After a brief hiatus, Pikabot, a notorious loader malware, has resurfaced with notable enhancements to its capabilities and strategies, accompanied by a fresh delivery campaign. Originally identified in early 2023, Pikabot functions primarily as a vehicle for transporting other malware payloads, including but not limited to Cobalt Strike and various ransomware strains. Following the disruption of the Quakbot botnet, Pikabot emerged as a prominent alternative and saw heightened activity in the latter half of 2023.
Initially disseminated through malspam and malvertising campaigns disguised as legitimate software offerings such as AnyDesk, Slack, and Zoom, Pikabot's activity abruptly ceased in December 2023, likely in response to the resurgence of a new iteration of Qakbot. However, it has recently made a comeback, boasting substantial modifications to its code base and components.
Elastic Security Labs researchers observed a fresh Pikabot campaign commencing on February 8, 2024, characterized by its utilization of phishing emails as the primary means of initial access. These emails contained hyperlinks leading recipients to ZIP archive files housing obfuscated JavaScript code. Upon execution, the JavaScript invokes PowerShell to facilitate the downloading and execution of the Pikabot loader.
This resurgence underscores the adaptability and persistence of malicious actors in the cyber landscape. Despite temporary setbacks, threat actors continuously refine and repackage their tactics to evade detection and maintain efficacy. As such, cybersecurity professionals and organizations must remain vigilant and proactive in fortifying their defences against evolving threats like Pikabot and its ilk.
