A new Qbot malware version now activates its persistence mechanism right before infected Windows devices shutdown and it automatically removes any traces when the system restarts or wakes up from sleep. Qbot is a Windows banking trojan with worm features active since at least 2009 and used to steal banking credentials, personal information, and financial data. The malware has also been used for logging user keystrokes, dropping backdoors on compromised computers, and deploying Cobalt Strike beacons used by ransomware operators to deliver ProLock and Egregor ransomware payloads.
Source: https://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-stealthy-new-windows-autostart-method/