Top malware in Q1-2023: Qbot, Formbook, Emotet

Top malware in Q1-2023: Qbot, Formbook, Emotet

Share post

Check Point's Spring 2023 Global Threat Index shows Qbot, Formbook, and Emotet malware as the most threatening, HTTP Headers Remote Code Execution vulnerability on the rise, and retail as an industry most under attack.

Check Point has published its Global Threat Index for January 2023. Qbot, a sophisticated Trojan that steals banking information and keystrokes, remains at the top. Emotet slips to third place in Germany. With regard to sectors and areas, retail was attacked in Germany in particular.


Maya Horowitz, VP Research at Check Point Software, also discusses the dangers of phishing and fake websites: "I can't stress enough the importance of paying attention to the links you click to make sure that they are legitimate URLs. Look for the padlock that indicates an up-to-date SSL certificate, and look out for hidden typos that could indicate the site is malicious.”

Top 3 malware for Germany

Qbot – Qbot, also known as Qakbot, is a banking Trojan that first appeared in 2008. It is designed to steal a user's banking information and keystrokes. Commonly distributed via spam emails, Qbot uses multiple anti-VM, anti-debugging, and anti-sandbox techniques to complicate analysis and evade detection.


Subscribe to our newsletter now

Read the best news from B2B CYBER SECURITY once a month

By clicking on "Register" I agree to the processing and use of my data in accordance with the declaration of consent (please open for details). I can find more information in our Privacy policy. After registering, you will first receive a confirmation email so that no other person can order something you don't want.
Expand for details on your consent
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. Detailed information can be found in our Privacy policy. You can unsubscribe from the newsletter at any time. You will find a corresponding link in the newsletter. After you have unsubscribed, your data will be deleted as soon as possible. Recovery is not possible. If you would like to receive the newsletter again, simply order it again. Do the same if you want to use a different email address for your newsletter. If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use newsletter service providers, which are described below, to process the newsletter.


This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”). CleverReach is a service that can be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) will be stored on the CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. This can include It is analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a previously defined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletter is available at: The data processing takes place on the basis of your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation. If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have canceled the newsletter. Data stored by us for other purposes remain unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You may object to the storage if your interests outweigh our legitimate interest. For more information, see the privacy policy of CleverReach at:

Data processing

We have concluded an order processing contract (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed according to our instructions and in compliance with the GDPR.

Formbook – Formbook is an info-stealer targeting the Windows operating system and was first discovered in 2016. It is marketed as Malware as a Service (MaaS) on underground hacking forums due to its strong evasion techniques and relatively low price. Formbook collects login credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and run files on instruction from its C&C.

Emotet – Emotet is an advanced, self-propagating and modular trojan horse that was once used as a banking trojan and currently proliferates other malware or malicious campaigns. Emotet uses multiple persistence methods and evasion techniques to avoid detection and can be distributed via phishing spam emails with malicious attachments or links.

Top 3 vulnerabilities

In December, Web Server Exposed Git Repository Information Disclosure remained the top exploited vulnerability, affecting 46 percent of organizations worldwide, followed by newcomers HTTP Headers Remote Code Execution at 42 percent and MVPower DVR Remote Code Execution at 39 percent.

 Web Servers Exposed Git Repository Information Disclosure – An information disclosure vulnerability was reported in Git Repository. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.

HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers allow the client and server to include additional information with an HTTP request to transfer. An attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.

MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. An attacker can exploit this vulnerability to execute arbitrary code on the affected router via a manipulated request.

Top 3 of the attacked sectors and areas in Germany:

– Retail/Wholesale

– Education/Research

 – Healthcare

Check Point's Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud Intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints and mobile phones. This intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the research and development department of Check Point Software Technologies.

Top 3 Mobile Malware:

Over the past month, Anubis continued to be the most prevalent mobile malware, followed by Hiddad and newcomer AhMyth.

 Anubis – Anubis is a banking Trojan developed for Android phones. Since its initial detection, it has gained additional features including remote access trojan (RAT), keylogger and audio recording capabilities, and various ransomware functions. It has been spotted in hundreds of different applications on the Google Store.

 Hiddad - Hiddad is an Android malware that repackages legitimate apps and then publishes them to a third-party store. Its main function is to display advertisements, but it can also gain access to important operating system security details.

AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed via Android apps found in app stores and various websites. When a user installs one of these infected apps, the malware can gather sensitive information of the device and perform dangerous actions like keylogging, taking screenshots, sending SMS messages or activating the camera, which usually lead to stealing sensitive ones information is used.

More at


About check point

Check Point Software Technologies GmbH ( is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100.000 businesses of all sizes.


Matching articles on the topic

Vulnerabilities in Netgear Nighthawk RAX30 routers

A combination of five vulnerabilities in Netgear Nighthawk RAX30 routers allows attackers to monitor, manipulate and take over Internet traffic ➡ Read more

EU Cyber ​​Solidarity Law: Building a protective shield

In April, the European Commission put forward a proposal for the EU's Cyber ​​Solidarity Law, a multi-billion dollar plan to strengthen cybersecurity ➡ Read more

German companies: 84 percent expect a cyber attack

The Trend Micro Cyber ​​Risk Index (CRI) for the second half of 2022 is here. 84 percent of Germans expect ➡ Read more

Well-known vulnerabilities remain unnoticed

Earlier this week, CISA announced that it had added new Linux vulnerabilities to its catalog, warning that ➡ Read more

New corporate email phishing tactics

Cyber ​​criminals are constantly introducing new techniques and tactics in their phishing attacks to fool victims and bypass security measures. Barracuda ➡ Read more

Ransomware analysis for Germany: Black Basta leading

Malwarebytes' threat intelligence team analyzed the activities of ransomware groups in Germany from April 2022 to March 2023 and in ➡ Read more

Cyber ​​espionage: Fileless Malware DownEX discovered

Bitdefender Labs experts have discovered a new malware family. The demanding and very targeted attack under the name ➡ Read more

Despite ransomware ransom: Only 24 percent receive all data 

As a study shows, despite paying a ransom, only 24 percent of German companies are able to recover all their data after a ransomware attack. The ➡ Read more