Get The Latest Insights

By Jessica Ellis | January 20, 2022

Qbot and ZLoader payloads targeting enterprises contributed to almost 89% of email-based malware volume in Q4. Malware variants attributed to attacks continue to fluctuate from quarter to quarter, often dramatically, as criminal families combine or outsource operations to maximize their odds of lucrative campaigns. Qbot and ZLoader previously led payload volume in Q2 and Q1 (respectively) of 2021.

Phishing lures delivering payloads remain the primary delivery method of ransomware. PhishLabs monitors payload families reported in corporate inboxes to proactively prevent and remediate these threats. Below, we highlight the top payload threats targeting enterprises in Q4.

Top 2021 Payloads


The Qbot banking trojan was the top payload family detected in phishing attacks in Q4, contributing to 59.3% of reports. Qbot led all other payloads in the first half of 2021, before experiencing a dip in volume in Q3. Active since 2008, Qbot is capable of logging keystrokes, stealing financial information, and compromising credentials.

Qbot is also self-spreading and capable of moving laterally within networks. This payload is often associated with Egregor and Sodonikibi ransomware, both frequently sold as Ransomware-as-a-Service (RaaS). Sodonikibi has consistently ranked among the top ransomware variants.

Below is an example of a Qbot lure that was delivered through email thread hijacking, a technique where the malware inserts itself into previously legitimate email threats. Qbot actors commonly apply this technique. In this lure, Qbot is delivered via a malicious link.

Qbot Lure


ZLoader had the second highest payload volume among known families in Q4, contributing to almost 30% of reports. A variant of the Zeus banking trojan, ZLoader is a popular MaaS that maintained a dominant presence throughout 2021.

ZLoader is a multipurpose dropper often associated with the Conti and Ryuk ransomware families. Recent Zloader email campaigns delivered the malware through malicious Google ad campaigns and by exploiting Microsoft’s signature verification.

Below is a phishing lure delivering ZLoader via a malicious attachment.

ZLoader Lure


Trickbot was the third-most reported payload in Q4, contributing to 3.9% of attacks. Trickbot is an advanced banking Trojan frequently used to steal credentials, perform reconnaissance within compromised networks, and drop ransomware into vulnerable systems.

Below is an example of a phishing lure used to deliver Trickbot.

Trickbot Lure

Ransomware is a billion dollar business with a low barrier to entry. The tools used for a campaign and the actors behind them are in a constant state of metamorphosis as pressure to evade detection goes hand-in-hand with a successful attack. This fluidity makes it challenging for enterprises to proactively detect malicious payloads before they culminate in a ransomware attack.

As email phishing continues to be the primary delivery method of payloads facilitating ransomware attacks, organizations should invest heavily in the proactive blocking and detection of suspicious emails.

Additional Resources: