Potential Qakbot Registry Activity

calendar Oct 23, 2025 · attack.persistence attack.defense-evasion attack.t1112  ·
Share on: linkedin copy

Detects a registry key used by IceID in a campaign that distributes malicious OneNote files

Sigma rule (View on GitHub)

 1title: Potential Qakbot Registry Activity
 2id: 1c8e96cd-2bed-487d-9de0-b46c90cade56
 3status: test
 4description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
 5references:
 6    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 7author: Hieu Tran
 8date: 2023-03-13
 9tags:
10    - attack.persistence
11    - attack.defense-evasion
12    - attack.t1112
13logsource:
14    category: registry_event
15    product: windows
16detection:
17    selection:
18        TargetObject|endswith: '\Software\firm\soft\Name'
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

  • OneNote | ThreatLabz

    Zscaler ThreatLabz team observed multiple OneNote malware campaign spreading RATs, Bankers, and Stealer category malware with multi-layer obfuscation.


    Read More

Related rules

to-top