Pikabot
Pikabot is a malware family/botnet whose command-and-control communications are obfuscated with Base64 together with symmetric encryption; during initial C2 check-in it transmits collected system information encrypted with RC4. Reported variants also decrypt information embedded via steganography using AES-CBC with the same 32-bit key used in initial XOR operations and the first 16 bytes of the encrypted data as the IV, and some variants store encrypted chunked stage-2 payload sections in the initial loader .text section before decrypting and assembling them at runtime. Distribution activity observed in February 2024 used obfuscated JavaScript files for the initial payload download, with execution passed to PowerShell scripts to download and install Pikabot. Additional delivery observed in Water Curupira campaigns used password-protected ZIP archives containing heavily obfuscated JavaScript, or IMG files containing an LNK masquerading as a Word document and a malicious DLL. TA577 was reported to have used Latrodectus in at least three campaigns in November 2023 before reverting to Pikabot. Pikabot was also identified as one of the malware families disrupted during Operation Endgame in May 2024, alongside IcedID, SystemBC, SmokeLoader, Bumblebee, and others. The provided content does not specify particular targeted industries or standalone IOCs.
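As an added analyst-side illustration (not code from this page or from any vendor report), the layering described above for the initial check-in: RC4 over the collected system information, then Base64 on the wire, plus a helper that carves the 16-byte IV prefix the AES-CBC variant is reported to use. The key and the system-information string are constructed placeholders, and the AES step itself is not implemented here.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_checkin(key: bytes, system_info: bytes) -> str:
    """Bot side of the reported scheme: RC4-encrypt, then Base64 for transport."""
    return base64.b64encode(rc4(key, system_info)).decode("ascii")


def unwrap_checkin(key: bytes, wire_blob: str) -> bytes:
    """Analyst side: strip the Base64 layer, then undo RC4 with the recovered key."""
    return rc4(key, base64.b64decode(wire_blob, validate=True))


def split_iv(blob: bytes) -> tuple[bytes, bytes]:
    """For the AES-CBC variant: first 16 bytes are the IV, the rest is the body.
    Rejects blobs too short to hold an IV or whose body is not block-aligned."""
    if len(blob) < 16 or (len(blob) - 16) % 16:
        raise ValueError("blob is not IV || AES-CBC body")
    return blob[:16], blob[16:]


# Constructed sample values; not taken from any real sample.
SAMPLE_KEY = b"\x01\x02\x03\x04"                    # placeholder 32-bit key
SAMPLE_INFO = b"host=WKSTN-01;user=alice;os=10.0.19045"


def demo() -> bytes:
    """Round-trip a constructed check-in and return the recovered plaintext."""
    return unwrap_checkin(SAMPLE_KEY, wrap_checkin(SAMPLE_KEY, SAMPLE_INFO))
```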
Groups observed using it
2 distinct threat actors attributed by public researchers.
TA577 used Latrodectus in at least three campaigns in November 2023 before reverting to Pikabot.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Water Curupira Pikabot Distribution initial delivery included obfuscated JavaScript objects stored in password-protected ZIP archives. Pikabot Distribution February 2024 utilized obfuscated JavaScript files for initial Pikabot payload download.
The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.
Execution
7 techniques
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
In mid-February, TA577 experimented with a Java Archive (JAR) dropper to deliver Pikabot to their victims... The Main-Class entry in the manifest confirms that the JAR will execute the code in kzFRaQVe.class when clicked.
Examples include 'Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands', 'Orz can execute commands with JavaScript', 'Patchwork used JavaScript code and .SCT files on victim machines', and 'Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.'
Latrodectus ... Native API; Pikabot ... Native API; QakBot ... Native API
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."
Persistence
3 techniques
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
The content repeatedly references malicious shortcut files: e.g., "APT38 has used malicious Word documents and shortcut files," "Bumblebee... opening an ISO file to enable execution of malicious shortcut files and DLLs," and "Mustang Panda distributed malicious LNK objects for user execution."
Privilege Escalation
2 techniques
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
The content repeatedly references malicious shortcut files: e.g., "APT38 has used malicious Word documents and shortcut files," "Bumblebee... opening an ISO file to enable execution of malicious shortcut files and DLLs," and "Mustang Panda distributed malicious LNK objects for user execution."
Stealth
7 techniques
"...compiled code is obfuscated... prior to delivery..." / "...Base64 obfuscated scripts and commands." / "...distributed as an obfuscated JavaScript launcher file."
Lazarus Group has distributed malicious payloads embedded in PNG files.
Creates a file at %TEMP%\317631.png ... Executes the 317631.png using regsvr32.exe, which indicates the PNG file is likely really a DLL
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Runtime.getRuntime().exec("regsvr32 /s " + System.getProperty("java.io.tmpdir") + "\\317631.png");
Some versions of Pikabot build the final PE payload in memory to avoid writing contents to disk on the executing machine.
Defense Impairment
2 techniques
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
This JAR file is signed... The keytool utility shows the signing certificate was issued to Talk Invest ApS... This certificate has already been revoked by the issuer
Discovery
4 techniques
Latrodectus ... System Network Configuration Discovery; Pikabot ... System Network Configuration Discovery; QakBot ... System Network Configuration Discovery
"InvisibleFerret has also queried the victim device using Python scripts to obtain the User and Hostname" and "Pikabot performs a variety of system checks and gathers system information, including commands such as whoami."
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Collection
1 technique
Water Curupira Pikabot Distribution initial delivery included obfuscated JavaScript objects stored in password-protected ZIP archives.
Command and Control
4 techniques
Cobian RAT obfuscates communications with the C2 server using Base64 encoding... Daserf uses custom base64 encoding to obfuscate HTTP traffic... Pikabot uses base64 encoding in conjunction with symmetric encryption mechanisms to obfuscate command and control communications.
International law enforcement agencies and their partners have once again joined forces to disrupt and dismantle botnet infrastructure and their operators. This effort targeted multiple botnets, such as IcedID, Smokeloader, SystemBC, Pikabot, and Bumblebee, as well as their operators.
Searches for a file in the JAR named 317631 and opens it using getResourceAsStream ... Copies the bytes from that file into 317631.png
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
69 sources tracked across advisories, community write-ups, and news.
Malware family referenced as impacted by law-enforcement disruption of MaaS distribution networks.
PikaBot is a malware family, but specific details about its functionality are not provided in the content.
Loader delivered via email campaigns (including Dave-crypted samples), staged from remote SMB shares (e.g., via search-ms), assessed as an initial-access enabler that can lead to ransomware deployment.
Named malware operation whose server infrastructure was previously seized/disrupted during Operation Endgame.