{
	"id": "1fa85458-7928-4ee9-8f71-477d18622e8b",
	"created_at": "2026-04-06T00:19:16.363618Z",
	"updated_at": "2026-04-10T03:24:31.399524Z",
	"deleted_at": null,
	"sha1_hash": "b2c37ecc3545933fa4b0212db237c514010e9824",
	"title": "Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1123460,
	"plain_text": "Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign\r\nPublished: 2024-01-09 · Archived: 2026-04-05 14:08:23 UTC\r\nPhishing\r\nA threat actor we track under the Intrusion set Water Curupira (known to employ the Black Basta ransomware) has been actively using Pikabot, a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.\r\nBy: Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot, Ian Kenefick\r\nJan 09, 2024 Read time: 8 min (2105 words)\r\nPikabot is a type of loader malware that was actively used in spam campaigns by a threat actor we track under the Intrusion set Water Curupira in the first quarter of 2023, followed by a break at the end of June that lasted until the start of September 2023. Other researchers have previously noted its strong similarities to Qakbot, the latter of which was taken down by law enforcement in August 2023. An increase in the number of phishing campaigns related to Pikabot was recorded in the last quarter of 2023, coinciding with the takedown of Qakbot — hinting at the possibility that Pikabot might be a replacement for the latter (with DarkGate being another temporary replacement in the wake of the takedown).\r\nPikabot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C\u0026C) server. Pikabot is a sophisticated piece of multi-stage malware with a loader and core module within the same file, as well as a decrypted shellcode that decrypts another DLL file from its resources (the actual payload).\r\nIn general, Water Curupira conducts campaigns for the purpose of dropping backdoors such as Cobalt Strike, leading to Black Basta ransomware attacks (coincidentally, Black Basta also returned to operations in September 2023). The threat actor conducted several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot.\r\nPikabot, which gains initial access to its victim’s machine through spam emails containing an archive or a PDF attachment, exhibits the same behavior and campaign identifiers as Qakbot.\r\nhttps://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html\r\nPage 1 of 11\n\nFigure 1. Our observations from the infection chain based on Trend’s investigation\r\nInitial access via email\r\nThe malicious actors who send these emails employ thread-hijacking, a technique where malicious actors use existing email threads (possibly stolen from previous victims) and create emails that look like they were meant to be part of the thread to trick recipients into believing that they are legitimate. Using this technique increases the chances that potential victims would select malicious links or attachments. Malicious actors send these emails using addresses (created either through new domains or free email services) with names that can be found in original email threads hijacked by the malicious actor. The email contains most of the content of the original thread, including the email subject, but adds a short message on top directing the recipient to open the email attachment.\r\nThis attachment is either a password-protected archive ZIP file containing an IMG file or a PDF file. The malicious actor includes the password in the email message. Note that the name of the file attachment and its password vary for each email.\r\nFigure 2. Sample email with a malicious ZIP attachment\r\nFigure 3. Sample email with a malicious PDF attachment\r\nThe emails containing PDF files have a shorter message telling the recipient to check or view the email attachment.\r\nThe first stage of the attack\r\nThe attached archive contains a heavily obfuscated JavaScript (JS) file with a file size amounting to more than 100 KB. Once executed by the victim, the script will attempt to execute a series of commands using conditional execution.\r\nFigure 4. Files extracted from the attached archive (.zip or .img)\r\nFigure 5. Deobfuscated JS command\r\nThe script attempts command execution using cmd.exe. If this initial attempt is unsuccessful, the script proceeds with the following steps: It echoes a designated string to the console and tries to ping a specified target using the same string. In case the ping operation fails, the script employs Curl.exe to download the Pikabot payload from an external server, saving the file in the system's temporary directory.