Pikabot

Malware Profile Updated a month ago
PikaBot is a malware family that emerged in 2023, designed to compromise and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often without the user noticing. Once inside a system, PikaBot can steal personal information, disrupt operations, or hold data for ransom. The malware operates as a trojan that provides initial access to infected computers, which in turn facilitates ransomware deployment, remote takeover, and data theft. Its infection chain has been distributed by the threat group TA577, known for distributing Qbot before shifting back to PikaBot. PikaBot has been associated with other notable malware families such as IcedID, Gozi, DarkGate, AsyncRAT, JinxLoader, and BlackBasta ransomware. Between May 27 and 29, 2024, an international law enforcement operation named Operation Endgame, coordinated by Europol, targeted malware droppers including PikaBot, along with IcedID, SystemBC, Smokeloader, Bumblebee, and Trickbot. The malvertising technique used to deliver PikaBot has also been linked to other initial access malware, including the IcedID information stealer and the Gozi backdoor. While Qakbot has made a partial return, it has largely been replaced by successors such as PikaBot and DarkGate. BlackBerry researchers have noted increased use of specific malware families, including PrivateLoader, RisePro, SmokeLoader, and PikaBot. PikaBot's ability to bypass Endpoint Detection and Response (EDR) systems has been highlighted, raising concerns about the damage it can cause. Efforts to combat the spread and impact of PikaBot continue, with ongoing investigations and initiatives aimed at understanding and mitigating this threat.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
IcedID | 4 | IcedID is a type of malware, or malicious software, designed to exploit and harm computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, IcedID can steal personal information, disrupt operations, or even hold dat
TA577 | 4 | TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall
Gozi | 2 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Blackbasta | 2 | BlackBasta is a highly malicious software, or malware, known for its damaging effects on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once it has gained access, BlackBasta can steal personal information, disrup
Smokeloader | 2 | Smokeloader is a notorious malware that has been utilized extensively by Phobos actors to carry out ransomware attacks. The malware, often delivered through suspicious downloads, emails, or websites, embeds itself into the victim's system as a hidden payload. Once inside, it enables threat actors to
Truebot | 1 | Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
Omcloader | 1 | OMCLoader is a type of malware, malicious software designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. This harmful program can steal personal information, disrupt operations, or hold data for ransom once it has infected a system. O
Formbook | 1 | Formbook is a type of malware, or malicious software, that can infiltrate your computer or device through suspicious downloads, emails, or websites. Once it has infected a system, it can steal personal information, disrupt operations, and potentially hold data for ransom. The individual behind the R
Privateloader | 1 | PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
Latrodectus | 1 | Latrodectus, a new type of malware discovered in late 2023, is being used by Initial Access Brokers (IABs) in email threat campaigns. Initially mistaken for a variant of the well-known IcedID malware due to similar characteristics, researchers at Proofpoint and Team Cymru S2 Threat Research Team hav
Ta544 | 1 | TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Ransomware
Payload
Trojan
Phishing
Spam
Malvertising
Botnet
Evasive
Exploit
Dropper
Windows
Flashpoint
Injector
Loader Malware
Cobalt Strike
Reconnaissance
Blackberry
Cybercrime
Proofpoint
Curl
Crypter
Backdoor
Remcos
Associated Malware
ID | Type | Votes | Profile Description
QakBot | Unspecified | 9 | Qakbot, also known as QBot, is a versatile piece of malware capable of executing several malicious activities such as brute-forcing, web injects, and loading other types of malware. It's often used to steal credentials and gather information, with the cybercriminal group Black Basta being one notabl
Darkgate | Unspecified | 5 | DarkGate is a malicious software (malware) known for its harmful impact on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data host
Black Basta | Unspecified | 3 | Black Basta is a notorious malware group known for its malicious software, specifically ransomware attacks. Since early 2022, the Black Basta Ransomware gang has been actively involved in cybercrimes, amassing at least $107 million in Bitcoin ransom payments. The group's modus operandi involves expl
Qbot | Unspecified | 3 | Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
Bumblebee | Unspecified | 2 | Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Systembc | Unspecified | 2 | SystemBC is a malicious software (malware) that has been used in various cyber attacks to exploit and damage computer systems. This malware was observed in 2023, being heavily used with BlackBasta and Quicksand. It has been deployed by teams using BlackBasta during their attacks. Play ransomware act
Matanbuchus | Unspecified | 1 | Matanbuchus is a malicious software (malware) that has been actively used in various cyberattacks since July 16, 2022. Initially identified as part of a malspam campaign by Unit 42 in February 2023, it was believed to be a possible drop from the PikaBot malware. However, subsequent analysis revealed
TrickBot | Unspecified | 1 | TrickBot is a form of malware, or malicious software, that infiltrates systems to exploit and damage them. It can enter your system via dubious downloads, emails, or websites, often without the user's knowledge. Once inside, TrickBot can steal personal information, disrupt operations, or even hold d
Cutwail | Unspecified | 1 | Cutwail is a notorious malware that has been associated with various botnets, including Necurs, Andromeda, and Dridex, at different stages of their lifecycle. It has been implicated in the distribution of malicious payloads such as IcedID, Gozi, and Pushdo, often using crypters like Hexa, Forest, Sn
Lummac2 | Unspecified | 1 | LummaC2 is a relatively new information-stealing malware, first discovered in 2022. The malicious software has been under active development, with researchers identifying LummaC2 4.0 as a dynamic malware strain in November 2023. It's been used by threat actors for initial access or data theft, often
Pushdo | Unspecified | 1 | Pushdo is a type of malware that has been associated with various cyber attacks and malicious activities. First recognized in 2013, Pushdo was identified as the most widespread "bad bot," infecting over 4.2 million IPs including those of private companies, government agencies, and military networks.
