{
	"id": "72d46dc0-ed41-486c-91bc-a7e0b99a606f",
	"created_at": "2026-04-06T00:19:27.240256Z",
	"updated_at": "2026-04-10T03:30:57.709499Z",
	"deleted_at": null,
	"sha1_hash": "a1d7a071657162680fca520a9c9f4a94e08d112f",
	"title": "#ShortAndMalicious — PikaBot and the Matanbuchus connection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1144477,
	"plain_text": "#ShortAndMalicious — PikaBot and the Matanbuchus connection\r\nBy DCSO CyTec Blog\r\nPublished: 2023-02-11 · Archived: 2026-04-05 16:56:57 UTC\r\nPress enter or click to view image in full size\r\nPhoto by Timothy Dykes on Unsplash\r\nContinuing our #ShortAndMalicious series, where we aim to briefly highlight new or otherwise noteworthy\r\nmalware, a tweet by Unit 42 Intel caught our attention early February 2023:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398\r\nPage 1 of 4\n\nThank you Unit 42 for sharing!\r\nHaving covered Matanbuchus before, DCSO CyTec jumped in to investigate this new sample, which quickly\r\nturned out to be a new malware family instead.\r\nTwitter user Germán Fernández then identified it as “PikaBot/iPikaBot” so we set out to see what’s under the\r\nhood.\r\nBlog post authored by Johann Aydinbas and Axel Wauer.\r\nWhat we know\r\nIn short, here’s what we know after analyzing the new PikaBot sample:\r\nIt is d̶i̶s̶t̶r̶i̶b̶u̶t̶e̶d̶ ̶b̶y̶ ̶Q̶a̶k̶b̶o̶t (correction: it was distributed similarly to Qakbot — thank you\r\n@malware_traffic for pointing out the misunderstanding!)\r\nIt’s a loader type malware, so the purpose is mainly fetching additional malware (for now)\r\nIt’s split into a loader and a core component\r\nIt features a heavy amount of anti-debug functions… we stopped naming them after identifying the 20th\r\nanti-debug function, and it contains some anti-VM functionality in addition\r\nTraffic consists of exchanging JSON blobs over HTTPS, with the payload encrypted using Base64+AES-CBC\r\nhttps://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398\r\nPage 2 of 4\n\nA lot of configuration is hardcoded (C2 servers, request paths)\r\nIt excludes CIS countries based on the configured language ID of the infected system\r\nInitial POSTs to the hardcoded C2 feature the following 
decrypted payload:\r\n{\r\n \"uuid\": \"542F70A6000008AC43698032133\",\r\n \"stream\": \"bb_d2@T@dd48940b389148069ffc1db3f2f38c0e\",\r\n \"os_version\": \"Win 10.0 19045\",\r\n \"product_number\": 48,\r\n \"username\": \"batman\",\r\n \"pc_name\": \"DESKTOP-BATCAVE\",\r\n \"cpu_name\": \"Intel(R) Xeon(R) CPU E3-1505M v6 @ 3.00GHz\",\r\n \"arch\": \"x86\",\r\n \"pc_uptime\": 1994593,\r\n \"gpu_name\": \"VMware SVGA 3D\",\r\n \"ram_amount\": 4095,\r\n \"screen_resolution\": \"1567x904\",\r\n \"version\": \"0.1.7\",\r\n \"av_software\": \"unknown\",\r\n \"domain_name\": \"\",\r\n \"domain_controller_name\": \"unknown\",\r\n \"domain_controller_address\": \"unknown\"\r\n}\r\nNoteworthy is the version number reported as 0.1.7, so the malware appears to be in the very early stages of development.\r\nAnalysis is still ongoing, but the commands we have identified so far are as follows:\r\ncmd: Run shell command\r\nexe: Fetch and run EXE\r\ndll: Fetch and run DLL\r\nshellcode: Run shellcode\r\nadditional: Send additional system info (?)\r\nknock_timeout: Change C2 check-in interval\r\ndestroy: Not implemented yet\r\nNew devil or new clothes?\r\nRegarding the Matanbuchus connection — without further hard evidence we can’t assess a possible relationship between both malware families.\r\nPikaBot is definitely a new malware family in the early stages of development. 
Based on previous research of Matanbuchus, we’ve noticed some similarities, however:\r\nBoth malware families are written in C/C++\r\nBoth malware families utilize a clear loader/core component split\r\nBoth malware families utilize JSON+Base64+crypto (Matanbuchus: RC4, PikaBot: AES-CBC) for traffic\r\nBoth malware families extensively use hardcoded strings instead of some sort of configuration blob\r\nThese similarities might hint towards a possible connection between the two malware families.\r\nIoCs\r\nSHA256\r\nc666aeb7ed75e58b645a2a4d1bc8c9d0a0a076a8a459e33c6dc60d12f4fa0c01 Loader\r\n59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1 Core\r\nSource: https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398"
	],
	"report_names": [
		"shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398"
	],
	"threat_actors": [
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434767,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1d7a071657162680fca520a9c9f4a94e08d112f.pdf",
		"text": "https://archive.orkl.eu/a1d7a071657162680fca520a9c9f4a94e08d112f.txt",
		"img": "https://archive.orkl.eu/a1d7a071657162680fca520a9c9f4a94e08d112f.jpg"
	}
}