Malware distributors are rotating payloads once again, switching between trojans that are often an intermediary stage in a longer infection chain. In February, IcedID was the new malware coming from the URLs that used to serve QBot. After about a gap of a month and a half, the malware distributor switched the payload back to QBot (a.k.a. QakBot), which has been seen delivering ProLock, Egregor, and DoppelPaymer ransomware in the past.
Source: https://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/