Forest | Unspecified | 1 | The "Forest" is a type of malware that exploits vulnerabilities in the domain authentication process, specifically targeting the Golden Ticket, an authentication ticket used throughout a domain. By manipulating Security Identifier (SID) values, this malware can spoof Enterprise Admin rights across t
Lummac2 Stealer | Unspecified | 1 | LummaC2 Stealer is a prominent malware that has been increasingly utilized for initial access or information stealing over the past year. This malicious software, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or devices by
Pinkslipbot | Unspecified | 1 | Pinkslipbot, also known as Qakbot, QBot or QuackBot, is a modular information-stealing malware that has been active since 2008. Initially emerging in 2007 as a banking trojan, it targeted financial institutions to steal sensitive data. Over the years, however, its functionality evolved and diversifi
Blacksuit | Unspecified | 1 | BlackSuit is a malicious software (malware) that was introduced in May 2023, believed to be a rebranding of the Royal ransomware operation, which itself was a branch of the now-defunct Conti ransomware operation. Various sources have reported similarities in code between Royal and BlackSuit, further
Qakbot (Qbot | Unspecified | 1 | None
Fakebat | Unspecified | 1 | FakeBat is a notable malware variant that has been increasingly involved in malvertising campaigns since at least November 2022, as per an early 2023 Intel471 report. This malicious software exploits and damages computers or devices by infiltrating systems through suspicious downloads, emails, or we
Narwal Spider | Unspecified | 1 | None
Blackbasta Ransomware | Unspecified | 1 | BlackBasta is a ransomware-type malware, designed to infiltrate systems undetected and hold data hostage in exchange for ransom. Originating from Russian-speaking regions, this malicious software has been linked to numerous high-profile cyber attacks. The group behind BlackBasta has demonstrated its
Cobaltstrike | Unspecified | 1 | CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Vidar | Unspecified | 1 | Vidar is a Windows-based malware written in C++, known as an infostealer due to its ability to steal personal information from infected systems. It has been leveraged by cybercriminals alongside other malicious software like Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoade
Brute Ratel | Unspecified | 1 | Brute Ratel is a sophisticated malware variant that has been used in a series of cyber attacks targeting diplomatic staff and other sensitive targets. It's delivered through custom loaders embedded in lure documents, which are designed to trick the recipient into triggering the infection process. On
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Sdc/omcloader | Unspecified | 1 | None
Ta544 Narwal Spider | Unspecified | 1 | None
Source Document References
Information about the Pikabot malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | a month ago | Researchers Uncover Chinese Hacking Cyberespionage Campaign
Securityaffairs | a month ago | Operation Endgame, the largest law enforcement operation ever against botnets
BankInfoSecurity | 3 months ago | Sophisticated Latrodectus Malware Linked to 2017 Strain
CERT-EU | 4 months ago | Threat actors are turning to novel malware as malicious attacks rise
CERT-EU | 4 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 4 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #computerhacker - Am I Hacker Proof
CERT-EU | 4 months ago | How new and old security threats keep persisting - Help Net Security
CERT-EU | 4 months ago | Kaspersky spam and phishing report for 2023
CERT-EU | 4 months ago | Hackers steal Windows NTLM authentication hashes in phishing attacks
CERT-EU | 4 months ago | Week in review: LockBit leak site is back online, NIST updates its Cybersecurity Framework - Help Net Security
CERT-EU | 4 months ago | Week in review: LockBit leak site is back online, NIST updates its Cybersecurity Framework | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Malwarebytes | 4 months ago | PikaBot malware on the rise: What organizations need to know | Malwarebytes
CERT-EU | 5 months ago | Pikabot returns with new tricks up its sleeve - Help Net Security
CERT-EU | 5 months ago | Secure email gateways struggle to keep pace with sophisticated phishing campaigns - Help Net Security
CERT-EU | 5 months ago | O365 Volume Up in Q4 as Cybercriminals Target Brands in Credential Theft Attacks
Malwarebytes | 5 months ago | Ransomware review: January 2024
Flashpoint | 5 months ago | The Emerging Threat of PikaBot Malware
InfoSecurity-magazine | 5 months ago | Ransomware Incidents Hit Record High, But Law Enforcement Takedowns Sl