Pikabot

Malware updated a day ago (2024-10-22T23:00:59.062Z)
Pikabot is a trojan that provides initial access to infected computers, enabling follow-on ransomware deployment, remote takeover, and data theft. It belongs to a wider array of malicious software that includes IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, and JinxLoader, among others. Pikabot has been distributed by the threat group TA577 and is known to have been used in conjunction with other malware families such as PrivateLoader, RisePro, and SmokeLoader. Notably, it was also identified as the agent of the Pikabot botnet, working alongside the IcedID information stealer and the Gozi backdoor.

Between 27 and 29 May 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers including Pikabot. The operation sought to disrupt programs that had been causing significant damage to computer systems worldwide. Despite this action, malicious groups continued to evolve their methods. Black Basta, for instance, initially used phishing and vishing to deliver other malware such as Darkgate and Pikabot, but quickly began seeking alternatives for further malicious activity.

The use of Pikabot and similar malware shows the adaptability of cybercriminals. While Qakbot has returned in limited form, it has been largely supplanted by its successors, Pikabot and DarkGate. The same malvertising technique used to spread Pikabot has been associated with a number of other initial-access malware families. This ongoing evolution underscores the need for continuous vigilance and up-to-date cybersecurity measures against these threats.
Description last updated: 2024-10-22T17:42:35.428Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): description

IcedID (4 votes): IcedID is a possible alias for Pikabot. IcedID is a prominent malware that has been utilized in various cyber-attacks. It functions as a malicious software designed to infiltrate and damage computer systems, often through suspicious downloads, emails, or websites. Once inside a system, IcedID can steal personal information, disrupt operat...

TA577 (4 votes): TA577 is a possible alias for Pikabot. TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall...

Smokeloader (2 votes): Smokeloader is a possible alias for Pikabot. SmokeLoader is a malicious software (malware) used by threat actors to infect systems and exfiltrate data. It operates in conjunction with other open-source tools like Cobalt Strike and Bloodhound, but most notably with Phobos ransomware. Threat actors often use SmokeLoader as a hidden payload in sp...

Gozi (2 votes): Gozi is a possible alias for Pikabot. Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c...

Blackbasta (2 votes): Blackbasta is a possible alias for Pikabot. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Payload
Ransomware
Trojan
Phishing
Malvertising
Spam
Botnet
Evasive
Exploit
Dropper
Windows
Associated Malware
Malware (association type, votes): description

QakBot (Unspecified, 9 votes): The QakBot Malware is associated with Pikabot. Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin...

Darkgate (Unspecified, 5 votes): The Darkgate Malware is associated with Pikabot. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio...

Black Basta (Unspecified, 3 votes): The Black Basta Malware is associated with Pikabot. Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul...

Qbot (Unspecified, 3 votes): The Qbot Malware is associated with Pikabot. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi...

Systembc (Unspecified, 2 votes): The Systembc Malware is associated with Pikabot. SystemBC is a type of malware that has been heavily utilized in various cyber attacks, including those involving the BlackBasta ransomware group in 2023. The Play ransomware actors have also been known to use SystemBC alongside other command and control (C2) applications such as Cobalt Strike and to...

Bumblebee (Unspecified, 2 votes): The Bumblebee Malware is associated with Pikabot. Bumblebee is a sophisticated malware loader first discovered by Google's Threat Analysis Group (TAG) in March 2022. It was named Bumblebee based on a user-agent string it used. The malware has been actively used by cybercriminal groups to distribute various types of malicious payloads such as ransom...
Source Document References
Information about the Pikabot Malware was read from the documents corpus below.
Source, created

Securityaffairs, a day ago
DARKReading, 3 months ago
BankInfoSecurity, 4 months ago
Securityaffairs, 5 months ago
BankInfoSecurity, 7 months ago
CERT-EU, 7 months ago
CERT-EU, 7 months ago
CERT-EU, 7 months ago
CERT-EU, 7 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
Malwarebytes, 8 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
Malwarebytes, 8 months ago