-dll-hijacking-sideload-malicious-files-windows-computers/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/08/anti-phishing-protection-7943.jpg) 

Taking advantage of how Windows handles Dynamic Link Libraries (DLLs), attackers are creating a **malicious version of DLLs** required by the program and infecting victims’ computers. Read on to know how it happens and ways you can protect yourself.

QBot or Qakbot is a Windows malware strain that began as a banking trojan and later evolved into a **malware dropper**. In the early stages of the attack, the [malicious actors](/phishing/malicious-actors-exploit-commenting-feature-in-google-docs-to-send-phishing-emails) used it to drop Cobalt Strike beacons.

Recently, the ransomware gangs that operated the QBot malware started infecting computers by exploiting a [DLL hijacking](https://www.okta.com/identity-101/dll-hijacking/) flaw in the **Windows Calculator** application. Besides infecting the system, the weakness also helps them evade detection by security software.

Security researchers at ProxyLife discovered that, since July 11, Qakbot had been abusing the Windows 7 Calculator app to launch DLL hijacking attacks. Attackers keep using this method in various **malspam campaigns**. Before studying the modus operandi of the attack, let us first see what DLLs are.

### What Are DLL Files?

Dynamic Link Library files, or DLL files, contain all the resources an application requires to run successfully. They include a **library and images** of executable functions. [End-users](https://www.investopedia.com/terms/e/end-user.asp) cannot open the DLL files, and the associated application can only open them during the application’s start-up.

_[Windows systems](https://www.bleepingcomputer.com/news/microsoft/microsoft-iranian-hackers-encrypt-windows-systems-using-bitlocker/) need DLL files because they help them understand how to use the resources, hard drive space, and the host computer memory more **efficiently**_.

DLL files usually have a **.dll extension**, but some can have the .drv, .drov and .exe extensions too. A single DLL file can serve multiple programs, so multiple programs can get compromised during a DLL hijacking attack.

### What is DLL Hijacking?

> “Over 90% of ransomware attacks begin with a phishing email ([Verizon 2024 Data Breach Investigations Report](https://www.verizon.com/business/resources/reports/dbir/)). Blocking the phishing email is the most effective ransomware prevention strategy available - it stops the attack at the earliest possible stage, before any malware reaches your network. Every ransomware incident we’ve investigated started with an email that should have been caught.” - **Vasile Diaconu**, Operations Lead, DuoCircle

DLL hijacking is a method attackers use to inject [malicious code](https://snyk.io/learn/malicious-code/) into a Windows application. They achieve this by exploiting **vulnerabilities** in the way Windows applications search for and load DLLs (Dynamic Link Libraries). Only the systems running Microsoft OS are susceptible to DLL hijacking.

After the attackers replace a required DLL file with a malicious version and place it within the application's search path, the application will call the [infected](https://thehackernews.com/2022/11/new-icexloader-malware-loader-variant.html) file when it loads, **activating** its infectious operations.

For a DLL hijack to succeed, the victim must load the malicious DLL file from the targeted application’s directory. If applications that automatically load on start-up get compromised with an infected DLL file, malicious actors can access the infected computer whenever it restarts.


DLL hijacking is not a new [cyberattack](https://cybernews.com/news/cyberattack-us-railroad-critical-infrastructure/) method and has been circulating since Windows 2000’s launch.

### How Does the New QBot Infection Chain Work?

Researchers at ProxyLife and [Cyble](https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/) documented the latest QBot infection chain to assist users in **mitigating the risk**.

In the newest campaign, attackers send emails that include an **HTML file attachment**. If a user clicks on it, a password-protected ZIP file containing an [ISO file](https://www.howtogeek.com/356714/what-is-an-iso-file-and-how-do-i-open-one/) is downloaded.

The HTML file contains the password to open the ZIP file. Malicious actors **lock the file** to avoid antivirus detection.

The ISO file includes a .LNK file and a copy of ‘calc.exe’ (Windows Calculator). Additionally, it contains two **DLL files**, the payload 7533.dll and WindowsCodecs.dll.

When the victim mounts the ISO file, it will only display the .LNK file, which [threat actors](/phishing-awareness/threat-actors-using-malicious-onenote-attachments-to-spread-malware-via-phishing-emails) mask to **appear like a PDF** with vital info or a file that the user can open with the Microsoft Edge browser.

However, the shortcut opens the Calculator software on Windows.

When the user opens the shortcut, it begins an infection chain by running **Calc.exe** through the [Command Prompt](https://www.techtarget.com/whatis/definition/command-prompt).

After loading, Windows 7 Calculator searches for and attempts to load the original WindowsCodecs DLL file. However, it doesn’t use specific hard-coded paths to locate DLLs, and if a DLL with an **identical name** is placed in the same folder as the Calc.exe executable, it will load it.

The malicious actors exploit this vulnerability and create a **malicious** WindowsCodecs.dll file that will launch the other \[numbered\].dll file (QBot malware).

Antivirus software will not detect the QBot [malware](/content/protection-against-malware/what-is-malware) when it is installed through a trusted application (Windows Calculator).

It is worth noting that the flaw mentioned above does not work with Windows 10 Calc.exe and later. Hence, the attackers bundle the earlier **Windows 7** version.
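The sideloading pattern described above can be hunted for in DLL image-load telemetry. The following is an added example, not code from the original article: it assumes events shaped like Sysmon Event ID 7 records (fields `Image`, `ImageLoaded`, `Signed`), and the reference name sets and sample events are constructed for illustration.

```python
import ntpath  # Windows path rules, so the logic also runs on a Linux analysis host

# Assumption: in production these sets are built from a clean reference image.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_DLL_NAMES = {"windowscodecs.dll", "version.dll", "uxtheme.dll"}
SYSTEM_EXE_NAMES = {"calc.exe", "notepad.exe"}


def _dir(path):
    """Lower-cased parent directory without a trailing backslash."""
    return ntpath.normcase(ntpath.dirname(path)).rstrip("\\")


def _name(path):
    return ntpath.basename(path).lower()


def find_sideloads(events):
    """Flag loads of a system-named DLL from outside the system directories."""
    findings = []
    for ev in events:
        image, loaded = ev["Image"], ev["ImageLoaded"]
        if _name(loaded) not in SYSTEM_DLL_NAMES:
            continue  # not a name shared with a Windows DLL
        if _dir(loaded) in SYSTEM_DIRS:
            continue  # the genuine copy was loaded
        reasons = ["system DLL name loaded from " + _dir(loaded)]
        if _dir(loaded) == _dir(image):
            reasons.append("DLL sits beside the loading executable")
        if _name(image) in SYSTEM_EXE_NAMES and _dir(image) not in SYSTEM_DIRS:
            reasons.append("Windows binary running outside the system directory")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("loaded DLL is unsigned")
        findings.append({"image": image, "loaded": loaded, "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\WindowsCodecs.dll", "Signed": "true"},
    {"Image": r"E:\calc.exe",
     "ImageLoaded": r"E:\WindowsCodecs.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit["image"], "->", hit["loaded"])
        for reason in hit["reasons"]:
            print("   -", reason)
```
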

![Spear phishing prevention](https://media.mailhop.org/phishprotection/images/2022/08/spear-phishing-prevention-6368.jpg) 

QBot has been around for over a decade, with origins going back as early as 2009. While malicious actors did not carry out frequent campaigns to deliver it, they used the **Emotet botnet** for dropping [ransomware](/resources/ransomware-attack-why-organizations-pay-ransom) payloads.

### How to Prevent DLL Hijacking?

[Software developers](https://cybernews.com/news/software-developers-secrets-slip-github/) are the first line of defense against DLL hijacking attacks. They must follow **secure coding practices** and specify the exact directory for all associated DLL files. This prevents Windows from falling back to its DLL search order. Additional measures that organizations and individuals can take to **prevent** DLL hijacking are:

- **_Keeping the antivirus software up-to-date:_** While some sophisticated [supply chain attacks](https://www.cpomagazine.com/cyber-security/supply-chain-attack-on-voip-firm-3cx-puts-600000-businesses-at-risk-including-fortune-500-companies/) can skip detection, up-to-date antivirus software can detect and block malicious DLL injection attempts to an extent.
- **_Educating the staff about social engineering and phishing warning signs:_** DLL hijacking is successful only if the attackers successfully introduce a malicious DLL file into the ecosystem. If the organization mitigates the possibility of injection, it can prevent DLL hijacks.
- **_Restrict library loading:_** You can prevent remote DLLs from loading by enabling **safe DLL search mode**. It restricts the system when searching for DLL files.
- **_Execution prevention:_** Use robust application control solutions for identifying and blocking any potentially malicious software that gets executed through DLL search order hijacking.
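To see what specifying the exact directory and safe DLL search mode each change, the following added example (not code from the original article) models the standard Windows desktop DLL search order in simplified form, ignoring KnownDLLs, redirection and manifests. The directory listings and the `ExampleApp`, `Downloads` and `E:\` locations are constructed assumptions.

```python
import ntpath  # Windows path rules, so the model runs on any OS

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
APP = r"C:\Program Files\ExampleApp"      # hypothetical install directory
DOWNLOADS = r"C:\Users\user\Downloads"    # hypothetical user-writable directory
ISO = "E:\\"                              # hypothetical mounted ISO drive

# Constructed directory listings (not taken from a real system).
FILES = {
    SYSTEM32: ["calc.exe", "WindowsCodecs.dll"],
    ISO: ["calc.exe", "WindowsCodecs.dll", "7533.dll"],
    APP: ["app.exe"],
    DOWNLOADS: ["WindowsCodecs.dll"],
}


def search_order(app_dir, cwd, path_dirs=(), safe_mode=True):
    """Directories probed, in order, for a DLL requested by bare name."""
    system = [SYSTEM32, SYSTEM16, WINDIR]
    # Safe DLL search mode moves the current directory behind the system ones.
    middle = system + [cwd] if safe_mode else [cwd] + system
    return [app_dir] + middle + list(path_dirs)


def resolve(dll, dirs, files=FILES):
    """Return the first matching path (Windows file names are case-insensitive)."""
    for d in dirs:
        if dll.lower() in (name.lower() for name in files.get(d, ())):
            return ntpath.join(d, dll)
    return None


def load_by_name(dll, app_dir, cwd, safe_mode=True):
    """Weak pattern: bare DLL name, so the search order decides what loads."""
    return resolve(dll, search_order(app_dir, cwd, safe_mode=safe_mode))


def load_system32_only(dll):
    """Hardened pattern: models LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32."""
    return resolve(dll, [SYSTEM32])


if __name__ == "__main__":
    dll = "WindowsCodecs.dll"
    print("calc.exe copy on ISO  :", load_by_name(dll, ISO, ISO))
    print("safe mode on,  cwd    :", load_by_name(dll, APP, DOWNLOADS, True))
    print("safe mode off, cwd    :", load_by_name(dll, APP, DOWNLOADS, False))
    print("System32-only load    :", load_system32_only(dll))
```

In this model the application directory is probed first whether safe DLL search mode is on or off, so the setting only changes the outcome for a DLL sitting in the current directory; restricting the load to a fixed directory covers both cases.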

Other best practices include:

- Enforcing an accessible Information Security Policy.
- Implementing [multi-factor authentication](https://www.onelogin.com/learn/what-is-mfa).

### Final Words

The QBot malware that started its journey as a banking trojan quickly evolved into a malware dropper for Cobalt Strike beacons. It is **highly infectious** and constantly adapts its strategies to gain a greater influence.

The malware steals **personal data** and credentials from victims for financial gain and may result in fraud, identity theft, and other consequences. Thus, organizations need to ensure they have robust [protection from phishing](/) by adopting adequate [anti-phishing tools](/content/anti-phishing-solution/anti-phishing-tools) and providing relevant training to the employees, so they **don’t** accidentally compromise the organization’s critical information.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

