In late August 2023, in a major operation named Operation Duck Hunt, the FBI, along with international partners announced they dismantled the QakBot malware infrastructure. The botnet has been known to be used by different ransomware gangs, such as Ryuk, ProLock, Egregor, REvil, MegaCortex, Doppelpaymer and Black Basta for their malware delivery. While most of them are no longer active, some continue to operate — such as Black Basta. As seen by KELA, the botnet takedown could have affected their operations but it seems that two months after the dismantling, the group is back in business, possibly with a new initial infection vector. On the other hand, Black Basta may choose to persist in collaborating with threat actors linked to QakBot, given their ability to continue distributing the Knight ransomware (formerly known as Cyclops) successfully in recent months. This blog details the two operations’ collaboration with QakBot and how the takedown affected their activities.