Pikabot is a modular malware family first observed in early 2023 that has quickly become a significant threat in the cybercrime landscape. It is primarily a loader and backdoor: it delivers additional payloads, including ransomware, spyware, and remote access tools, and gives operators extensive remote control over compromised systems. Pikabot has filled the gap left by the August 2023 takedown of QakBot's infrastructure, and many of its tactics, techniques, and procedures (TTPs) closely mirror those of QakBot and of other loaders such as DarkGate and IcedID.
Technical Architecture and Functionality
• Pikabot consists of two main components: a loader and a core backdoor module.
• The loader handles initial infection: it unpacks (decrypts) the core module and injects it into a legitimate Windows process, so the backdoor runs under a trusted process name rather than as a standalone executable on disk.
• The core module handles command execution, payload delivery, system reconnaissance, data exfiltration, and interaction with the attacker’s command-and-control (C2) infrastructure.
Key Capabilities
• Arbitrary command execution via C2.
• Download and execution of additional payloads (malware, ransomware, Cobalt Strike beacons).
• Process injection into legitimate Windows binaries (e.g., ctfmon.exe) so the core module runs under a trusted process name and blends in with normal activity.
• System and network reconnaissance to assist in lateral movement and privilege escalation.
• Collection and exfiltration of sensitive information (credentials, banking data, personal information).
• Persistence mechanisms and lateral movement across networks.
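The injection into ctfmon.exe listed above is the kind of behaviour endpoint telemetry can catch. As an added example (not code from the original page and not the Pikabot authors' code), the following Python flags processes that open ctfmon.exe with injection-capable access rights or create a remote thread in it, using fields in the shape Sysmon writes for Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread). The baseline source list and the log lines are constructed assumptions for this example; the PROCESS_* access-right constants are the standard Windows values.

```python
"""Flag injection-capable access to ctfmon.exe in Sysmon-style events.

Added example by the editor, not Pikabot code and not from the original page.
The event fields mirror Sysmon's ProcessAccess (Event ID 10) and
CreateRemoteThread (Event ID 8) records; the log lines below are constructed
for this example, not captured from an infection.
"""
import re

# Processes that legitimately touch ctfmon.exe on a typical host. This is an
# assumed baseline for the example; a real deployment tunes it per environment.
BASELINE_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}

# Process access rights that together permit classic injection
# (write memory in the target, then start a thread there).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Key=Value fields; values may contain spaces, so a value ends only where
# the next "Key=" begins or the line ends.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse one 'Key=Value Key=Value ...' line into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def is_ctfmon(path):
    return path.lower().endswith("\\ctfmon.exe")


def evaluate(lines):
    """Return (source_image, reason) for each event that looks like injection into ctfmon.exe."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_ctfmon(ev.get("TargetImage", "")):
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in BASELINE_SOURCES:
            continue
        event_id = int(ev.get("EventID", "0"))
        if event_id == 8:
            findings.append((source, "remote thread created in ctfmon.exe"))
        elif event_id == 10:
            granted = int(ev.get("GrantedAccess", "0"), 16)
            # Only alert when every right needed for injection was granted;
            # read-only handles (query/VM_READ) are common and benign.
            if (granted & INJECT_RIGHTS) == INJECT_RIGHTS:
                findings.append((source, f"ctfmon.exe opened with injection rights (0x{granted:X})"))
    return findings


# Constructed sample events (not real telemetry): a baseline process with a
# full-access handle, explorer with a read-only handle, and an unsigned-looking
# rundll32.exe in a temp directory that opens ctfmon.exe and starts a thread in it.
SAMPLE_LOG = r"""
EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\ctfmon.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Windows\System32\ctfmon.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\rundll32.exe TargetImage=C:\Windows\System32\ctfmon.exe GrantedAccess=0x1FFFFF
EventID=8 SourceImage=C:\Users\alice\AppData\Local\Temp\rundll32.exe TargetImage=C:\Windows\System32\ctfmon.exe StartAddress=0x00007FF6A3C01000
EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\rundll32.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1FFFFF
""".strip().splitlines()

if __name__ == "__main__":
    for source, reason in evaluate(SAMPLE_LOG):
        print(f"ALERT {source}: {reason}")
```

Run against the constructed lines, only the two rundll32.exe events are reported: the full-access handle from svchost.exe is in the baseline, and explorer.exe's handle lacks write and thread-creation rights. A real rule would also key on signer, image path and parent process of the source, since the baseline here is illustrative.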
Evasion and Anti-Analysis Techniques
Pikabot employs an array of advanced evasion tactics to avoid detection and hinder analysis:
• Anti-VM and anti-debugging checks: Detects virtual environments and debugging tools, terminating itself if found.
• Language checks: Self-terminates if the system language is one used in CIS countries (e.g., Russian, Ukrainian, Belarusian), so that machines in those regions are not infected.
• Code obfuscation: Encrypted strings and junk code complicate static analysis, while indirect system calls bypass the user-mode API hooks that security tools rely on, hindering dynamic analysis and detection.
• Delayed execution: Postpones malicious actions to outlast sandbox analysis windows.
• Dynamic configuration: Newer versions download configuration files from C2 servers rather than relying on hardcoded settings, increasing adaptability.
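The language check above is a small decision on a Windows LANGID, and it is worth seeing exactly what that decision masks. The following Python is an added example by the editor, not Pikabot's code and not from the original page: it decodes a LANGID into its primary-language and sublanguage parts and applies a kill switch keyed on the primary language, which is why regional variants such as ru-MD abort just like ru-RU. The languages the page names (Russian, Ukrainian, Belarusian) are in the set; the other CIS languages included are an assumption for illustration, and GetUserDefaultUILanguage is one of several Windows APIs that return a LANGID, chosen here as an assumption since the page does not say which call Pikabot uses.

```python
"""Decode a Windows LANGID and apply a CIS-language kill switch.

Added example by the editor: it reproduces the logic of the language gate
described above, not Pikabot's own code. The LANG_* values are the
primary-language IDs from winnt.h; the set of languages beyond Russian,
Ukrainian and Belarusian is an assumption for illustration.
"""
import sys

# Primary-language IDs from winnt.h. The first three are named on the page.
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23
# Further CIS languages, assumed for this example (not stated by the page).
LANG_KAZAK = 0x3F
LANG_UZBEK = 0x43
LANG_TAJIK = 0x28
LANG_KYRGYZ = 0x40
LANG_ARMENIAN = 0x2B
LANG_AZERI = 0x2C

KILL_SWITCH_LANGS = {
    LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN,
    LANG_KAZAK, LANG_UZBEK, LANG_TAJIK, LANG_KYRGYZ, LANG_ARMENIAN, LANG_AZERI,
}


def primary_language(langid):
    """Low 10 bits of a LANGID (the PRIMARYLANGID macro in winnt.h)."""
    return langid & 0x3FF


def sub_language(langid):
    """Top 6 bits of a LANGID (the SUBLANGID macro in winnt.h)."""
    return (langid >> 10) & 0x3F


def should_abort(langid):
    """True when the host's language is in the kill-switch set.

    Comparing on the primary language means ru-MD (0x0819) is treated the
    same as ru-RU (0x0419); a check on the full LANGID would miss it.
    """
    return primary_language(langid) in KILL_SWITCH_LANGS


def current_langid():
    """Read the UI language as a Windows sample might (GetUserDefaultUILanguage).

    Returns None off Windows so the decoding logic stays testable anywhere.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    return ctypes.windll.kernel32.GetUserDefaultUILanguage()


if __name__ == "__main__":
    # Constructed LANGIDs: en-US, ru-RU, ru-MD, uk-UA, de-DE.
    for langid in (0x0409, 0x0419, 0x0819, 0x0422, 0x0407):
        print(f"0x{langid:04X} primary=0x{primary_language(langid):02X} "
              f"sub=0x{sub_language(langid):02X} abort={should_abort(langid)}")
    live = current_langid()
    if live is not None:
        print(f"this host: 0x{live:04X} abort={should_abort(live)}")
```

For analysis this cuts both ways: a sandbox whose UI language is Russian will never see the payload run, so detonation hosts should use a non-CIS language, while an analyst stepping through the sample can simply patch the comparison to continue past the gate.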