S1145: Pikabot
Pikabot is a backdoor used for initial access and follow-on tool deployment, active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow-on tools such as Cobalt Strike or ransomware variants.[1][2][3]
Analyst context for executives and security teams
Pikabot matters because ATT&CK describes it as a Windows backdoor used for initial access and follow-on tool deployment, with extensive encoding, encryption, and defense-evasion behavior. For leaders, the practical risk is not only the first infected endpoint; it is whether the organization can quickly prove containment before additional tools such as Cobalt Strike or ransomware variants are deployed.
Executive priority
Treat Pikabot as a readiness test for malware-driven intrusion response: email-borne initial access context is present in the related Water Curupira campaign, and the malware’s ATT&CK-linked behaviors emphasize stealth, discovery, persistence, command-and-control, and exfiltration over C2. Executives should ask whether SOC, endpoint, identity, and network teams can correlate suspicious Windows execution, registry persistence, process injection, host/domain discovery, and encrypted or non-standard C2 quickly enough to support containment decisions and audit-quality incident evidence.
Technical view
ATT&CK provides no official detection guidance for S1145, so defenders should validate coverage from the related techniques rather than rely on a single malware signature. For Windows environments, prioritize detection and investigation logic around command shell execution, native API use, PE injection, thread execution hijacking, reflective code loading, registry run key or startup folder persistence, local account and domain trust discovery, system and network configuration discovery, anti-analysis checks, fileless or embedded payload storage, standard encoding, symmetric cryptography, non-standard C2 ports, and exfiltration over the C2 channel. Relationship context also links Pikabot to TA577 distribution and the Water Curupira Pikabot Distribution campaign, so campaign-aware triage should preserve email, endpoint, and network evidence when available.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and suspicious child-process chains
- Endpoint memory and behavioral telemetry capable of surfacing process injection, thread hijacking, reflective loading, and native API abuse
- Windows Registry and startup folder change events for Run Key or startup persistence
- Host discovery evidence, including system information, network configuration, local account, and domain trust enumeration activity
- Network connection metadata, DNS/proxy/firewall logs, and TLS/session metadata for C2 over unusual protocol-port pairings
Detection direction
- Build detections as behavior clusters: suspicious delivery or execution followed by discovery, persistence, injection/loading, and outbound C2 is higher value than any single event.
- Tune Windows discovery detections to reduce administrative false positives by baselining legitimate helpdesk, software inventory, and domain administration activity.
- Validate EDR visibility for memory-resident behaviors; disk-only malware scanning is a likely blind spot given embedded payloads, fileless storage, reflective loading, and injection-related techniques.
- Review network analytics for non-standard port use, encoded C2, and encrypted C2 patterns, while recognizing that encryption and standard encoding can limit content-based inspection.
- Ensure sandbox and malware-analysis workflows account for environmental keying, system checks, and debugger evasion; a sample that appears inert may still be relevant.
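The "behavior cluster" idea above is easier to reason about with a concrete correlator. The following is an added example, not code from MITRE, Glexia, or any of the cited reports: it classifies constructed endpoint events (process creation, Run-key writes, cross-process access, TLS connections) into the stage families the page lists for S1145, then alerts on hosts where several distinct stages occur inside one time window. The event schema, the discovery-utility list, the allowed HTTPS egress ports, and the sample events are all assumptions; the non-standard port 2967 in the sample comes from the page's T1571 row.

```python
"""Correlate Windows endpoint events into ATT&CK-style behavior clusters.

Added example (not from the ATT&CK page or Glexia's tooling). The event
format, field names and sample events below are constructed; real EDR,
Sysmon or firewall telemetry needs its own adapter into this shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage labels map loosely to the technique families listed for S1145.
STAGE_EXECUTION = "execution"      # T1059.003 Windows command shell
STAGE_DISCOVERY = "discovery"      # T1016 / T1082 / T1087.001 / T1482
STAGE_PERSISTENCE = "persistence"  # T1547.001 Run key
STAGE_INJECTION = "injection"      # T1055.* approximated via cross-process write access
STAGE_C2 = "c2"                    # T1571 non-standard port for TLS

# Assumption: utilities commonly involved in host / domain enumeration.
DISCOVERY_BINARIES = {"ipconfig.exe", "whoami.exe", "nltest.exe", "systeminfo.exe", "net.exe"}
RUN_KEY_MARKER = "\\currentversion\\run\\"
EXPECTED_TLS_PORTS = {443, 8443}   # assumption: the organization's approved HTTPS egress ports


def classify(event):
    """Return the stage an event contributes to, or None if it is uninteresting."""
    kind = event["type"]
    if kind == "process":
        image = event["image"].lower().rsplit("\\", 1)[-1]
        parent = event.get("parent", "").lower().rsplit("\\", 1)[-1]
        if image in DISCOVERY_BINARIES:
            return STAGE_DISCOVERY
        if image == "cmd.exe" and parent not in {"explorer.exe", "cmd.exe"}:
            return STAGE_EXECUTION
    elif kind == "registry_set" and RUN_KEY_MARKER in event["key"].lower():
        return STAGE_PERSISTENCE
    elif kind == "process_access" and event.get("granted_access_write"):
        return STAGE_INJECTION
    elif kind == "network" and event.get("tls") and event["dst_port"] not in EXPECTED_TLS_PORTS:
        return STAGE_C2
    return None


def cluster_hosts(events, window=timedelta(minutes=30), min_stages=3):
    """Group classified events per host inside a sliding time window.

    Returns {host: sorted list of stages} for every host whose events cover
    at least `min_stages` distinct stages within `window`.
    """
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample telemetry: one suspicious workstation and one admin host.
T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"host": "WS-17", "ts": T0, "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Program Files\\Office\\winword.exe"},
    {"host": "WS-17", "ts": T0 + timedelta(seconds=5), "type": "process",
     "image": "C:\\Windows\\System32\\whoami.exe", "parent": "cmd.exe"},
    {"host": "WS-17", "ts": T0 + timedelta(seconds=20), "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"host": "WS-17", "ts": T0 + timedelta(minutes=2), "type": "network", "tls": True, "dst_port": 2967},
    # Admin host: discovery plus an ordinary HTTPS connection; should not alert.
    {"host": "ADM-01", "ts": T0, "type": "process",
     "image": "C:\\Windows\\System32\\nltest.exe", "parent": "powershell.exe"},
    {"host": "ADM-01", "ts": T0 + timedelta(minutes=1), "type": "network", "tls": True, "dst_port": 443},
]


def run_sample():
    """Run the correlator over the constructed sample and return its alerts."""
    return cluster_hosts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, stages in run_sample().items():
        print(f"{host}: {', '.join(stages)}")
```

The admin host is the point of the second bullet above: a single discovery command from an administrator never reaches the stage threshold, so baselining legitimate helpdesk or inventory activity mostly comes down to tuning `DISCOVERY_BINARIES` and `min_stages` rather than suppressing whole hosts.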
Mitigation priorities
- Prioritize rapid containment playbooks for suspected Windows backdoor activity, including endpoint isolation, credential-risk review, and preservation of volatile evidence.
- Harden and monitor common persistence locations such as Registry Run Keys and startup folders, with change control for legitimate software.
- Reduce follow-on deployment risk by enforcing least privilege, restricting unnecessary command shell use where practical, and monitoring administrative tools used for discovery.
- Strengthen email attachment controls and investigation workflows because the supplied campaign context includes distribution via email attachments.
- Improve endpoint behavior prevention and detection for process injection, reflective loading, and suspicious native API activity rather than relying only on static signatures.
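For the persistence bullet above, a change-controlled baseline is what turns Run-key monitoring from noise into findings. The following is an added example, not code from MITRE, Glexia, or the cited reports: it compares a snapshot of the HKLM and HKCU Run keys against an approved baseline, reports added, changed, or missing entries, and flags autostarts that launch from user-writable locations. The baseline and snapshot contents, the value names, and the command lines are constructed; the optional `read_live_snapshot` reader uses the standard-library `winreg` module and only works on Windows.

```python
"""Compare Windows Run-key autostart entries against a change-controlled baseline.

Added example, not from the ATT&CK page or Glexia. Baseline, snapshot and
value names below are constructed for illustration.
"""
import re

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Locations an unprivileged user can write to; an autostart from here deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)


def parse_command_image(command):
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def audit_run_keys(snapshot, baseline):
    """Return findings for entries that differ from the approved baseline.

    snapshot / baseline: {key_path: {value_name: command}}
    Each finding: {"key", "name", "command", "reason", "user_writable"}
    """
    findings = []
    for key in RUN_KEYS:
        current = snapshot.get(key, {})
        approved = baseline.get(key, {})
        for name, command in current.items():
            if name not in approved:
                reason = "not in baseline"
            elif approved[name].lower() != command.lower():
                reason = "command changed"
            else:
                continue
            image = parse_command_image(command)
            findings.append({"key": key, "name": name, "command": command, "reason": reason,
                             "user_writable": bool(USER_WRITABLE.search(image))})
        for name in approved:
            if name not in current:
                findings.append({"key": key, "name": name, "command": approved[name],
                                 "reason": "approved entry missing", "user_writable": False})
    return findings


def read_live_snapshot():
    """Windows only: read the current Run keys via winreg into the snapshot shape."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for key in RUN_KEYS:
        hive, _, subkey = key.partition("\\")
        entries = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:          # no more values
                        break
                    entries[name] = str(data)
                    index += 1
        except OSError:                      # key absent or inaccessible
            pass
        snapshot[key] = entries
    return snapshot


# Constructed baseline: an approved OneDrive autostart that legitimately lives in AppData.
BASELINE = {
    RUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_KEYS[1]: {"OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
}
# Constructed snapshot: same entries plus one unapproved autostart from a user-writable path.
SNAPSHOT = {
    RUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_KEYS[1]: {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Updater": r"C:\Users\alice\AppData\Roaming\svc\upd.exe",
    },
}

if __name__ == "__main__":
    for finding in audit_run_keys(SNAPSHOT, BASELINE):
        print(finding)
```

The approved OneDrive entry also sits under AppData, which is why the path heuristic is attached to findings rather than used as the sole trigger: without the baseline it would fire on every user with OneDrive installed.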
Analyst notes and limits
This take is based on ATT&CK S1145 version 1.0 and supplied relationships. The most decision-relevant point is that Pikabot is represented as a backdoor for initial access and follow-on tool deployment with multiple evasion, discovery, persistence, C2, and exfiltration-related techniques. The related Water Curupira campaign and TA577 group provide useful triage context, but they should not be treated as proof of attribution in a local incident without supporting evidence.
MITRE does not provide an official detection section for Pikabot in the supplied object, and the malware object’s own tactics are not specified. Recommendations therefore derive from the official description, Windows platform field, external references, and ATT&CK technique relationships. Local logging architecture, endpoint agent capability, network visibility, and email telemetry are required to determine actual detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | Pikabot gathers victim network information through commands such as |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Pikabot can execute Windows shell commands via |
| Enterprise | T1482 | Domain Trust Discovery | Pikabot will gather information concerning the Windows Domain the victim machine is a member of during execution.[2] |
| Enterprise | T1055.003 | Thread Execution Hijacking Sub-technique | Pikabot can create a suspended instance of a legitimate process (e.g., ctfmon.exe), allocate memory within the suspended process corresponding to Pikabot's core module, then redirect execution flow via the `SetContextThread` API so that when the thread resumes the Pikabot core module is executed.[2] |
| Enterprise | T1622 | Debugger Evasion | Pikabot features several methods to evade debugging by analysts, including checks for active debuggers, the use of breakpoints during execution, and checking various system information items such as system memory and the number of processors.[1][2][3] |
| Enterprise | T1571 | Non-Standard Port | Pikabot uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication.[2] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Earlier Pikabot variants use a custom encryption procedure leveraging multiple mechanisms including AES with multiple rounds of Base64 encoding for its command and control communication.[1] Later Pikabot variants eliminate the use of AES and instead use RC4 encryption for transmitted information.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1087.001 | Local Account Sub-technique | Pikabot will retrieve the name of the user associated with the thread under which the malware is executing.[2] |
| Enterprise | T1106 | Native API | Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as `CheckRemoteDebuggerPresent`, `NtQueryInformationProcess`, `ProcessDebugPort`, and `ProcessDebugFlags`.[1] Other Pikabot variants populate a global list of Windows API addresses from the `NTDLL` and `KERNEL32` libraries, and reference these items instead of calling the API items directly to obfuscate execution.[2] |
| Enterprise | T1082 | System Information Discovery | Pikabot performs a variety of system checks and gathers system information, including commands such as |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | Some versions of Pikabot build the final PE payload in memory to avoid writing contents to disk on the executing machine.[2] |
| Enterprise | T1027.003 | Steganography Sub-technique | |
| Enterprise | T1620 | Reflective Code Loading | Pikabot reflectively loads stored, previously encrypted components of the PE file into memory of the currently executing process to avoid writing content to disk on the executing machine.[2] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Pikabot uses base64 encoding in conjunction with symmetric encryption mechanisms to obfuscate command and control communications.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Pikabot decrypts command and control URIs using ADVobfuscator, and decrypts IP addresses and port numbers with a custom algorithm.[1] Other versions of Pikabot decode chunks of stored stage 2 payload content in the initial payload |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | Pikabot further decrypts information embedded via steganography using AES-CBC with the same 32 bit key as initial XOR operations combined with the first 16 bytes of the encrypted data as an initialization vector.[1] Other Pikabot variants include encrypted, chunked sections of the stage 2 payload in the initial loader |
| Enterprise | T1055.002 | Portable Executable Injection Sub-technique | Pikabot, following payload decryption, creates a process hard-coded into the dropped (e.g., WerFault.exe) and injects the decrypted core modules into it.[1] |
| Enterprise | T1480.001 | Environmental Keying Sub-technique | Pikabot stops execution if the infected system language matches one of several languages, with various versions referencing: Georgian, Kazakh, Uzbek, Tajik, Russian, Ukrainian, Belarusian, and Slovenian.[1][2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Pikabot maintains persistence following system checks through the Run key in the registry.[1] |
| Enterprise | T1497.001 | System Checks Sub-technique | Pikabot performs a variety of system checks to determine if it is running in an analysis environment or sandbox, such as checking the number of processors (must be greater than two) and the amount of RAM (must be greater than 2GB).[2] |
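The T1497.001 and T1480.001 rows give concrete thresholds a detonation environment has to clear before a sample will proceed, which is the practical side of the "a sample that appears inert may still be relevant" point in the detection guidance. The following is an added example, not code from MITRE, Glexia, or the cited reports: it evaluates a VM profile (processor count, RAM, UI language) against those documented checks and reports which ones would stop execution, so an analyst can verify the sandbox is not configured below them. The processor and RAM thresholds and the language list come from the page; treating "2GB" as 2 GiB, the BCP-47 language-tag mapping, and the best-effort local profile collection are assumptions.

```python
"""Check whether an analysis VM would pass the sandbox checks documented for Pikabot.

Added example, not from the ATT&CK page or Glexia. Thresholds and the language
list come from the T1497.001 and T1480.001 rows; the tag mapping and the local
profile readers are assumptions.
"""
import locale
import os
import platform

MIN_PROCESSORS = 3            # page: processor count "must be greater than two"
MIN_RAM_BYTES = 2 * 1024 ** 3  # page: RAM "must be greater than 2GB" (assumed to mean 2 GiB)

# Languages the page lists as execution stoppers, keyed by primary language tag (assumed mapping).
STOP_LANGUAGES = {"ka": "Georgian", "kk": "Kazakh", "uz": "Uzbek", "tg": "Tajik",
                  "ru": "Russian", "uk": "Ukrainian", "be": "Belarusian", "sl": "Slovenian"}


def evaluate_profile(cpu_count, ram_bytes, ui_language):
    """Return the reasons the sample would likely refuse to run; an empty list means it proceeds."""
    reasons = []
    if cpu_count is None or cpu_count < MIN_PROCESSORS:
        reasons.append(f"processor count {cpu_count} is not greater than two")
    if ram_bytes is None or ram_bytes <= MIN_RAM_BYTES:
        reasons.append(f"RAM {ram_bytes} bytes is not greater than 2GB")
    primary = (ui_language or "").replace("_", "-").split("-")[0].lower()
    if primary in STOP_LANGUAGES:
        reasons.append(f"UI language {STOP_LANGUAGES[primary]} is on the stop list")
    return reasons


def local_ram_bytes():
    """Best-effort total physical memory: GlobalMemoryStatusEx on Windows, /proc/meminfo on Linux."""
    if platform.system() == "Windows":
        import ctypes

        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
                        ("ullTotalPhys", ctypes.c_ulonglong), ("ullAvailPhys", ctypes.c_ulonglong),
                        ("ullTotalPageFile", ctypes.c_ulonglong), ("ullAvailPageFile", ctypes.c_ulonglong),
                        ("ullTotalVirtual", ctypes.c_ulonglong), ("ullAvailVirtual", ctypes.c_ulonglong),
                        ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

        stat = MEMORYSTATUSEX()
        stat.dwLength = ctypes.sizeof(MEMORYSTATUSEX)
        if ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(stat)):
            return stat.ullTotalPhys
        return None
    try:
        with open("/proc/meminfo") as fh:
            for line in fh:
                if line.startswith("MemTotal:"):
                    return int(line.split()[1]) * 1024   # value is in kB
    except OSError:
        pass
    return None


def local_ui_language():
    """Approximate the UI language from the process locale (e.g. 'en_US' -> 'en_US')."""
    return locale.getlocale()[0] or ""


def evaluate_local_profile():
    """Evaluate the machine this script runs on, which should be the detonation VM."""
    return evaluate_profile(os.cpu_count(), local_ram_bytes(), local_ui_language())


if __name__ == "__main__":
    problems = evaluate_local_profile()
    print("sandbox profile OK" if not problems else "\n".join(problems))
```

Running this inside the analysis VM, rather than on the host, is what makes the result meaningful; a VM that passes these checks can still be fingerprinted by the debugger and breakpoint checks in the T1622 row, which this profile check does not cover.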
Groups, software, and campaigns
G1037: TA577
TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.[1]
C0036: Pikabot Distribution February 2024
Pikabot was distributed in Pikabot Distribution February 2024 using malicious emails with embedded links leading to malicious ZIP archives requiring user interaction for follow-on infection. The version of Pikabot distributed featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.[1][2]
C0037: Water Curupira Pikabot Distribution
Pikabot was distributed in Water Curupira Pikabot Distribution throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of QakBot, with several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, while coinciding with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 387229b95e8b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Zscaler Pikabot 2023: Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
[2] Elastic Pikabot 2024: Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
[3] Logpoint Pikabot 2024: Swachchhanda Shrawan Poudel. (2024, February). Pikabot: A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques. Retrieved July 12, 2024.
[4] mitre-attack S1145
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.