S1145: Pikabot

Pikabot matters because ATT&CK describes it as a Windows backdoor used for initial access and follow-on tool deployment, with extensive encoding, encryption, and defense-evasion behavior. For leaders, the practical risk is not only the first infected endpoint; it is whether the organization can quickly prove containment before additional tools such as Cobalt Strike or ransomware variants are deployed.

Executive priority

Treat Pikabot as a readiness test for malware-driven intrusion response: email-borne initial access context is present in the related Water Curupira campaign, and the malware’s ATT&CK-linked behaviors emphasize stealth, discovery, persistence, command-and-control, and exfiltration over C2. Executives should ask whether SOC, endpoint, identity, and network teams can correlate suspicious Windows execution, registry persistence, process injection, host/domain discovery, and encrypted or non-standard C2 quickly enough to support containment decisions and audit-quality incident evidence.

Technical view

ATT&CK provides no official detection guidance for S1145, so defenders should validate coverage from the related techniques rather than rely on a single malware signature. For Windows environments, prioritize detection and investigation logic around command shell execution, native API use, PE injection, thread execution hijacking, reflective code loading, registry run key or startup folder persistence, local account and domain trust discovery, system and network configuration discovery, anti-analysis checks, fileless or embedded payload storage, standard encoding, symmetric cryptography, non-standard C2 ports, and exfiltration over the C2 channel. Relationship context also links Pikabot to TA577 distribution and the Water Curupira Pikabot Distribution campaign, so campaign-aware triage should preserve email, endpoint, and network evidence when available.

Likely telemetry

Windows endpoint process creation and command-line telemetry, especially cmd.exe and suspicious child-process chains
Endpoint memory and behavioral telemetry capable of surfacing process injection, thread hijacking, reflective loading, and native API abuse
Windows Registry and startup folder change events for Run Key or startup persistence
Host discovery evidence, including system information, network configuration, local account, and domain trust enumeration activity
Network connection metadata, DNS/proxy/firewall logs, and TLS/session metadata for C2 over unusual protocol-port pairings

Detection direction

Build detections as behavior clusters: suspicious delivery or execution followed by discovery, persistence, injection/loading, and outbound C2 is higher value than any single event.
Tune Windows discovery detections to reduce administrative false positives by baselining legitimate helpdesk, software inventory, and domain administration activity.
Validate EDR visibility for memory-resident behaviors; disk-only malware scanning is a likely blind spot given embedded payloads, fileless storage, reflective loading, and injection-related techniques.
Review network analytics for non-standard port use, encoded C2, and encrypted C2 patterns, while recognizing that encryption and standard encoding can limit content-based inspection.
Ensure sandbox and malware-analysis workflows account for environmental keying, system checks, and debugger evasion; a sample that appears inert may still be relevant.

Mitigation priorities

Prioritize rapid containment playbooks for suspected Windows backdoor activity, including endpoint isolation, credential-risk review, and preservation of volatile evidence.
Harden and monitor common persistence locations such as Registry Run Keys and startup folders, with change control for legitimate software.
Reduce follow-on deployment risk by enforcing least privilege, restricting unnecessary command shell use where practical, and monitoring administrative tools used for discovery.
Strengthen email attachment controls and investigation workflows because the supplied campaign context includes distribution via email attachments.
Improve endpoint behavior prevention and detection for process injection, reflective loading, and suspicious native API activity rather than relying only on static signatures.

Analyst notes and limits

This take is based on ATT&CK S1145 version 1.0 and supplied relationships. The most decision-relevant point is that Pikabot is represented as a backdoor for initial access and follow-on tool deployment with multiple evasion, discovery, persistence, C2, and exfiltration-related techniques. The related Water Curupira campaign and TA577 group provide useful triage context, but they should not be treated as proof of attribution in a local incident without supporting evidence.

MITRE does not provide an official detection section for Pikabot in the supplied object, and the malware object’s own tactics are not specified. Recommendations therefore derive from the official description, Windows platform field, external references, and ATT&CK technique relationships. Local logging architecture, endpoint agent capability, network visibility, and email telemetry are required to determine actual detection coverage.