\r\nSubsequently, the script will retry the ping operation. If the retry is also unsuccessful, it uses rundll32.exe to execute the downloaded Pikabot payload (now identified as a .dll file) with \"Crash\" as the export parameter. The sequence of commands concludes by exiting the script with the specified exit code, ciCf51U2FbrvK.\r\nWe were able to observe another attack chain where the malicious actors implemented a more straightforward attempt to deliver the payload. As before, similar phishing techniques were performed to trick victims into downloading and executing malicious attachments. In this case, password-protected archive attachments were deployed, with the password contained in the body of the email.\r\nHowever, instead of a malicious script, an IMG file was extracted from the attachment. This file contained two additional files — an LNK file posing as a Word document and a DLL file, which turned out to be the Pikabot payload extracted straight from the email attachment:\r\nFigure 6. The content of the IMG file\r\nContrary to the JS file observed earlier, this chain maintained its straightforward approach even during the execution of the payload.\r\nOnce the victim is lured into executing the LNK file, rundll32.exe will be used to run the Pikabot DLL payload using an export parameter, “Limit”.\r\nThe content of the PDF file is disguised to look like a file hosted on Microsoft OneDrive to convince the recipient that the attachment is legitimate. Its primary purpose is to trick victims into accessing the PDF file content, which is a link to download malware.\r\nFigure 7. Malicious PDF file disguised to look like a OneDrive attachment; note the misspelling of the word “Download”\r\nWhen the user selects the download button, it will attempt to access a malicious URL, then proceed to download a malicious JS file (possibly similar to the previously mentioned JS file).\r\nThe delivery of the Pikabot payload via PDF attachment is a more recent development, emerging only in the fourth quarter of 2023.\r\nWe discovered an additional variant of the malicious downloader that employed obfuscation methods involving array usage and manipulation:\r\nFigure 8. Elements of array “_0x40ee” containing download URLs and JS methods used for further execution\r\nNested functions employed array manipulation methods using “push” and “shift,” introducing complexity to the code's structure and concealing its flow to hinder analysis. The presence of multiple download URLs, the dynamic creation of random directories using the mkdir command, and the use of Curl.exe, as observed in the preceding script, are encapsulated within yet another array.\r\nThe JavaScript will run multiple commands in an attempt to retrieve the malicious payload from different external websites using Curl.exe, subsequently storing it in a random directory created using mkdir.\r\nFigure 9. Payload retrieval commands using curl.exe\r\nThe rundll32.exe file will continue to serve as the execution mechanism for the payload, incorporating its export parameter.\r\nFigure 10. Payload execution using rundll32.exe\r\nThe Pikabot payload\r\nWe analyzed the DLL file extracted from the archive shown in Figure 6 and found it to be a sample of a 32-bit DLL file with 1515 exports. Calling its export function “Limit”, the file will decrypt and execute a shellcode that identifies if the process is being debugged by calling the Windows API NtQueryInformationProcess twice with the flag 0x7 (ProcessDebugPort) on the first call and 0x1F (ProcessDebugFlags) on the second call. This shellcode also decrypts another DLL file that it loads into memory and then eventually executes.\r\nFigure 11. The shellcode calling the entry point of the decrypted DLL file\r\nThe decrypted DLL file will execute another anti-analysis routine by loading incorrect libraries and other junk to detect sandboxes. This routine seems to be copied from a certain GitHub article.\r\nSecurity/Virtual Machine/Sandbox DLL files: cmdvrt.32.dll, cmdvrt.64.dll, cuckoomon.dll, pstorec.dll, avghookx.dll, avghooka.dll, snxhk.dll, api_log.dll, dir_watch.dll, wpespy.dll\r\nReal DLL files: kernel32.dll, networkexplorer.dll, NlsData0000.dll\r\nFake DLL files: NetProjW.dll, Ghofr.dll, fg122.dll\r\nTable 1. The DLL files loaded to detect sandboxes\r\nAfter performing the anti-analysis routine, the malware loads a set of PNG images from its resources section which contains an encrypted chunk of the core module and then decrypts them. Once the core payload has been decrypted, the Pikabot injector creates a suspended process (%System%\\SearchProtocolHost) and injects the core module into it. The injector uses indirect system calls to hide its injection.