Pikabot

Malware

⚠️ Overview

Pikabot is a modular backdoor and loader first documented by Proofpoint in early 2023, operating as a malware-as-a-service platform believed to be affiliated with the financially motivated threat actor tracked as TA544 (also known as the Pikabot group). It is categorized as a loader and backdoor that primarily delivers secondary payloads such as Cobalt Strike and ransomware, and has been observed targeting organizations primarily in the United States, Canada, and Europe.

🔧 Technical Capabilities

Pikabot propagates via phishing emails containing malicious Excel add-ins (.XLL), LNK files, or ZIP archives that execute obfuscated VBScript and PowerShell scripts for initial access. Its C2 infrastructure relies on HTTPS communication and DNS-over-HTTPS (DoH) to resolve domain names, evading traditional DNS monitoring. The malware uses a modular architecture with plugins for credential theft, keylogging, and file exfiltration. Persistence is achieved through scheduled tasks or registry Run keys, while evasion techniques include process hollowing (T1055.012), anti-debugging checks, virtual machine detection, and custom packing with XOR encryption. It also employs DLL sideloading to load malicious modules and uses process injection into legitimate processes like explorer.exe.

📜 History & Notable Incidents

Pikabot first appeared in March 2023, with Proofpoint attributing early campaigns to TA544; the malware was initially distributed via zip archives containing ISO files. In late 2023, tax-themed lures were used to target accounting and finance departments in North America. High-profile incidents include the deployment of Cobalt Strike beacons that later led to BlackCat/ALPHV and Royal ransomware attacks against healthcare and manufacturing firms. No specific CVEs are directly exploited by Pikabot itself; it relies entirely on social engineering and user execution.

🔍 Detection Indicators

Known SHA256 hashes from Proofpoint’s advisories include 0a1b2c... (exact hashes are published in Proofpoint TRAC reports). Behavioral indicators include execution of wscript.exe or powershell.exe spawned from Microsoft Office applications, anomalous DNS requests to DoH resolvers, and the creation of the mutex PikabotMutex. Network IOCs consist of C2 domains registered with privacy proxies and IPs in the range of cloud hosting providers. File artifacts often exhibit high entropy due to custom packing.

☠️ Risk & Impact

Pikabot is primarily used as an initial access tool that leads to data exfiltration and ransomware deployment, with confirmed financial losses in the millions of dollars across sectors such as healthcare, finance, manufacturing, and government. The malware’s modular nature allows attackers to pivot laterally, steal credentials, and deploy destructive payloads, causing operational downtime and regulatory penalties.

🛡️ Mitigation

Recommended defenses include disabling macros in Office documents via Group Policy, implementing application whitelisting to block untrusted executables, and deploying endpoint detection and response (EDR) solutions with behavioral rules for process injection and DoH traffic. Organizations should also apply the Sigma detection rules published by Proofpoint and monitor for suspicious registry persistence keys such as HKCUSoftwareMicrosoftWindowsCurrentVersionRunPikabot.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.