{
	"id": "eac81411-8d72-4936-8dcc-1a41354abf41",
	"created_at": "2026-04-06T01:31:07.553073Z",
	"updated_at": "2026-04-10T03:21:30.456489Z",
	"deleted_at": null,
	"sha1_hash": "a045326546a4cdbc3acc7dc3c7899c21616c9821",
	"title": "Pulsedive Blog | Pikabot Rising",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 773672,
	"plain_text": "Pulsedive Blog | Pikabot Rising\r\nBy Pulsedive Threat Research\r\nPublished: 2024-01-22 · Archived: 2026-04-06 01:26:49 UTC\r\nPikabot is an emerging loader that has been active since early 2023. The malware provides access to environments with the ability to remotely execute commands for reconnaissance or the ingress of additional tools. Over the past year, security researchers have observed Pikabot distributed through malspam and malvertising. Its usage became more prevalent following the takedown of Qakbot by law enforcement agencies in 2023.\r\nFigure 1. Pulsedive's Pikabot threat page\r\nThis blog provides an overview of the distribution mechanisms and features of Pikabot to highlight its capabilities, which include:\r\nAnti-analysis checks\r\nLoading junk libraries\r\nExecuting commands\r\nGathering system information\r\nDistribution Mechanisms\r\nPikabot has been distributed primarily through spam emails. Following the takedown of Qakbot in August 2023, there was an increase in campaigns using Pikabot. Similar to campaigns spreading other malware, these emails are often part of a hijacked thread containing either an attachment or a link to download the file.\r\nSpam Campaigns\r\nhttps://blog.pulsedive.com/pikabot/\r\nPage 1 of 11\r\nTrend Micro Research identified a spam campaign used to deliver Pikabot. The campaign leveraged thread hijacking, where threat actors inject themselves into existing email threads and send emails as if the malicious entity was always part of the thread. Typically, Pikabot intrusions start through a JavaScript file that is used to download and execute the second-stage payload. In other observed intrusions, instead of a JavaScript file, the ZIP archive contained either an IMG or PDF file. In the case of an IMG, it consists of a LNK file masquerading as a Word document and the Pikabot DLL. The LNK file is used to execute the Pikabot DLL. 
For PDFs, the PDF serves as a lure that is used to download the DLL sample. The LOLBIN rundll32.exe is used to execute the DLL file.\r\nFigure 2: Execution flow observed in spam campaigns delivering Pikabot.\r\nMalvertising\r\nThreat researchers have also identified cases where Pikabot was distributed through malicious advertising. In one example, Pikabot impersonated the remote access tool AnyDesk in a malvertising campaign (Malwarebytes). The campaign used paid advertisements so that the phishing sites appeared at the top of a user’s Google search results, relying on the user clicking the sponsored link instead of the actual AnyDesk URL. After users clicked the malvertising link, they were redirected to a page mimicking the AnyDesk webpage.\r\nFigure 3: A web page masquerading as the official AnyDesk download source (Malwarebytes)\r\nThe page hosts a malicious .msi file used to run Pikabot. The MSI uses process hollowing to execute the malicious code in a SearchProtocolHost.exe process, by creating the process in a suspended state, unmapping the process memory, writing the malicious code to memory, and then resuming the thread.\r\nFigure 4: Execution flow observed in Pikabot intrusions originating from malvertising campaigns.\r\nFeatures of Pikabot\r\nDynamic API Resolving\r\nPikabot samples resolve APIs at runtime. This means that some of the APIs needed for the sample to execute are loaded during its execution and not when the program is compiled. This is an attempt by the malware author to make it more difficult to determine functionality through static analysis of imported APIs. Three functions are resolved through API hashing, and once GetProcAddress and LoadLibraryA are resolved, they can be used to resolve other APIs whose names are stored as encrypted strings and decrypted at runtime.\r\nOALabs developed Python code that can be used to decrypt the strings. 
The figure below shows some of the decrypted strings from the sample 39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206.\r\nFigure 5: Python code showing the decrypted strings. Screenshot from OALabs\r\nAnti-Analysis Techniques\r\nThe sample leverages several anti-analysis techniques to make analysis of the malware more difficult, which include:\r\nUsing INT2D and INT3 to raise exception handlers\r\nINT3 is a software breakpoint that is used to trigger an interrupt. When a debugger is not in use, the exception handler is called after an INT3 exception is raised. When a debugger is present, control of the program is not handed to the exception handler.\r\nFor INT2D, Windows uses the EIP register as the exception address and then increments the EIP register value. This instruction may cause issues for debuggers since increasing the EIP may cause instructions to be skipped.\r\nChecking the BeingDebugged flag in the PEB\r\nCalling the APIs CheckRemoteDebuggerPresent() and IsDebuggerPresent()\r\nLoading junk libraries\r\nDelaying execution using the Beep() function\r\nThis is used in a similar fashion to the Sleep function and is intended to delay execution. The Beep function generates a tone that is played on the speakers. 
