QBot, aka Qakbot, has been discovered using the Windows 7 Calculator software by spoofing as a legitimate application. The malware operators are using the calculator for DLL side-loading attacks since July 11, according to security researcher ProxyLife.

What is side-loading?

  • DLL side-loading is a common type of attack that takes advantage of how DLLs are managed in Windows.
  • It entails creating a fake version of a valid DLL file and storing it in a folder where the operating system will load it instead of the real file.

Why Windows Calculator?

  • Malicious actors avoid detection by installing the QBot malware in trusted apps such as the Windows Calculator. Another advantage is that QBot frequently avoids detection by security tools.
  • Furthermore, threat actors use Windows 7 because the DDL sideloading vulnerability is no longer exploitable in Windows 10 Calc.exe and later versions.

How the attack unfolds?

The recent attack used emails with an HTML file attachment that downloads a password-protected ZIP archive containing an ISO file.
  • To avoid antivirus detection, the password for opening the ZIP file is displayed in the HTML file.
  • The ISO file contains two DLL files - the payload 7533.dll and WindowsCodecs.dll, as well as the Windows calculator app calc.exe.
  • When a user installs this ISO file, the.LNK file is displayed, which presents itself as a PDF containing important data or a file that opens in the Microsoft Edge browser.
  • When the file is opened, users are directed to the Windows Calculator app. Clicking the app causes the infection to be activated on their devices via Command Prompt.
  • When Windows 7 Calculator is launched, it searches for and attempts to load the genuine WindowsCodecs DLL file.
  • However, the Calculator does not look for the DLL in certain hard-coded paths and will load any DLL with the same name if it is in the same folder as the Calc.exe executable.

How to avoid a QBot attack?

Users should avoid opening any software or files from an unknown or suspicious sender, whether via email or websites.
  • It is recommended that users check to see if a file is legitimate before opening it.
  • Users are advised to use multi-factor authentication, in addition to having a strong password and regularly updating their password.
  • Using reputable anti-virus and internet security software on all connected devices.


The Qakbot (QBot) malware, which began as a banking trojan but evolved into a malware dropper to drop Cobalt Strike beacons, is highly active and is constantly adapting its strategies to gain a greater influence. This malware steals credentials and personal data from victims' for financial gains, which might result in identity theft, fraud, and other consequences.
Cyware Publisher