Pikabot

Malware updated a month ago (2024-10-22T23:00:59.062Z)

Download STIX

Preview STIX

Pikabot is a type of malware that serves as a trojan, providing initial access to infected computers. This enables the execution of ransomware deployments, remote takeovers, and data theft. It is part of a wider array of malicious software, including IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoader, among others. Pikabot has been distributed by threat group TA577 and is known to have been used in conjunction with other malware families such as PrivateLoader, RisePro, SmokeLoader. Notably, it was also identified as an agent of the Pikabot botnet, working alongside the IcedID information stealer and Gozi backdoor malware families. Between 27 and 29 May 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers including Pikabot. This operation sought to disrupt the activities of these harmful programs which had been causing significant damage to computer systems worldwide. Despite this action, malicious groups continued to evolve their methods. For instance, Black Basta initially used phishing and vishing to deliver other types of malware, such as Darkgate and Pikabot, but quickly began seeking alternatives for further malicious activity. The use of Pikabot and similar malware has shown the adaptability of cybercriminals. While Qakbot has returned in some limited form, it has been largely supplanted by its successors, Pikabot and DarkGate. The same malvertising technique used to spread Pikabot has been associated with a number of other initial access malware. This ongoing evolution underscores the need for continuous vigilance and up-to-date cybersecurity measures to protect against these ever-evolving threats.

Description last updated: 2024-10-22T17:42:35.428Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
IcedID is a possible alias for Pikabot. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d	4
TA577 is a possible alias for Pikabot. TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall	4
Smokeloader is a possible alias for Pikabot. SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its funct	2
Gozi is a possible alias for Pikabot. Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c	2
Blackbasta is a possible alias for Pikabot. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Loader

Payload

Ransomware

Trojan

Phishing

Malvertising

Spam

Botnet

Evasive

Exploit

Dropper

Windows

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The QakBot Malware is associated with Pikabot. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d	Unspecified	9
The Darkgate Malware is associated with Pikabot. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio	Unspecified	5
The Black Basta Malware is associated with Pikabot. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses	Unspecified	3
The Qbot Malware is associated with Pikabot. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi	Unspecified	3
The Systembc Malware is associated with Pikabot. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f	Unspecified	2
The Bumblebee Malware is associated with Pikabot. Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav	Unspecified	2

Source Document References

Information about the Pikabot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	a month ago	Experts warn of a new wave of Bumblebee malware attacks
DARKReading	4 months ago	Black Basta Develops Custom Malware in Wake of Qakbot Takedown
BankInfoSecurity	5 months ago	Researchers Uncover Chinese Hacking Cyberespionage Campaign
Securityaffairs	6 months ago	Operation Endgame, the largest law enforcement operation ever against botnets
BankInfoSecurity	8 months ago	Sophisticated Latrodectus Malware Linked to 2017 Strain
CERT-EU	8 months ago	Threat actors are turning to novel malware as malicious attacks rise
CERT-EU	8 months ago	Cybercrime on Main Street – Sophos News \| #cybercrime \| #infosec \| National Cyber Security Consulting
CERT-EU	8 months ago	Cybercrime on Main Street – Sophos News \| #cybercrime \| #computerhacker - Am I Hacker Proof
CERT-EU	8 months ago	How new and old security threats keep persisting - Help Net Security
CERT-EU	9 months ago	How new and old security threats keep persisting - Help Net Security
CERT-EU	9 months ago	Kaspersky spam and phishing report for 2023
CERT-EU	9 months ago	Hackers steal Windows NTLM authentication hashes in phishing attacks
CERT-EU	9 months ago	Week in review: LockBit leak site is back online, NIST updates its Cybersecurity Framework - Help Net Security
CERT-EU	9 months ago	Week in review: LockBit leak site is back online, NIST updates its Cybersecurity Framework \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
Malwarebytes	9 months ago	PikaBot malware on the rise: What organizations need to know \| Malwarebytes
CERT-EU	9 months ago	Pikabot returns with new tricks up its sleeve - Help Net Security
CERT-EU	9 months ago	Pikabot returns with new tricks up its sleeve - Help Net Security
CERT-EU	9 months ago	Secure email gateways struggle to keep pace with sophisticated phishing campaigns - Help Net Security
CERT-EU	9 months ago	O365 Volume Up in Q4 as Cybercriminals Target Brands in Credential Theft Attacks
Malwarebytes	9 months ago	Ransomware review: January 2024