The execution of the program waits until the sound stops before resuming.\r\nChecking the value of NtGlobalFlag in the process environment block to see if a debugger is attached\r\nCalling NtQueryInformationProcess() with the flag 0x7 (ProcessDebugPort)\r\nUsing GetWriteWatch() to get the addresses of allocated pages that have been written to\r\nChecking if the number of processors is less than or equal to 2\r\nUsing the rdtsc instruction to detect single steps taken in a debugger\r\nChecking memory size with GlobalMemoryStatusEx() to see if it is less than 2GB\r\nFigure 6: The anti-analysis techniques used by Pikabot\r\nCheckpoint Research has a helpful resource covering several anti-debug tricks observed within Pikabot samples.\r\nLanguage Checks\r\nApart from the checks outlined above, which cause the program to terminate, Pikabot samples also check the language of the system to avoid infecting CIS countries. Zscaler identified that the samples check for the following languages:\r\nGeorgian\r\nKazakh\r\nUzbek\r\nTajik\r\nRussian\r\nUkrainian\r\nBelarusian\r\nSlovenian\r\nFigure 7: Pikabot uses the GetUserDefaultLangID function to return the language identifier of the Region set for the current user. Screenshot from 0DAY IN {REA_TEAM}.\r\nThe API function GetUserDefaultLangID returns the language for the current user. This information can also be determined from Control Panel -\u003e Clock, Language, and Region -\u003e Change date, time, or number formats -\u003e Formats (Microsoft).\r\nLanguage identifiers are numerical abbreviations for languages.\r\nIf any of these languages are identified, then the program terminates. This type of check to avoid infecting endpoints in CIS countries is not unique to Pikabot and has also been observed in several ransomware variants. 
\r\nCapabilities\r\nOnce the anti-analysis checks are complete, the malware initiates connections with a Command and Control server. The malware also executes several commands to gather additional information about the compromised host. The commands include collecting network information using the ipconfig.exe binary and collecting user information through the whoami.exe /all command.\r\nApart from using native binaries to collect system information, researchers at Zscaler identified the following capabilities that the malware can perform.\r\ncmd\r\ndestroy\r\nshellcode\r\ndll\r\nExe\r\nknock_timeout\r\nInformation collection\r\nscreenshot\r\nwhoami\r\nipconfig\r\nprocesses\r\nConclusion\r\nPikabot is a relatively recent loader that increased in popularity from August 2023 onwards. As of January 2024, there has been just 1 sample shared on Malware Bazaar, uploaded on January 3rd, 2024. The malware adopts several anti-analysis techniques which make it difficult to detect and analyse. Pikabot binaries resolve APIs using API hashing and decrypted strings, meaning looking at imports during static analysis may not provide insight into the malware’s functionality. The malware can also execute commands on the infected host, using this to conduct system information discovery activities.\r\nRecommendations\r\nContinued User Awareness Training\r\nBoth of Pikabot’s dissemination mechanisms require user execution. Continued user awareness training may help mitigate the risk from spam and malvertising by teaching users how these threats work and what to look out for.\r\nMonitor and block the execution of cmd or curl from scripting interpreters\r\nThis helps alert on potentially malicious VBScript or JavaScript files attempting to download additional payloads or launch recently downloaded executable content. Some security products contain rules to block this type of activity. 
An example is the Block JavaScript or VBScript from launching downloaded executable content attack surface reduction rule in Microsoft Defender for Endpoint.\r\nIndicators of Compromise\r\nThe table below contains a list of Pikabot network IoCs identified and added to the Pulsedive platform. IoCs can be queried in Pulsedive using the Explore query threat=\"Pikabot\" and are available for export in multiple formats (CSV, STIX 2.1, JSON).\r\nPikabot IOCs\r\nAnd more, retrieve all indicators here\r\nThe table below shows some fingerprints for Pikabot C2 infrastructure:\r\nFingerprint Type Fingerprint Value\r\nJARM 21d19d00021d21d21c21d19d21d21dd188f9fdeea4d1b361be3a6ec494b2d2\r\nJA4+ 1a59268f55e5_1a59268f55e5_795797892f9c\r\nMITRE ATT\u0026CK TTPs\r\nTechnique Tactic\r\nCollection\r\nArchive Collected Data (T1560)\r\nInput Capture (T1056)\r\nCommand and Control\r\nEncrypted Channel (T1573)\r\nNon-Standard Port (T1571)\r\nCredential Access Input Capture (T1056)\r\nDefense Evasion Hijack Execution Flow: DLL Side-Loading (T1574.002)\r\nImpair Defenses: Disable or Modify Tools (T1574.002)\r\nImpair Defenses: File Deletion (T1070.004)\r\nMasquerading (T1036)\r\nModify Registry (T1112)\r\nNative API (T1106)\r\nObfuscated Files or Information (T1027)\r\nProcess Hollowing (T1055.012)\r\nSystem Binary Proxy Execution: Regsvr32 (T1218.010)\r\nSystem Binary Proxy Execution: Rundll32 (T1218.011)\r\nVirtualization/Sandbox Evasion (T1497)\r\nDiscovery\r\nFile and Directory Discovery (T1083)\r\nProcess Discovery 
(T1057)\r\nSoftware Discovery: Security Software Discovery (T1518)\r\nSystem Information Discovery (T1082)\r\nSystem Owner/User Discovery (T1033)\r\nVirtualization/Sandbox Evasion (T1497)\r\nEvasion Masquerading (T1036)\r\nExecution\r\nNative API (T1106)\r\nSystem Binary Proxy Execution: Regsvr32 (T1218.010)\r\nSystem Binary Proxy Execution: Rundll32 (T1218.011)\r\nShared Modules (T1129)\r\nPersistence Hijack Execution Flow: DLL Side-Loading (T1574.002)\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)\r\nSource: https://blog.pulsedive.com/pikabot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.pulsedive.com/pikabot/"
	],
	"report_names": [
		"pikabot"
	],
	"threat_actors": [],
	"ts_created_at": 1775439067,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a045326546a4cdbc3acc7dc3c7899c21616c9821.pdf",
		"text": "https://archive.orkl.eu/a045326546a4cdbc3acc7dc3c7899c21616c9821.txt",
		"img": "https://archive.orkl.eu/a045326546a4cdbc3acc7dc3c7899c21616c9821.jpg"
	}
}