When law enforcement took down QakBot in August 2023, many in the security community wondered what would fill the void. The answer came quickly: PIKABOT, a modular malware loader that shares QakBot’s role in the cybercriminal ecosystem and has been steadily gaining ground ever since.
Background: Why QakBot’s Fall Created an Opportunity
QakBot (also known as QBot or Pinkslipbot) had been one of the most prolific malware loaders for over a decade. It was the go-to tool for initial access brokers — criminals who break into organisations and then sell that access to ransomware groups. When the FBI’s Operation Duck Hunt dismantled QakBot’s infrastructure in August 2023, it created a gap in the market. PIKABOT moved in to fill it.
What Is PIKABOT?

PIKABOT is a modular malware family consisting of two main components:
- A loader — responsible for initial execution, anti-analysis checks, and injecting the core module
- A core module (backdoor) — handles communication with the command-and-control (C2) server and executes received commands
Once installed, PIKABOT gives attackers a persistent foothold that can be used to deliver additional payloads — including ransomware, credential stealers, or remote access tools like Cobalt Strike.
How PIKABOT Gets In: Initial Access
PIKABOT primarily spreads through email phishing campaigns. The delivery chain typically looks like this:
- Victim receives a phishing email, often a reply-chain hijack (a stolen legitimate email thread with a malicious reply added)
- Email contains a link to a malicious ZIP or a direct attachment
- ZIP contains a JavaScript file, LNK file, or Office document with a malicious macro
- Executing the file drops and runs the PIKABOT loader
- Loader injects the core module into a legitimate Windows process
Anti-Analysis Techniques

PIKABOT puts significant effort into making analysis difficult:
- Heavy obfuscation — the code is deliberately scrambled with junk instructions and string encryption
- Anti-debugging checks — it detects common debugging tools and behaves differently (or exits) when it thinks it’s being analysed
- Sandbox evasion — it checks for signs of a sandboxed environment (low process count, short uptime, virtual machine artefacts) and won’t execute its payload if it suspects analysis
- Geolocation filtering — some campaigns only execute the payload if the victim’s IP resolves to a specific country, avoiding researchers outside the target region
C2 Communication
PIKABOT uses encrypted HTTPS for C2 communication, making it harder to detect with simple network monitoring. The C2 infrastructure uses rotating domains and IP addresses to stay ahead of blocklists. Researchers have noted similarities between PIKABOT’s TLS certificate patterns and those previously used by QakBot — suggesting possible infrastructure overlap or operators who worked with both families.
Connection to Ransomware Operations
PIKABOT has been observed delivering post-exploitation frameworks like Cobalt Strike and Brute Ratel, which are the tools ransomware operators use once they have access to a network. Several incidents in late 2023 and 2024 showed PIKABOT as the initial loader in attacks that eventually led to ransomware deployment.
Detection Tips
For defenders and threat hunters, here are indicators and behaviours to watch for:
- Suspicious process injection — a non-browser process making outbound HTTPS connections on unusual ports
- JavaScript or LNK files in ZIP attachments received via email
- Processes like
wscript.exeormshta.exespawning network activity - Registry run keys or scheduled tasks created by non-standard processes
- IOCs published by threat intelligence teams — PIKABOT’s infrastructure is regularly tracked by Sekoia, Elastic, and others
What Happened in 2024?
In May 2024, international law enforcement agencies conducted Operation Endgame, targeting several major botnet infrastructures simultaneously. PIKABOT was among the targets, along with IcedID, SystemBC, SmokeLoader, and BumbleBee. While the operation disrupted PIKABOT’s infrastructure, the malware family — like most — has shown resilience, and operators have adapted and continued campaigns.
Final Thoughts
PIKABOT represents exactly the kind of threat that keeps defenders busy: technically sophisticated, actively developed, and tied to serious downstream consequences like ransomware. The pattern of QakBot being replaced by PIKABOT is a reminder that taking down one piece of the cybercriminal ecosystem rarely eliminates the underlying demand — it just shifts it elsewhere. Staying on top of emerging loaders like PIKABOT is essential for anyone defending networks in 2024 and beyond.









Leave a Reply