\r\nFigure 12. Loading the PNG images to build the core module\r\nResolving the necessary APIs is among the malware's initial actions. Using a hash of each API (0xF4ACDD8, 0x03A5AF65E, and 0xB1D50DE4), Pikabot uses two functions to obtain the addresses of the three necessary APIs, GetProcAddress, LoadLibraryA, and HeapFree. This process is done by looking through kernel32.dll exports. The rest of the used APIs are resolved using GetProcAddress with decrypted strings. Other pertinent strings are also decrypted during runtime before they are used.\r\nFigure 13. Harvesting the GetProcAddress and LoadLibrary API\r\nThe Pikabot core module checks the system’s languages and stops its execution if the language is any of the following:\r\nRussian (Russia)\r\nUkrainian (Ukraine)\r\nIt will then ensure that only one instance of itself is running by creating a hard-coded mutex, {A77FC435-31B6-4687-902D-24153579C738}.\r\nThe next stage of the core module involves obtaining details about the victim’s system and forwarding them to a C\u0026C server. The collected data uses a JSON format, with every data item using the wsprintfW function to fill its position. The stolen data will look like the image in Figure 13 but with the collected information before encryption:\r\nFigure 14. Stolen information in JSON format before encryption\r\nPikabot seems to have a binary version and a campaign ID. The keys 0fwlm4g and v2HLF5WIO are present in the JSON data, with the latter seemingly being a campaign ID.\r\nThe malware creates a named pipe and uses it to temporarily store the additional information gathered by creating the following processes:\r\nwhoami.exe /all\r\nipconfig.exe /all\r\nnetstat.exe -aon\r\nEach piece of information returned will be encrypted before the execution of the process.\r\nA list of running processes on the system will also be gathered and encrypted by calling CreateToolhelp32Snapshot and listing processes through Process32First and Process32Next.\r\nOnce all the information is gathered, it will be sent to one of the following IP addresses appended with the specific URL, cervicobrachial/oIP7xH86DZ6hb?vermixUnintermixed=beatersVerdigrisy\u0026backoff=9zFPSr:\r\nHowever, as of writing, these sites are inaccessible.\r\nC\u0026C servers and impact\r\nAs previously mentioned, Water Curupira conducts campaigns to drop backdoors such as Cobalt Strike, which leads to Black Basta ransomware attacks. It is this potential association with a sophisticated type of ransomware such as Black Basta that makes Pikabot campaigns particularly dangerous.\r\nThe threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot.\r\nLastly, we have observed distinct clusters of Cobalt Strike beacons with over 70 C\u0026C domains leading to Black Basta, and which have been dropped via campaigns conducted by this threat actor.\r\nSecurity recommendations\r\nTo avoid falling victim to various online threats such as phishing, malware, and scams, users should stay vigilant when it comes to emails they receive. The following are some best practices in user email security:\r\nAlways hover over embedded links with the pointer to learn where the link leads.\r\nCheck the sender’s identity. Unfamiliar email addresses, mismatched email and sender names, and spoofed company emails are signs that the sender has malicious intent.\r\nIf the email claims to come from a legitimate company, verify both the sender and the email content before downloading attachments or selecting embedded links.\r\nKeep operating systems and all pieces of software updated with the latest patches.\r\nRegularly back up important data to an external and secure location. This ensures that even if you fall victim to a phishing attack, you can restore your information.\r\nA multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.\r\nTrend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.\r\nTrend Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this blog entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
	],
	"report_names": [
		"a-look-into-pikabot-spam-wave-campaign.html"
	],
	"threat_actors": [
		{
			"id": "90c6b15c-19e3-4f98-b3fc-9936083a4349",
			"created_at": "2024-01-12T02:00:04.325918Z",
			"updated_at": "2026-04-10T02:00:03.515925Z",
			"deleted_at": null,
			"main_name": "Water Curupira",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Curupira",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434756,
	"ts_updated_at": 1775791471,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2c37ecc3545933fa4b0212db237c514010e9824.pdf",
		"text": "https://archive.orkl.eu/b2c37ecc3545933fa4b0212db237c514010e9824.txt",
		"img": "https://archive.orkl.eu/b2c37ecc3545933fa4b0212db237c514010e9824.jpg"
	}
}