
The US Justice Department on Thursday announced the indictment of a Russian cybercriminal said to be the mastermind behind the notorious Qakbot malware loader, as well as the decade-long global ransomware campaign he ran along with it.
US authorities say 48-year-old Rustam Rafailevich Gallyamov, a resident of Moscow, is responsible for not only developing the Qakbot malware but also for leading a group of cybercriminals who deployed the malware against hundreds of thousands of victims.
The indictment is yet another piece of the international anti-botnet effort known as Operation DuckHunt, which dismantled the Qakbot platform in 2023.
Gallyamov – also known as “Cortes,” “Tomperz,” and “Chuck” – and his gang infected hundreds of thousands of victims' devices over the years with the Qakbot malware, all to establish “a network, or ‘botnet,’ of infected computers.”
US Attorney L.A. (@USAO_LosAngeles) posted on May 22, 2025: “Russian national and leader of Qakbot malware conspiracy indicted in long-running global ransomware scheme” https://t.co/wfq7gc7453
According to the 16-page indictment, once in control of the computers using a Command and Control (C2) server, the bad actors would then reinfect the victims’ devices – this time with ransomware to steal the victim’s data.
Gallyamov was said to have given the ransomware groups – including Prolock, Doppelpaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus – access to the infected computers so they could deploy their variants. The affiliate groups would give Gallyamov a cut of the profits extorted from the victims.
The DoJ said they seized over $24 million worth of cryptocurrency throughout the investigation.
And even after the 2023 disruption, the indictment states that Gallyamov and his cohorts continued to “seek and gain unauthorized access to victim computers using means other than the Qakbot botnet,” using other tactics, such as spam bomb attacks.
In spam bombing attacks, the conspirators would “trick employees at victim companies by posing as IT workers and convince them to either execute malicious code into or grant access to computer systems,” it said.
The US attorneys on the case additionally filed a civil forfeiture on Thursday to distribute the seized funds and compensate Qakbot victims.
What is Qakbot?
Originally developed as a banking trojan, Qakbot has been used by cybercriminals and ransomware groups since 2008. Malware loaders are used as a vehicle to deliver and execute other forms of malware, such as ransomware, viruses, trojans, or worms.
They’re also one of the most common tools for attackers to drop payloads in the initial cyber-attack stage. In fact, in 2023, security researchers found that Qakbot was one of only three malware loaders responsible for 80% of all incidents (SocGholish and Raspberry Robin were the other two).
In its heyday, QakBot malware “had infected more than 700,000 victim computers, facilitated ransomware deployments, and caused hundreds of millions of dollars in damage to businesses, healthcare providers, and government agencies,” US officials stated at the time.
Commonly used by threat actors to steal financial data and banking credentials, the malware loader was often spread via spear phishing campaigns.
Also known as QBot or Pinkslipbot, the malware was, according to authorities, continuously upgraded with new capabilities over the years and was able to deliver remote-access payloads, steal sensitive data, allow lateral movement within targeted networks, and carry out remote code execution.
Thursday’s indictment is additionally connected to Operation Endgame, considered one of the most significant global anti-botnet operations ever, leading to multiple arrests, the shutdown of hundreds of servers, and the seizure of thousands of domains, the DoJ said.