Full Report
The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks. [...]
Analysis Summary
# Threat Actor: Qakbot Botnet Operator (Allegedly Led by 'Gallyamov')
## Attribution & Identity
The individual identified as the leader, referred to pseudonymously as 'Gallyamov' in the context of the indictment, is linked to the operation and leadership of the Qakbot botnet. Qakbot is a prolific malware platform with long-standing capabilities.
## Activity Summary
The Qakbot botnet has historically functioned as an initial access mechanism, malware dropper, or backdoor capable of keystroke logging. Starting in 2019, Qakbot became a preferred initial infection vector for numerous high-profile ransomware gangs, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, Doppelpaymer, Black Basta, and Cactus. The leader allegedly received a portion of the ransom payments in exchange for access provision. Although the Qakbot botnet was dismantled by the FBI in 2023, the indicted leader allegedly continued malicious operations, orchestrating spam bomb attacks against US victims as recently as January 2025.
## Tactics, Techniques & Procedures
- Initial infection vector utilized by various ransomware groups.
- Functions as a malware dropper or backdoor.
- Capabilities include recording keystrokes.
- Used "spam bomb attacks" for recent coordinated infections (as of January 2025).
- *No specific MITRE ATT&CK IDs were explicitly mentioned in the provided text.*
## Targeting
- Sectors: Private companies, healthcare providers, and government agencies.
- Geography: Global victims, with specific mention of attacks against victims in the United States (as of January 2025).
- Victims: Hundreds of victims across the globe, with resulting damage in the hundreds of millions of dollars.
## Tools & Infrastructure
- Malware families used: Qakbot (also known as Qbot).
- Infrastructure (C2, domains, IPs): The FBI dismantled parts of the Qakbot infrastructure in 2023. Authorities seized over $24 million in cryptocurrency linked to the leader/operation.
## Implications
The Qakbot botnet caused significant financial damage globally, exceeding $58 million in damages within an 18-month period. The persistence of the alleged leader, continuing operations even after the botnet takedown, highlights the resilience of cybercriminal leadership and the persistent threat of initial access brokers feeding major ransomware operations. The associated activity is linked to Operation Endgame, showcasing international cooperation against large-scale malware ecosystems.
## Mitigations
- Defend against initial access by bolstering email security and user awareness, especially against potential spam bombing campaigns.
- Implement robust endpoint detection and response given the malware's capabilities as a dropper and potential keylogger.
- Monitor for indicators related to known affiliates that previously leveraged Qakbot access (e.g., Conti, REvil, Black Basta).