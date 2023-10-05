While the Qakbot banking Trojan's infrastructure was dismantled in August by a large-scale law enforcement operation, the people behind it are still active and still pose a threat to users, researchers said today.

According to a report from Cisco's Talos threat intelligence group, its researchers assess with "moderate confidence" that the creators and operators of Qakbot are actively running a new campaign, this time distributing a variant of the Knight ransomware, which rebranded from Cyclops in July. Knight is a ransomware-as-a-service offering: it is distributed through phishing, and its operators extort victimized companies by threatening to sell exfiltrated data.

The Talos team based its attribution on metadata embedded in LNK (Windows shortcut) files. A shortcut records, among other things, the serial number of the drive on which it was created, and Talos matched drive serial numbers in the new samples against computers associated with the earlier Qakbot attacks. Despite the Qakbot actors' attempts to clean metadata from the specific files Talos examined, the team was still able to identify one machine as being linked to those attacks.

"Some of the filenames are written in Italian, which suggests the threat actors may be targeting users in that region," the Talos blog said. "The LNK files are being distributed inside Zip archives that also contain an XLL file."

XLL files, the group noted, are Excel add-in files, a Microsoft Excel-related format that looks similar to regular .xls files in an Explorer window even though the file is actually a library that Excel loads and executes. If opened, the XLL files install the Remcos backdoor, a remote administration tool that the actors deploy alongside Knight to gain access to targeted systems.

Talos said that the Qakbot actors are unlikely to be the masterminds behind the Knight ransomware service itself, and are instead probably customers. The FBI-led enforcement action in August took down Qakbot's command-and-control servers, but Talos assesses that it likely didn't affect the group's phishing delivery infrastructure. That may also leave the group free to rebuild its own back-end systems for Qakbot, leading to a potential resurgence.

Qakbot, according to Talos, was a serious threat, and one that was delivered in a particularly clever way. Rather than sending unprompted phishing emails to distribute the Trojan, the actors behind Qakbot hijacked Exchange servers at multiple third-party organizations, took the text of legitimate emails and attached the Qakbot payload, then sent the malicious messages as replies into existing, legitimate email threads at target organizations.
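The LNK-metadata technique Talos describes above, as an added example that is not part of the original article or of Talos's own tooling: a small Python parser that reads the volume serial number from a shortcut's LinkInfo block and the NetBIOS machine name and MAC address from its TrackerDataBlock, following the layout of Microsoft's MS-SHLLINK specification. Because no real sample can ship with the article, the script also includes a builder that constructs a minimal in-memory .lnk; the serial number, volume label, hostname, MAC and the GUID constant in it are made-up values. The `strip_metadata` option produces a shortcut with those blocks removed, which is what a scrubbed file looks like to the parser.

```python
"""Pull host-identifying metadata from Windows .lnk (Shell Link) files.

Added example with constructed fixtures; not a real Qakbot/Knight artifact.
Field layout follows the MS-SHLLINK specification.
"""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le

# ShellLinkHeader.LinkFlags bits used here
HAS_LINK_TARGET_IDLIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080
STRING_DATA_FLAGS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

LINKINFO_HAS_VOLUME_ID = 0x0001       # LinkInfoFlags.VolumeIDAndLocalBasePath
TRACKER_DATA_BLOCK_SIG = 0xA0000003   # ExtraData TrackerDataBlock signature


def parse_lnk(data: bytes) -> dict:
    """Return drive serial, volume label, machine ID and MAC; None where absent."""
    out = {"drive_serial": None, "volume_label": None, "machine_id": None, "mac": None}
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE

    # LinkTargetIDList: 2-byte size followed by the item ID list
    if flags & HAS_LINK_TARGET_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]

    # LinkInfo: all offsets are relative to the start of the LinkInfo structure
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, vol_off = struct.unpack_from("<IIII", data, pos)
        if li_flags & LINKINFO_HAS_VOLUME_ID:
            vol = pos + vol_off
            _vol_size, _drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
            out["drive_serial"] = f"{serial:08X}"
            # VolumeLabelOffset 0x10: ANSI, NUL-terminated label right after the four DWORDs
            label_end = data.index(b"\x00", vol + label_off)
            out["volume_label"] = data[vol + label_off:label_end].decode("ascii", "replace")
        pos += li_size

    # StringData: each present string is a 2-byte character count plus the characters
    char_width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_DATA_FLAGS:
        if flags & flag:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char_width

    # ExtraData: (size, signature, body) blocks until a terminal block (size < 4)
    while pos + 8 <= len(data):
        block_size, sig = struct.unpack_from("<II", data, pos)
        if block_size < 4:
            break
        if sig == TRACKER_DATA_BLOCK_SIG:
            out["machine_id"] = data[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
            # Droid = volume GUID + object GUID; the object GUID is a version-1 UUID
            # whose node field carries the MAC address of the machine that created the link
            object_id = uuid.UUID(bytes_le=data[pos + 48:pos + 64])
            if object_id.version == 1:
                out["mac"] = ":".join(f"{b:02x}" for b in object_id.node.to_bytes(6, "big"))
        pos += block_size
    return out


def shared_host_indicators(a: dict, b: dict) -> list:
    """Identifiers two parsed shortcuts have in common, ignoring fields that are absent."""
    return [k for k in ("drive_serial", "machine_id", "mac") if a[k] is not None and a[k] == b[k]]


def build_sample_lnk(serial: int, label: bytes, machine_id: bytes, mac: bytes,
                     strip_metadata: bool = False) -> bytes:
    """Construct a minimal .lnk carrying the given identifiers (test fixture, not a real sample).

    strip_metadata=True omits LinkInfo and the TrackerDataBlock, mimicking an actor
    who scrubbed the shortcut before distributing it.
    """
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (0 if strip_metadata else HAS_LINK_INFO)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    link_info = b""
    if not strip_metadata:
        # VolumeID: size, DriveType (3 = fixed disk), DriveSerialNumber, VolumeLabelOffset
        volume_id = struct.pack("<IIII", 16 + len(label) + 1, 3, serial, 0x10) + label + b"\x00"
        base_path = b"C:\\Users\\Public\\Fattura.pdf\x00"  # made-up local path
        vol_off = 0x1C                                     # LinkInfo header size
        base_off = vol_off + len(volume_id)
        suffix_off = base_off + len(base_path)
        link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, LINKINFO_HAS_VOLUME_ID,
                                vol_off, base_off, 0, suffix_off)
        link_info += volume_id + base_path + b"\x00"
    rel = ".\\Fattura.pdf"
    string_data = struct.pack("<H", len(rel)) + rel.encode("utf-16-le")
    extra = b""
    if not strip_metadata:
        droid_volume = uuid.UUID("c2a5d6f4-3b1e-4a7d-9c8b-1d2e3f4a5b6c").bytes_le  # made-up GUID
        droid_object = uuid.uuid1(node=int.from_bytes(mac, "big")).bytes_le         # v1 UUID, MAC in node
        extra = struct.pack("<IIII", 0x60, TRACKER_DATA_BLOCK_SIG, 0x58, 0)
        extra += machine_id.ljust(16, b"\x00") + (droid_volume + droid_object) * 2  # Droid + DroidBirth
    return header + link_info + string_data + extra + b"\x00\x00\x00\x00"  # terminal block


if __name__ == "__main__":
    mac = bytes.fromhex("00155d0a1b2c")  # constructed value
    print(parse_lnk(build_sample_lnk(0x1A2B3C4D, b"OS", b"DESKTOP-ABC123", mac)))
    print(parse_lnk(build_sample_lnk(0x1A2B3C4D, b"OS", b"DESKTOP-ABC123", mac, strip_metadata=True)))
```

Run against real samples with `parse_lnk(open(path, "rb").read())`. The drive serial survives in LinkInfo even when the TrackerDataBlock has been removed, and vice versa, so `shared_host_indicators` reports whichever identifiers are still present; a fully scrubbed shortcut yields an empty list, and the attribution then has to rest on other evidence.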