#TA577 returned yesterday from their month-long break to deliver #Qbot via URLs leading to zipped OneNote files. #TA570 came back too (after the blog was sent for publishing), using OneNote attachments to deliver Qbot.

#TA570 and #TA577, the actors distributing #Qakbot/#Qbot #malware, have gotten in on the #OneNote action, delivering lures that go undetected by many AV engines.

The highest detection count is only 2/60, based on this C2 IP contacted by the malicious OneNote lures:

https://www.virustotal.com/gui/ip-address/103.214.71.45/relations

TA570/Obama Sample: https://bazaar.abuse.ch/sample/b45ace5a35914dcd4beb7486f3ddad4bbd84be245d403b9e6a3f1b907aa4ae03/

TA577/BB## Sample: https://bazaar.abuse.ch/sample/bd040a74f99bd767652abc940a4939361d214ba6407781724fde55e48fa7aecf/
