, , ,

PIKABOT: The Malware That Stepped Into QakBot’s Shoes

thumb2_pikabot-1

When law enforcement took down QakBot in August 2023, many in the security community wondered what would fill the void. The answer came quickly: PIKABOT, a modular malware loader that shares QakBot’s role in the cybercriminal ecosystem and has been steadily gaining ground ever since.

Background: Why QakBot’s Fall Created an Opportunity

QakBot (also known as QBot or Pinkslipbot) had been one of the most prolific malware loaders for over a decade. It was the go-to tool for initial access brokers — criminals who break into organisations and then sell that access to ransomware groups. When the FBI’s Operation Duck Hunt dismantled QakBot’s infrastructure in August 2023, it created a gap in the market. PIKABOT moved in to fill it.

What Is PIKABOT?

Diagram

PIKABOT is a modular malware family consisting of two main components:

  • A loader — responsible for initial execution, anti-analysis checks, and injecting the core module
  • A core module (backdoor) — handles communication with the command-and-control (C2) server and executes received commands

Once installed, PIKABOT gives attackers a persistent foothold that can be used to deliver additional payloads — including ransomware, credential stealers, or remote access tools like Cobalt Strike.

How PIKABOT Gets In: Initial Access

PIKABOT primarily spreads through email phishing campaigns. The delivery chain typically looks like this:

  1. Victim receives a phishing email, often a reply-chain hijack (a stolen legitimate email thread with a malicious reply added)
  2. Email contains a link to a malicious ZIP or a direct attachment
  3. ZIP contains a JavaScript file, LNK file, or Office document with a malicious macro
  4. Executing the file drops and runs the PIKABOT loader
  5. Loader injects the core module into a legitimate Windows process

Anti-Analysis Techniques

Diagram

PIKABOT puts significant effort into making analysis difficult:

  • Heavy obfuscation — the code is deliberately scrambled with junk instructions and string encryption
  • Anti-debugging checks — it detects common debugging tools and behaves differently (or exits) when it thinks it’s being analysed
  • Sandbox evasion — it checks for signs of a sandboxed environment (low process count, short uptime, virtual machine artefacts) and won’t execute its payload if it suspects analysis
  • Geolocation filtering — some campaigns only execute the payload if the victim’s IP resolves to a specific country, avoiding researchers outside the target region

C2 Communication

PIKABOT uses encrypted HTTPS for C2 communication, making it harder to detect with simple network monitoring. The C2 infrastructure uses rotating domains and IP addresses to stay ahead of blocklists. Researchers have noted similarities between PIKABOT’s TLS certificate patterns and those previously used by QakBot — suggesting possible infrastructure overlap or operators who worked with both families.

Connection to Ransomware Operations

PIKABOT has been observed delivering post-exploitation frameworks like Cobalt Strike and Brute Ratel, which are the tools ransomware operators use once they have access to a network. Several incidents in late 2023 and 2024 showed PIKABOT as the initial loader in attacks that eventually led to ransomware deployment.

Detection Tips

For defenders and threat hunters, here are indicators and behaviours to watch for:

  • Suspicious process injection — a non-browser process making outbound HTTPS connections on unusual ports
  • JavaScript or LNK files in ZIP attachments received via email
  • Processes like wscript.exe or mshta.exe spawning network activity
  • Registry run keys or scheduled tasks created by non-standard processes
  • IOCs published by threat intelligence teams — PIKABOT’s infrastructure is regularly tracked by Sekoia, Elastic, and others

What Happened in 2024?

In May 2024, international law enforcement agencies conducted Operation Endgame, targeting several major botnet infrastructures simultaneously. PIKABOT was among the targets, along with IcedID, SystemBC, SmokeLoader, and BumbleBee. While the operation disrupted PIKABOT’s infrastructure, the malware family — like most — has shown resilience, and operators have adapted and continued campaigns.

Final Thoughts

PIKABOT represents exactly the kind of threat that keeps defenders busy: technically sophisticated, actively developed, and tied to serious downstream consequences like ransomware. The pattern of QakBot being replaced by PIKABOT is a reminder that taking down one piece of the cybercriminal ecosystem rarely eliminates the underlying demand — it just shifts it elsewhere. Staying on top of emerging loaders like PIKABOT is essential for anyone defending networks in 2024 and beyond.

Leave a Reply

Your email address will not be published. Required fields are marked *

About Author

Subhash Thapa

Security Analyst (SOC, AI, MDR & IR) | CEH | CCSP | CCIO | CSFPC

Weekly threat intel, straight to your inbox

Free. No noise. Unsubscribe anytime.

Categories