Operation Endgame: Going After Tools, Going After People... Qakbot Is Next on the Red Carpet!
Written by Anastasia Sentsova
📌 On May 22, 2025, as part of #OperationEndgame, authorities dismantled key infrastructure related to multiple botnets and publicly identified some individuals, including the Qakbot operator as Gallyamov Rustam Rafailevich. Qakbot, which emerged around 2008, became a critical tool in ransomware campaigns, enabling initial access into victims' networks for multiple groups, including ProLock, DoppelPaymer, Egregor, REvil, Conti, LockBit, Cactus, and Black Basta.
📌 With the addition of newly published documents to previously discovered information, a few key points come to mind.
Point #1: We need to look beyond the RaaS narrative. The success of ransomware doesn’t rest solely on the widely accepted belief that RaaS is the main driving force. Given the cooperation between ransomware groups and other illicit actors such as TrickBot and Qakbot, the traditional concept of operator-affiliate cooperation doesn’t accurately reflect the reality for the groups driving the most activity. An affiliate isn’t just a random person with access; it is a criminal enterprise built around a powerful piece of malware that harvests access to victims' networks at scale. Therefore, to effectively combat ransomware, taking down the entire supply chain is essential.
Point #2: Gaining a foothold in victims’ networks largely starts with exploiting human vulnerabilities and then technical ones. To deliver malicious payloads, threat actors use various techniques to deceive their targets. This includes phishing campaigns with socially engineered emails that trick victims into clicking on malicious files. It also includes spam bomb attacks on employees of targeted companies, followed by the attackers posing as IT support staff to manipulate victims into executing malicious code or otherwise granting access to company systems. Investing in raising awareness among employees about potential deception and the overall threat of ransomware is crucial.
Point #3: Keep targeting actors' core vulnerabilities: their anonymity and their access to illicit financial gains. By exposing their identities and seizing cryptocurrency, authorities are striking at their most vulnerable points. The impact is visible in their communications: actors are expressing fear, spreading it among their peers, reducing activity, and ultimately contributing to a noticeable decline in overall morale.
📌 “No matter how shadowed the road may seem, you can always pause, turn back, and walk toward the light once more,” the narrator says in the latest episode of #OperationEndgame. Will they? Probably not, at least not the majority of them. However, whatever choice they make, they are no longer walking their path in secrecy and the shadows they once hid in are no longer safe. The myth of the untouchable, anonymous hacker is fading, and with it, the illusion of invincibility.
Stay informed, stay secured with Analyst1 🦅