PatchDay Alert
Analysis · 4 min read · 851 words · By The Commentary Desk · Commentary

The FBI dismantled QakBot in 2023. In 2024 it was test-driving a Windows zero-day.

CVE-2024-30051 is a DWM Core Library privilege escalation to SYSTEM, used as a zero-day. Kaspersky tied it to QakBot, the botnet taken down nine months earlier, and found the exploit was already in several groups' hands before the patch.

In August 2023, an international law-enforcement operation dismantled QakBot, seizing its infrastructure and clawing back millions in cryptocurrency. It was a genuine win, the kind of takedown that makes headlines and disrupts a major malware-distribution operation. Nine months later, Kaspersky reported that actors associated with QakBot were exploiting a fresh Windows zero-day, CVE-2024-30051, to escalate privileges on victim machines. The infrastructure got seized. The people and their tooling did not.

That’s the part of this CVE worth sitting with, because it points to a recurring and uncomfortable truth about how these operations actually end: usually, they don’t.

What the bug is

CVE-2024-30051 is a heap-based buffer overflow (CWE-122) in the Windows Desktop Window Manager Core Library, dwmcore.dll. CVSS 3.1 base score 7.8, attack vector local: a low-privileged local user exploits it to run code as SYSTEM. Microsoft patched it on May 14, 2024, and CISA added it to the Known Exploited Vulnerabilities catalog the same day with a June 4 remediation deadline and the known-ransomware-use flag. It affects the full supported Windows line at the time: Windows 10 from 1507 onward, Windows 11 through 23H2, and Windows Server 2016 through 2022.

Like most elevation-of-privilege bugs, it isn’t an entry point. It’s the second stage: something else gets code running as a normal user, and CVE-2024-30051 turns that into full control of the machine. That’s exactly the slot QakBot’s operators, and the ransomware affiliates downstream of them, needed it for.

“Multiple threat actors” had it before the patch

Kaspersky’s reporting included a detail that should shape how you read any EoP zero-day. They assessed that several different threat actors appeared to have access to the exploit, and that it had been circulating since around April 2024, before the May patch. QakBot-linked actors were one user of it, not the sole owner.

This is how privilege-escalation exploits tend to propagate. Once a working primitive exists, it doesn’t stay with one group; it gets shared, sold, and reused, because every intrusion crew needs the same escalation step and a reliable one is valuable to all of them. So by the time a bug like this surfaces in a vendor advisory, the realistic assumption is not “one APT has it” but “it’s in circulation.” That assumption should raise, not lower, the urgency of EoP patches, which are the ones teams most often defer because “the attacker needs local access first.”

The takedown lesson

The QakBot connection is the thread that makes this more than another EoP entry. Takedowns are worth doing, and they impose real cost: rebuilding infrastructure takes time and money, and seized funds are gone. But a takedown removes the plumbing, not the plumbers. The operators retain their skills, their relationships, their access to exploit markets, and frequently their malware source. QakBot’s distribution network being seized in 2023 did not stop the people behind it from acquiring and deploying a Windows zero-day in 2024.

The defensive implication: do not treat a publicized takedown as a threat retiring. The capability that hurt you before the takedown is largely intact after it; only the specific infrastructure changed. Detection content tied to old QakBot command-and-control will go stale, and the same actors will be back under a different botnet name with the same tradecraft. Plan for continuity, not closure.

What to do

  • Apply the May 2024 cumulative update across the fleet. This is a broadly-affected local EoP, so workstations matter as much as servers; the endpoint where a loader like QakBot lands is exactly where the escalation happens. There’s no version exception to find.
  • Patch EoP bugs on the assumption the exploit is already shared. For elevation-of-privilege flaws, “needs local access” is not a reason to deprioritize. The local access is what the initial-access malware provides, and the exploit is usually in more than one toolkit by disclosure.
  • Hunt for the initial-access stage, not just the escalation. QakBot and similar loaders arrive through phishing: malicious attachments, OneNote files, ISO/ZIP droppers, and script-based execution. Detections for that delivery chain catch the intrusion before the privilege escalation matters.
  • Refresh threat-intel assumptions after takedowns. When a botnet is dismantled, retire the IOCs but keep the behavioral detections, and assume the operators will resurface. Track the tradecraft, not the brand name.
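The third item above, hunting the delivery chain rather than the escalation, is the one that turns into detection content. As an added example (not code from this page, from Kaspersky’s reporting, or from any vendor), here is a small set of hunting rules for the QakBot-style chain the list describes, run over constructed Sysmon Event ID 1 style process-creation events: an Office or OneNote process spawning a script host, a script or shortcut launched from a drive letter that a mounted ISO would present, rundll32/regsvr32 loading a DLL from a user-writable path, and a script engine spawning a loader host. Field names, the hostname, the user name and every file path are assumptions, and the sample events are constructed to show one benign baseline and one malicious chain.

```python
# Added example (not code from the article, Kaspersky or any vendor): hunting
# rules for the QakBot-style delivery chain the article lists, run over
# constructed Sysmon Event ID 1 style process-creation events. Field names,
# hostnames, user names and file paths are assumptions.
import re
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class ProcEvent:
    ts: str            # ISO-8601 timestamp
    host: str
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    cmdline: str

Finding = tuple[str, str, str, str]  # (ts, host, rule, detail)

OFFICE_PARENTS = {"onenote.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# Directories a standard user can write to; a dropped loader DLL lives there.
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata)\\|\\temp\\")
# Assumes C: is the system drive, so a mounted ISO shows up as D: or later.
NON_SYSTEM_DRIVE = re.compile(r"(?i)(?<![A-Z0-9])[D-Z]:\\")
# First DLL path handed to rundll32/regsvr32, quoted or not (C:\...\x.dll,Export).
DLL_ARG = re.compile(r'(?i)"?([A-Z]:\\[^"]+?\.dll)"?(?=[\s,]|$)')
# A script or shortcut launched from a non-system drive letter.
DROPPER_ON_NON_SYSTEM = re.compile(
    r'(?i)(?<![A-Z0-9])[D-Z]:\\[^"\s]*\.(?:lnk|js|jse|vbs|vbe|wsf|cmd|bat|hta)(?=["\s]|$)')

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawns_script_host(ev: ProcEvent) -> Optional[str]:
    parent, child = basename(ev.parent_image), basename(ev.image)
    return f"{parent} -> {child}" if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS else None

def loader_dll_from_user_path(ev: ProcEvent) -> Optional[str]:
    if basename(ev.image) not in LOADER_HOSTS:
        return None
    m = DLL_ARG.search(ev.cmdline)
    if m and (USER_WRITABLE.search(m[1]) or NON_SYSTEM_DRIVE.search(m[1])):
        return m[1]
    return None

def dropper_from_non_system_drive(ev: ProcEvent) -> Optional[str]:
    m = DROPPER_ON_NON_SYSTEM.search(ev.cmdline)
    return m[0] if m else None

def script_host_spawns_loader(ev: ProcEvent) -> Optional[str]:
    parent, child = basename(ev.parent_image), basename(ev.image)
    return f"{parent} -> {child}" if parent in SCRIPT_ENGINES and child in LOADER_HOSTS else None

RULES = [office_spawns_script_host, loader_dll_from_user_path,
         dropper_from_non_system_drive, script_host_spawns_loader]

def hunt(events: Iterable[ProcEvent]) -> list[Finding]:
    """Apply every rule to every event; output order follows the event stream."""
    return [(ev.ts, ev.host, rule.__name__, detail)
            for ev in events for rule in RULES if (detail := rule(ev))]

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
EXPLORER = r"C:\Windows\explorer.exe"
SYS32 = r"C:\Windows\System32"
# Constructed sample: three benign events, then a OneNote -> ISO -> rundll32 chain.
SAMPLE_EVENTS = [
    ProcEvent("2024-05-13T09:02:11Z", "WS-0417", OFFICE + r"\ONENOTE.EXE", EXPLORER,
              f'"{OFFICE}\\ONENOTE.EXE"'),
    ProcEvent("2024-05-13T09:05:40Z", "WS-0417", SYS32 + r"\rundll32.exe", EXPLORER,
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent("2024-05-13T09:06:02Z", "WS-0417", SYS32 + r"\cmd.exe", EXPLORER,
              r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent("2024-05-13T09:14:03Z", "WS-0417", SYS32 + r"\cmd.exe", OFFICE + r"\ONENOTE.EXE",
              r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\OneNote\16.0\NT\0\Open.cmd"'),
    ProcEvent("2024-05-13T09:14:05Z", "WS-0417", SYS32 + r"\wscript.exe", EXPLORER,
              r'"C:\Windows\System32\wscript.exe" "E:\Invoice_0521.js"'),
    ProcEvent("2024-05-13T09:14:09Z", "WS-0417", SYS32 + r"\rundll32.exe", SYS32 + r"\wscript.exe",
              r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\Invoice_0521.dll,Wind"),
]

if __name__ == "__main__":
    for ts, host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}: {detail}")
```

Run as-is it prints four findings for the malicious chain and nothing for the three benign events; the point is that every rule fires before any privilege escalation happens, which is where the CVE-2024-30051 stage would otherwise be your first signal. Two caveats for production use: the rules key on process names and paths, so rename-and-copy tricks (a script engine copied to a user directory) need a companion rule on the original file name from the PE header, and the non-system-drive rule assumes C: is the only system drive, which is wrong on hosts with data volumes that legitimately host scripts. Tune the allowlists per environment rather than loosening the rules.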

The reframe is about what victory looks like in this space. A takedown is a disruption, not an ending, and the clearest proof is a bug like CVE-2024-30051: the operation got dismantled, and its people were soon escalating to SYSTEM with a zero-day that several other crews also held. Patch like the exploit is already everywhere, because for elevation-of-privilege flaws it usually is, and treat every “we got them” headline as a pause in the same fight rather than the end of it. We read the KEV catalog’s elevation-of-privilege entries with that continuity in mind, since the actors behind them rarely stay gone.