Official MITRE ATT&CK definition

Pikabot

Pikabot is a backdoor used for initial access and follow-on tool deployment active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow on tools such as Cobalt Strike or ransomware variants.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 21 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1016	System Network Configuration Discovery	Pikabot gathers victim network information through commands such as `ipconfig` and `ipconfig /all`.[1]
Enterprise	T1059.003	Windows Command Shell Sub-technique	Pikabot can execute Windows shell commands via `cmd.exe`.[1]
Enterprise	T1482	Domain Trust Discovery	Pikabot will gather information concerning the Windows Domain the victim machine is a member of during execution.[2]
Enterprise	T1055.003	Thread Execution Hijacking Sub-technique	Pikabot can create a suspended instance of a legitimate process (e.g., ctfmon.exe), allocate memory within the suspended process corresponding to Pikabot's core module, then redirect execution flow via `SetContextThread` API so that when the thread resumes the Pikabot core module is executed.[2]
Enterprise	T1622	Debugger Evasion	Pikabot features several methods to evade debugging by analysts, including checks for active debuggers, the use of breakpoints during execution, and checking various system information items such as system memory and the number of processors.[1][2][3]
Enterprise	T1571	Non-Standard Port	Pikabot uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication.[2]
Enterprise	T1573.001	Symmetric Cryptography Sub-technique	Earlier Pikabot variants use a custom encryption procedure leveraging multiple mechanisms including AES with multiple rounds of Base64 encoding for its command and control communication.[1] Later Pikabot variants eliminate the use of AES and instead use RC4 encryption for transmitted information.[2]
Enterprise	T1041	Exfiltration Over C2 Channel	During the initial Pikabot command and control check-in, Pikabot will transmit collected system information encrypted using RC4.[2]
Enterprise	T1087.001	Local Account Sub-technique	Pikabot will retrieve the name of the user associated with the thread under which the malware is executing.[2]
Enterprise	T1106	Native API	Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as `CheckRemoteDebuggerPresent`, `NtQueryInformationProcess`, `ProcessDebugPort`, and `ProcessDebugFlags`.[1] Other Pikabot variants populate a global list of Windows API addresses from the `NTDLL` and `KERNEL32` libraries, and references these items instead of calling the API items to obfuscate execution.[2]
Enterprise	T1082	System Information Discovery	Pikabot performs a variety of system checks and gathers system information, including commands such as `whoami`.[1][2]
Enterprise	T1027.011	Fileless Storage Sub-technique	Some versions of Pikabot build the final PE payload in memory to avoid writing contents to disk on the executing machine.[2]
Enterprise	T1027.003	Steganography Sub-technique	Pikabot loads a set of PNG images stored in the malware's resources section (RCDATA), each with an encrypted section containing portions of the core Pikabot core module. These sections are loaded and decrypted using a bitwise XOR operation with a hardcoded 32 bit key.[1]
Enterprise	T1620	Reflective Code Loading	Pikabot reflectively loads stored, previously encrypted components of the PE file into memory of the currently executing process to avoid writing content to disk on the executing machine.[2]
Enterprise	T1132.001	Standard Encoding Sub-technique	Pikabot uses base64 encoding in conjunction with symmetric encryption mechanisms to obfuscate command and control communications.[1][2]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Pikabot decrypts command and control URIs using ADVobfuscator, and decrypts IP addresses and port numbers with a custom algorithm.[1] Other versions of Pikabot decode chunks of stored stage 2 payload content in the initial payload `.text` section before consolidating them for further execution.[2] Overall LunarMail is associated with multiple encoding and encryption mechanisms to obfuscate the malware's presence and avoid analysis or detection.[3]
Enterprise	T1027.009	Embedded Payloads Sub-technique	Pikabot further decrypts information embedded via steganography using AES-CBC with the same 32 bit key as initial XOR operations combined with the first 16 bytes of the encrypted data as an initialization vector.[1] Other Pikabot variants include encrypted, chunked sections of the stage 2 payload in the initial loader `.text` section before decrypting and assembling these during execution.[2]
Enterprise	T1055.002	Portable Executable Injection Sub-technique	Pikabot, following payload decryption, creates a process hard-coded into the dropped (e.g., WerFault.exe) and injects the decrypted core modules into it.[1]
Enterprise	T1480.001	Environmental Keying Sub-technique	Pikabot stops execution if the infected system language matches one of several languages, with various versions referencing: Georgian, Kazakh, Uzbek, Tajik, Russian, Ukrainian, Belarussian, and Slovenian.[1][2]
Enterprise	T1547.001	Registry Run Keys / Startup Folder Sub-technique	Pikabot maintains persistence following system checks through the Run key in the registry.[1]
Enterprise	T1497.001	System Checks Sub-technique	Pikabot performs a variety of system checks to determine if it is running in an analysis environment or sandbox, such as checking the number of processors (must be greater than two), and the amount of RAM (must be greater than 2GB).[2]

Associated objects

Groups, software, and campaigns

G1037: TA577

TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.[1]

C0036: Pikabot Distribution February 2024

Pikabot was distributed in Pikabot Distribution February 2024 using malicious emails with embedded links leading to malicious ZIP archives requiring user interaction for follow-on infection. The version of Pikabot distributed featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.[1][2]

C0037: Water Curupira Pikabot Distribution

Pikabot was distributed in Water Curupira Pikabot Distribution throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of QakBot, with several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, while coinciding with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Jul 12, 2024, 19:07 UTC (UTC+00:00)
Modified: Oct 28, 2024, 19:01 UTC (UTC+00:00)
Raw hash: 387229b95e8b555c...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.0	Oct 28, 2024, 19:01 UTC (UTC+00:00)	Current bundle	`387229b95e8b…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Zscaler Pikabot 2023

Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
Open source URL
[2]
Elastic Pikabot 2024

Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
Open source URL
[3]
Logpoint Pikabot 2024

Swachchhanda Shrawan Poudel. (2024, February). Pikabot:   A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques. Retrieved July 12, 2024.
Open source URL
[4]
mitre-attack S1145
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams