Malware operators often keep switching their malware, over a period of time, for miscellaneous reasons. In February, researchers observed that the IcedID malware had replaced QBot malware. However, in a new twist, QBot malware has again replaced the IcedID malware as an intermediary stage payload in a long infection chain attack.

How the tables have turned

A malware researcher discovered the reverse switching of the two malware, almost a month and a half after the first switch.
  • In the recent campaign, QBot was used to deliver the later stage payloads, including Egregor, DoppelPaymer, and ProLock ransomware.
  • In the past, IcedID was distributing other malware, including RansomExx, Maze, and Egregor ransomware.
  • In addition, QakBot has been updated with changed decryption algorithms for the internal configuration.
  • For infection, a malicious Office file poses as a DocuSign document to trick users into enabling a macro to fetch the payload. In February, this same trick was spotted by researchers from Binary Defense.

Similar trick was discovered a few days back

According to Intel 471, several cybercriminal groups are deploying known to be using the EtterSilent tool for running their malware campaigns.
  • The tool can create malicious documents that mimic DocuSign or DigiCert-protected files requiring user interaction for decryption.
  • The tool has the ability to bypass various security mechanisms such as AMSI, Windows Defender, and email services.


Cybercriminals are continuously updating their malware and replacing them according to their convenience. In addition, tools like EtterSilent further increase the risks by helping the malware bypass security barriers with ease. Therefore, organizations and users should be extra cautious with such threats, and check and scan email attachments carefully before opening them.

Cyware Publisher