{
	"id": "4a2a2aa1-4a2f-48a1-93bb-2bf0c31a228a",
	"created_at": "2026-04-06T00:08:16.49255Z",
	"updated_at": "2026-04-10T03:21:15.383742Z",
	"deleted_at": null,
	"sha1_hash": "6237c4fc6d76872a2fe6133d3cca6e12b18ac888",
	"title": "The Tale of the Pija-Droid Firefinch",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 181195,
	"plain_text": "The Tale of the Pija-Droid Firefinch\r\nBy Paul Burbage\r\nPublished: 2019-12-27 · Archived: 2026-04-05 14:31:05 UTC\r\nFrom the illuminating malware adversaries series.\r\nOne thing that I’ve learned from investigating malware adversaries for over a decade is that they enjoy reusing\r\nnicknames. An adversary that I have been tracking since February 2019 likes to use the moniker “Droid” in their\r\nLokibot command-and-control (C2) addresses. So begins the story of the “Pija-Droid Firefinch”.\r\nThe Pija-Droid Firefinch is a frequent flyer of Lokibot malware — an infostealer once marketed in Russian\r\nunderground forums but nowadays freely available to any ne’er-do-wells brazen enough to infect computers. It\r\nappears that this malware actor mainly targets Spanish-speaking communities based on language used in their\r\nmalspam lures. The malicious email attachments are usually obscure file archive formats, perhaps utilized to\r\ncircumvent AV scanners.\r\nTypical malicious email containing Spanish language.\r\nAt MalBeacon.com, we beacon malware adversaries while they are administering botnets, revealing quite a bit of\r\ninformation on attackers. We derived this adversary’s name using the following paradigm:\r\nPija = The Spanish word for “prick”. Spanish is also the preferred malspam language used by the attacker.\r\nDroid = Our adversary’s moniker and a common directory found in their C2 URLs.\r\nFirefinch = A bird native to Nigeria and our attacker’s location.\r\nSource: https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2"
	],
	"report_names": [
		"the-tale-of-the-pija-droid-firefinch-4d304fde5ca2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434096,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6237c4fc6d76872a2fe6133d3cca6e12b18ac888.pdf",
		"text": "https://archive.orkl.eu/6237c4fc6d76872a2fe6133d3cca6e12b18ac888.txt",
		"img": "https://archive.orkl.eu/6237c4fc6d76872a2fe6133d3cca6e12b18ac888.jpg"
	}
}