Threat Response: Mail spam campaign dropping QBot & TrickBot malware




During the last months of 2020, the Northwave CERT has seen an increase in email spam campaign activity[1] coming from a certain known threat actor, delivering the QBot Trojan as an attachment to companies across the globe. In recent months, the Northwave CERT has been deployed on several large-scale ransomware incidents where the initial attack vector was a phishing mail with a malicious attachment. As of Thursday 21 January 2021, Northwave sees a new campaign resulting in new infections with the possibility of the actors selling the access to their victims to ransomware groups. The campaign uses an old excel sheet embedded in a Zip archive to deliver its content. Often, emails that were stolen in a previous attack are used as a basis, so that they look like part of an ongoing conversation. The excel sheet contains macro’s that download and install the malware from hacked websites. The actors try to lure the user to click by using the DocuSign logo[2], tricking their victims into thinking they need to enable macros in order to be able to access the contents of the file.

Apart a new campaign that uses QBot, Northwave sees a strong increase in email spam campaign activity that uses Emotet malware [3], with the TrickBot Trojan as attachment inside a Word document. This campaign often results in Ransomware-infections very quickly.

Phishing attacks are a continues risk for any organisation. Northwave sends you this threat response because of a specifically elevated risk for high-impact attacks such as ransomware infections, and because it is wise to be extra alert at this time and take extra precautions.


A successful infection with the QBot or TrickBot trojan often leads to a Ransomware infection, usually Egregor or DoppelPaymer of QBot and Conti or Ryuk for TrickBot, but other variants have been observed.


Northwave judges the risk of a click on the macro-enabled excel document to be high. In one of the recent CERT cases that Northwave was involved in it only took two hours from the initial click on the phishing email to the complete take over of the network, and only 2 days until ransomware was deployed on the network of the victim.


There are several measures that you can take to prevent or limit impact:

  • Inform your users on the risk of clicking on these types of phishing emails and provide them with the knowledge and tools to protect themselves from these kinds of attacks.
  • Do not allow zipfiles to be delivered via mail and disable the use of Excel Macro’s in your environment.
  • Make sure your users have a way to quickly report these kinds of emails to your security personnel to quickly prevent further spread if an infection does occur.
  • Be alert for these kinds of emails and be prepared to start an investigation or deploy a CERT-team when you detect an attack.


Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.


[1] Spam campaign according to

[2] SANS QBOT Spam Example:

[3] Emotet trends:

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.