URL: https://www.zscaler.com/blogs/security-research/d-evolution-PIKABOT
THE (D)EVOLUTION OF PIKABOT

Nikolaos Pantazopoulos
February 12, 2024 - 12 min read



Threatlabz Research


Contents

 1. Introduction
 2. Key Takeaways
 3. Technical Analysis
 4. Conclusion
 5. Indicators Of Compromise (IOCs)
 6. Zscaler Coverage
 7. More blogs

INTRODUCTION

Pikabot is a malware loader that originally emerged in early 2023. Over the past
year, ThreatLabz has been tracking the development of Pikabot and its modus
operandi. There was a significant increase in usage of Pikabot in the second
half of 2023, following the FBI-led takedown of Qakbot. This was likely the
result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for
initial access. However, Pikabot ceased activity shortly after Christmas 2023,
with its version number being 1.1.19 at that time.

In recent campaigns, which started in February 2024, Pikabot reemerged with
significant changes in its code base and structure. Although it appears to be in
a new development cycle and testing phase, the developers have reduced the
complexity of the code by removing advanced obfuscation techniques and changing
the network communications.




KEY TAKEAWAYS

 * Pikabot is a malware loader that was first observed in early 2023 and became
   very active following the takedown of Qakbot in August 2023.
 * In December 2023, Pikabot activity ceased, possibly as a result of a new
   version of Qakbot that emerged. In February 2024, a new version of Pikabot
   was released with significant changes.
 * Previous versions of Pikabot used advanced string encryption techniques,
   which have been replaced with simpler algorithms.
 * Pikabot now stores all configuration elements in a single memory block,
   similar to Qakbot. In prior versions, Pikabot decrypted necessary
   configuration elements only when required.
 * Pikabot continues to use HTTP for command-and-control, but its network
   protocol has changed, including the network command IDs and the encryption
   algorithms.




TECHNICAL ANALYSIS

As covered in our previous technical analysis of Pikabot, the malware consists
of two components: a loader and a core module. The core module is responsible
for executing commands and injecting payloads from a command-and-control server.
The malware uses a code injector to decrypt and inject the core module. It
employs various anti-analysis techniques and string obfuscation. Pikabot uses
similar distribution methods, campaigns, and behaviors as Qakbot. The malware
acts as a backdoor, allowing the attacker to control the infected system and
distribute other malicious payloads such as Cobalt Strike.

In the following sections, we will describe the latest Pikabot variant,
including its capabilities and notable changes compared to previous versions.
The analysis was performed on Pikabot binaries with version 1.8.32.


ANTI-ANALYSIS TECHNIQUES

As with previous versions of Pikabot, this variant employs a series of different
anti-analysis techniques to make the analysis more time-consuming. It should be
noted that none of the methods below presents any significant advanced
capabilities. Furthermore, Pikabot used a series of more advanced detection
features in its loader component in previous versions of the malware.

STRINGS ENCRYPTION

The most notable change is the string obfuscation. In previous versions of
Pikabot, each string was obfuscated by combining the RC4 algorithm with AES-CBC.
This method was highly effective in preventing analysis, particularly when it
came to automated configuration extraction. To successfully analyze Pikabot, an
analyst would need to detect not only the encrypted string but also its unique
RC4 key. Additionally, they would need to extract the AES key and initialization
vector, which are unique to each Pikabot payload. It should be noted that the
approach the Pikabot malware developers followed is similar to the
ADVobfuscator.

In the latest version of Pikabot, the majority of the strings are either
constructed by retrieving each character and pushing it onto the stack (Figure
1) or, in some rare cases, a few strings are still encrypted using the RC4
algorithm only.



Figure 1. String stack construction

JUNK INSTRUCTIONS

This anti-analysis technique was also implemented in previous versions of
Pikabot. Pikabot inserts junk code between valid instructions. The junk code is
either inlined in the function or a call is made to a function, which contains
the junk code (Figure 2).



Figure 2. Junk code

ANTI-DEBUG METHODS

Pikabot uses two methods to detect a debugging session. They are:

 * Reading the BeingDebugged flag from the PEB (Process Environment Block).
 * Calling the Microsoft Windows API function CheckRemoteDebuggerPresent.

Pikabot constantly performs the debugging checks above in certain parts of its
code. For example, when it (en/de)codes network data or when it makes a request
to receive a network command.

ANTI-SANDBOX EVASION

In addition to the anti-debugging checks above, Pikabot uses the following
methods to evade security products and sandboxes:

 * Pikabot utilizes native Windows API calls.
 * Pikabot delays code execution at different stages of its code. The timer is
   randomly generated each time.
 * Pikabot dynamically resolves all required Windows API functions via API
   hashing.

A Python representation of the algorithm is available below.

def api_hash(api_name: bytes) -> int:
    # Pikabot API hashing: seed 0x113B, multiply by 0x21 and add each character.
    checksum = 0x113B
    for c in api_name:
        if c > 0x60:        # fold lowercase letters to uppercase
            c -= 0x20
        checksum = (c + (0x21 * checksum)) & 0xffffffff
    return checksum

api_name = b""  # Left blank in the original; put the API name to hash here.
print(hex(api_hash(api_name)))
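The routine above turns a name into a 32-bit constant, so an analyst working from a sample sees only the constant. The script below is an added example, not code from the Zscaler post: it reuses the same algorithm to build a hash-to-name lookup table from a list of export names and resolves a recovered constant back to its function. The export list is a short constructed sample, not an export table dumped from a real DLL; a real tool would fill it from the export directories of the system DLLs the sample resolves from.

```python
"""Resolve Pikabot-style API hashes back to function names (added example)."""

SEED = 0x113B        # initial checksum value from the post's snippet
MULTIPLIER = 0x21    # per-character multiplier from the post's snippet
MASK = 0xFFFFFFFF


def pikabot_api_hash(api_name: bytes) -> int:
    """32-bit hash Pikabot uses for dynamic API resolution.

    Bytes above 0x60 are shifted down by 0x20, so lowercase ASCII letters
    are folded to uppercase and the hash is case-insensitive for letters.
    """
    checksum = SEED
    for c in api_name:
        if c > 0x60:
            c -= 0x20
        checksum = (c + MULTIPLIER * checksum) & MASK
    return checksum


def build_hash_table(export_names) -> dict:
    """Map hash -> [export names]; a list keeps any collisions visible."""
    table = {}
    for name in export_names:
        h = pikabot_api_hash(name.encode("ascii"))
        table.setdefault(h, []).append(name)
    return table


def resolve(hash_value: int, table: dict) -> list:
    """Return the export names whose hash equals hash_value (empty if unknown)."""
    return table.get(hash_value & MASK, [])


# Constructed sample export list for the example; a real run would walk the
# export directory of ntdll.dll, kernel32.dll, etc. (e.g. with pefile).
SAMPLE_EXPORTS = [
    "LdrLoadDll", "LdrGetProcedureAddress", "RtlAllocateHeap",
    "RtlReAllocateHeap", "RtlFreeHeap", "RtlDecompressBuffer",
    "RtlGetVersion", "RtlRandomEx", "CheckRemoteDebuggerPresent",
]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for name in SAMPLE_EXPORTS:
        print(f"{pikabot_api_hash(name.encode('ascii')):08X}  {name}")
    # Typical use: a constant pulled out of the disassembly.
    print(resolve(pikabot_api_hash(b"RtlGetVersion"), table))
```

Because the table is keyed by hash, the same dictionary can be exported as a symbol list for a disassembler script, which is how the constants in the resolver stubs get annotated in bulk.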

LANGUAGE DETECTION

Identical to previous versions, Pikabot stops execution if the operating
system's language is any of the following:

 * Russian (Russia)
 * Ukrainian (Ukraine)

This is likely an indication that the threat actors behind Pikabot are
Russian-speaking and may reside in Ukraine and/or Russia. The language check
reduces the chance of law enforcement action and potential criminal prosecution
in those regions.


BOT INITIALIZATION PHASE

Unlike previous versions, this version of Pikabot stores all settings and
information in a single structure at a global address (similar to Qakbot). The
analyzed structure is shown below. For brevity, we redacted non-important items
of the structure (such as Windows API names).

struct bot_structure
{
  void *host_info;
  WINHTTPAPI winhttp_session_handle;
  bool bot_error_init_flag;
  FARPROC LdrLoadDll;
  FARPROC LdrGetProcedureAddress;
  FARPROC RtlAllocateHeap;
  FARPROC RtlReAllocateHeap;
  FARPROC RtlFreeHeap;
  FARPROC RtlDecompressBuffer;
  FARPROC RtlGetVersion;
  FARPROC RtlRandomEx;
  // --- redacted ---
  wchar_t* bot_id;
  bool registered_flag;
  int process_pid;
  int process_thread_id;
  int* unknown_unused_1;
  unsigned short os_arch;
  unsigned short dlls_apis_loaded_flag;
  int unknown_unused_2;
  unsigned char* host_rc4_key;
  int number_of_swap_rounds;
  int beacon_time_ms;
  int delay_time_ms; // Used only during the initialization phase of Pikabot.
  int delay_seed_mul;
  wchar_t* bot_version;
  wchar_t* campaign_tag;
  wchar_t* unknown_registry_key_name;
  cncs_info* active_cnc_info;
  cncs_info* cncs_list;
  int num_of_cncs;
  int unknown_unused_3;
  int max_cnc_attempts;
  wchar_t* user_agent;
  void* uris_array;
  void* request_headers_array;
  TEB* thread_environment_block;
};

struct cncs_info
{
  wchar_t* cnc;
  int cnc_port;
  int http_connection_settings; // If set to 1 then the server's certificate validation is ignored and the flags WINHTTP_FLAG_SECURE | WINHTTP_FLAG_BYPASS_PROXY_CACHE are set
  int connection_attempts;
  bool is_cnc_unavailable;
  cncs_info* next_cnc_ptr;
};


BOT CONFIGURATION

The latest version of Pikabot stores its entire configuration in plaintext in
one address. This is a significant drawback since in previous versions, Pikabot
decrypted each required element at runtime and only when required. In addition,
many of the configuration elements (e.g. command-and-control URIs) were
randomized. 

ANALYST NOTE: Despite their randomization, all configuration elements were valid
on the server-side. If a bot sent incorrect information, then it would get
rejected/banned by the command-and-control server.

The configuration structure is the following:

struct configuration
{
  int number_of_swap_rounds_number_of_bytes_to_read_from_end; // During the bot initialization process, this member represents the number of bytes to read from the end of the configuration block.
  size_t len_remaining_structure; // Size of the remaining structure's data minus the last element
  wchar_t* bot_minor_version; // E.g. 32-beta. In some samples, this member contains both the major and minor versions of the bot.

  size_t len_campaign_name;
  wchar_t* campaign_name;
  size_t len_unknown_registry_key_name;
  wchar_t* unknown_registry_key_name; // Used only in the network command 0x246F.
  size_t len_user_agent;
  wchar_t* user_agent;
  size_t number_of_http_headers;
  wchar_string request_headers[number_of_http_headers];
  int number_of_cnc_uris;
  wchar_string cnc_uris[number_of_cnc_uris];
  int number_of_cncs;
  cnc cncs[number_of_cncs];
  int beacon_time_ms;
  int delay_time_ms;
  int delay_seed_mul; // Multiplies this value with the calculated value of the operation - delay_seed_mul * 1000.
  int maximum_cnc_connection_attempts;
  size_t len_bot_version; // major version + minor version
  wchar_t* major_version; // 1.8.
  int len_remaining_bytes_to_read; // Added to the first member and shows how many more bytes to read right after `len_remaining_structure`
};

struct wchar_string
{
  size_t length;
  wchar_t* wstring;
};

struct cnc
{
  size_t len_cnc;
  wchar_t* cnc;
  int cnc_port;
  int connection_attempts;
  bool http_connection_settings;
};

Once Pikabot has parsed the plaintext configuration, it erases it by overwriting
every byte with zero. We assess that this is an anti-dumping measure intended to
defeat automated extraction of the configuration from memory.
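As an added example (not code from the original analysis or from Pikabot itself), the following Python parser walks a configuration block laid out as the structure above describes. The analysis does not state field widths or string encoding, so the example assumes 4-byte little-endian ints (including the bool in struct cnc), length-prefixed UTF-16LE strings with the length counted in characters, and a NUL-terminated bot_minor_version; the block it parses is constructed in that same assumed layout, and the campaign name, C2 address and URIs in it are placeholders. It also checks len_remaining_structure against the bytes actually consumed, which is the first thing to verify when a layout guess is applied to a real unpacked sample.

```python
import struct
from dataclasses import dataclass

# Layout assumptions made for this example (the analysis does not state them):
#  - int, size_t and bool fields are 4-byte little-endian values
#  - wchar_string is a 4-byte length in characters followed by that many UTF-16LE characters
#  - bot_minor_version, which has no length prefix in the structure, is NUL-terminated UTF-16LE

@dataclass
class Cnc:
    host: str
    port: int
    connection_attempts: int
    http_connection_settings: bool  # True: server certificate validation is skipped

@dataclass
class PikabotConfig:
    bytes_to_read_from_end: int
    bot_minor_version: str
    campaign_name: str
    unknown_registry_key_name: str
    user_agent: str
    request_headers: list
    cnc_uris: list
    cncs: list
    beacon_time_ms: int
    delay_time_ms: int
    delay_seed_mul: int
    maximum_cnc_connection_attempts: int
    major_version: str
    len_remaining_bytes_to_read: int

class Reader:
    """Sequential reader over the plaintext configuration block."""
    def __init__(self, blob: bytes):
        self.blob, self.off = blob, 0

    def u32(self) -> int:
        (value,) = struct.unpack_from("<I", self.blob, self.off)
        self.off += 4
        return value

    def wstr(self, nchars: int) -> str:
        raw = self.blob[self.off:self.off + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError("truncated wide string")
        self.off += 2 * nchars
        return raw.decode("utf-16-le")

    def lp_wstr(self) -> str:  # wchar_string { size_t length; wchar_t* wstring; }
        return self.wstr(self.u32())

    def nul_wstr(self) -> str:
        end = self.off
        while self.blob[end:end + 2] != b"\x00\x00":
            end += 2
            if end >= len(self.blob):
                raise ValueError("unterminated wide string")
        text = self.blob[self.off:end].decode("utf-16-le")
        self.off = end + 2
        return text

def parse_config(blob: bytes) -> PikabotConfig:
    r = Reader(blob)
    bytes_from_end = r.u32()
    len_remaining = r.u32()
    body_start = r.off
    minor = r.nul_wstr()
    campaign, regkey, user_agent = r.lp_wstr(), r.lp_wstr(), r.lp_wstr()
    headers = [r.lp_wstr() for _ in range(r.u32())]
    uris = [r.lp_wstr() for _ in range(r.u32())]
    cncs = []
    for _ in range(r.u32()):  # struct cnc: len + host, port, connection_attempts, http_connection_settings
        host = r.lp_wstr()
        cncs.append(Cnc(host, r.u32(), r.u32(), bool(r.u32())))
    beacon, delay, seed_mul, max_attempts = (r.u32() for _ in range(4))
    major = r.lp_wstr()
    # len_remaining_structure covers everything after itself except the final int;
    # a mismatch means the layout guess is wrong or the block was not fully recovered
    if r.off - body_start != len_remaining:
        raise ValueError(f"len_remaining_structure mismatch: {r.off - body_start} != {len_remaining}")
    return PikabotConfig(bytes_from_end, minor, campaign, regkey, user_agent, headers, uris, cncs,
                         beacon, delay, seed_mul, max_attempts, major, r.u32())

_u32 = lambda value: struct.pack("<I", value)
_lp = lambda text: _u32(len(text)) + text.encode("utf-16-le")

def build_sample_config() -> bytes:
    """Constructed sample block (not taken from a real Pikabot binary) in the assumed layout."""
    body = (
        "32-beta".encode("utf-16-le") + b"\x00\x00"
        + _lp("EXAMPLE_CAMPAIGN") + _lp("ExampleValue") + _lp("Mozilla/5.0 (example UA)")
        + _u32(2) + _lp("Accept: */*") + _lp("Content-Type: application/octet-stream")
        + _u32(2) + _lp("/api/example") + _lp("/upload/example")
        + _u32(1) + _lp("192.0.2.10") + _u32(2967) + _u32(3) + _u32(1)
        + _u32(600000) + _u32(3000) + _u32(7) + _u32(5)
        + _lp("1.8.")
    )
    return _u32(4) + _u32(len(body)) + body + _u32(0)
```

Because the bot zeroes the block as soon as it has parsed it, the input has to come from the unpacked binary or from a memory snapshot taken before the initialization routine runs; a dump taken afterwards contains only zeros at that address.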

Lastly, Pikabot loads any remaining required Windows API functions and generates
a bot identifier for the compromised host. The algorithm is similar to previous
versions and can be reproduced with the following Python code.

def checksum(input: int) -> int:
    # Linear step applied to every component of the bot ID, truncated to 32 bits
    return (0x10E1 * input + 0x1538) & 0xffffffff

def generate_bot_id_set_1(host_info: bytes, volume_serial_number: int) -> int:
    # Hash of the lowercased "username|hostname" string, seeded with the volume serial number
    for current_character in host_info.lower():
        volume_serial_number *= 5
        volume_serial_number += current_character
    bot_id_part_1 = checksum(volume_serial_number & 0xffffffff)
    return bot_id_part_1

def generate_bot_id_set_2(volume_serial_number: int) -> int:
    # Two checksum rounds over the volume serial number alone
    bot_id_part_2 = checksum(volume_serial_number)
    bot_id_part_2 = checksum(bot_id_part_2)
    return bot_id_part_2

def generate_bot_id_set_3(bot_id_part_2: int) -> int:
    # Eight further rounds; the low byte of each of the last four rounds forms a little-endian DWORD
    out = []
    for i in range(8):
        bot_id_part_2 = checksum(bot_id_part_2)
        out.append(bot_id_part_2 & 0xff)
    out = bytes(out[-4:])
    return int.from_bytes(out, byteorder='little')

def generate_bot_id(host_info: bytes, volume_serial_number: int) -> str:
    bot_id_part_1 = generate_bot_id_set_1(host_info, volume_serial_number)
    bot_id_part_2 = generate_bot_id_set_2(volume_serial_number)
    bot_id_part_3 = generate_bot_id_set_3(bot_id_part_2)
    # Parts 1 and 2 are zero-padded uppercase hex (part 2 truncated to 16 bits); part 3 is appended in decimal
    return f"{bot_id_part_1:07X}{bot_id_part_2 & 0xffff:09X}{bot_id_part_3}"

host_info = b"username|hostname"  # replace with the compromised host's "username|hostname"
volume_serial_number = 0  # placeholder: replace with the serial number returned by GetVolumeInformationW
bot_id = generate_bot_id(host_info, volume_serial_number)

ANALYST NOTE: In some samples, Pikabot does not read the volume serial number
due to a bug in their code that causes a failure when calling
GetVolumeInformationW.


NETWORK COMMUNICATIONS

Pikabot contacts the command-and-control server to request and receive network
commands. The network protocol has changed considerably in this version. Pikabot
starts by registering the compromised host with its server.

First, Pikabot collects information from the compromised host, such as:

 * Monitor's display settings
 * Windows version
 * Hostname/username and the system's memory size
 * Beacon and delay settings
 * Process information such as the process ID, parent process ID and number of
   threads (see the description of network command 0x985 for a comprehensive
   list)
 * Bot's version and campaign name
 * Name of the domain controller

Then Pikabot appends the following information to the registration packet:

 * A 32-byte network RC4 key (unique per host), which remains the same for the
   session. In previous versions, Pikabot used AES-CBC with a random key/IV per
   request.
 * The unknown registry key name. We observed it used only in the network
   command with ID 0x246F.
 * The number of swap rounds used for encoding the data. This remains the same
   for the rest of the session.

Next, Pikabot encrypts the data with RC4, encodes the ciphertext, picks a random
URI from its list, and sends the result in a POST request to the
command-and-control server.

The encoding consists of N rounds of byte swapping, where N is a randomly
generated number in the range 0-25.

ANALYST NOTE: Although a round count is present in the configuration (see the
configuration structure), it is ignored: Pikabot replaces it with a random
value. Moreover, Pikabot has completely dropped the JSON format from its network
packets and now sends everything in a raw format.

If the bot registration is successful, Pikabot starts an infinite loop to
request and execute commands. 

Each incoming network command (except the network command with ID 0x164)
carries a task ID, placed at the start of the decrypted packet as a QWORD value.
Table 1 below lists the identified network commands along with a description of
their functionality.

Command ID   Description

0x164        Requests a command from the command-and-control server. The packet
             includes the command ID, the size of the bot ID, and the bot ID.
             The server replies with the same command ID if there is no network
             command for the bot to execute.
0x555        Reports the output of the executed network command to the
             command-and-control server.
0x1291       Registers the bot. An unknown integer value (0x1687) is appended
             to the packet at offset 8.
0x1FED       Updates the beacon time.
0x1A5A       Terminates/kills the bot.
0x2672       Not implemented.
0x246F       Writes a file to disk and adds registry data using the value name
             specified in the configuration (unknown_registry_key_name).
0xACB        Executes the system command and sends back the output. Includes
             the error code 0x1B3 if there is no output.
0x36C        Injects the code of a downloaded PE file. The target process
             information is specified in the network packet.
0x792        Injects downloaded shellcode. The target process information is
             specified in the network packet.
0x359        Executes a system command and sends back the output. Same as 0xACB
             but does not send the error code.
0x3A6        Executes a system command and sends back the output. Same as 0xACB
             but does not send the error code.
0x240        Executes a system command and sends back the output. Same as 0xACB
             but does not send the error code.
0x985        Collects process information:
              * Executable's filename
              * Process ID
              * Boolean flag indicating whether it is a Pikabot process
              * Boolean flag indicating whether Pikabot can open the process
                with all possible access rights
              * Number of threads
              * Base priority of threads
              * Process architecture
              * Parent process ID
0x982        Not implemented.

Table 1. Pikabot Network Commands
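The request/reply cycle from Table 1, as an added example that is not part of the original analysis: RC4 with a 32-byte session key on both sides, a 0x164 poll carrying the command ID, bot ID length and bot ID, the QWORD task ID that prefixes every server reply except the 0x164 echo, and a 0x555 report that substitutes error code 0x1B3 when a 0xACB command produced no output. The framing of the reply (QWORD task ID, then a 4-byte command ID, then the payload) and of the report, the 4-byte integer widths and the ASCII bot ID are assumptions; the FakeC2 class is a stand-in that only drives the exchange; and the byte-swap encoding applied on top of RC4 is omitted because the analysis does not describe the permutation.

```python
import os
import struct

# Command IDs from Table 1 of the analysis
CMD_REQUEST_TASK = 0x164
CMD_REPORT_OUTPUT = 0x555
CMD_EXEC = 0xACB
ERR_NO_OUTPUT = 0x1B3


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def new_session_key() -> bytes:
    """32-byte per-host RC4 key, generated once at registration and reused for the session."""
    return os.urandom(32)


# Bot side. Assumed framing (the analysis only gives the field order for 0x164):
#  - bot -> server: 4-byte LE command ID first, then the command-specific fields
#  - server -> bot: QWORD task ID, then a 4-byte command ID, then the payload;
#    a 4-byte packet holding 0x164 is the "no task" reply described in Table 1
def build_task_request(key: bytes, bot_id: str) -> bytes:
    raw = bot_id.encode("ascii")
    return rc4(key, struct.pack("<II", CMD_REQUEST_TASK, len(raw)) + raw)


def parse_task(key: bytes, packet: bytes):
    """Returns None for the 0x164 echo, otherwise (task_id, cmd, payload)."""
    plain = rc4(key, packet)
    if len(plain) == 4 and struct.unpack("<I", plain)[0] == CMD_REQUEST_TASK:
        return None
    task_id, cmd = struct.unpack_from("<QI", plain, 0)
    return task_id, cmd, plain[12:]


def build_report(key: bytes, task_id: int, output: bytes) -> bytes:
    """0x555 report; an empty 0xACB result carries error code 0x1B3 instead of output."""
    body = struct.pack("<IQ", CMD_REPORT_OUTPUT, task_id)
    body += output if output else struct.pack("<I", ERR_NO_OUTPUT)
    return rc4(key, body)


class FakeC2:
    """Minimal stand-in server, only enough to drive the exchange; not Pikabot's real backend."""
    def __init__(self, key: bytes):
        self.key = key
        self.queue = []     # pending (task_id, cmd, payload)
        self.reports = {}   # task_id -> reported bytes

    def handle(self, packet: bytes) -> bytes:
        plain = rc4(self.key, packet)
        (cmd,) = struct.unpack_from("<I", plain, 0)
        if cmd == CMD_REQUEST_TASK:
            if not self.queue:
                return rc4(self.key, struct.pack("<I", CMD_REQUEST_TASK))  # echo: nothing to do
            task_id, task_cmd, payload = self.queue.pop(0)
            return rc4(self.key, struct.pack("<QI", task_id, task_cmd) + payload)
        if cmd == CMD_REPORT_OUTPUT:
            (task_id,) = struct.unpack_from("<Q", plain, 4)
            self.reports[task_id] = plain[12:]
            return b""
        raise ValueError(f"unexpected bot command {cmd:#x}")


def run_exchange():
    """Poll until the server echoes 0x164, executing and reporting each task in between."""
    key = new_session_key()
    c2 = FakeC2(key)
    c2.queue += [(0x1001, CMD_EXEC, b"whoami"), (0x1002, CMD_EXEC, b"hostname")]  # constructed tasks
    received = {}
    while (task := parse_task(key, c2.handle(build_task_request(key, "EXAMPLEBOTID")))) is not None:
        task_id, cmd, payload = task
        # Simulated execution (constructed): only "whoami" produces output
        output = b"example\\user\r\n" if payload == b"whoami" else b""
        c2.handle(build_report(key, task_id, output))
        received[task_id] = (cmd, payload)
    return received, c2.reports
```

Because the RC4 key is sent once at registration and reused for the whole session, capturing the registration request is enough to decrypt every later packet of that host; the swap-round count sent alongside it is what the decoder must undo before RC4 is applied.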




CONCLUSION

Despite its recent inactivity, Pikabot continues to pose a significant threat
and is under constant development. However, the developers have taken a
different approach and reduced the complexity of Pikabot's code by removing
advanced obfuscation features. Moreover, based on our code analysis, certain
features and network commands have not yet been implemented and are still a
work in progress.

Zscaler ThreatLabz continues to track this threat and add detections to protect
our customers.




INDICATORS OF COMPROMISE (IOCS)

SHA256                                                            Description

555687ca3149e23ee980a3acf578e0572da556cf34c87aecf48596834d6b496f  Pikabot sample (version 1.8.32-beta)
ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d  Pikabot sample (version 1.8.32-beta)

IOC                      Description

104.129.55[.]103:2224    Command-and-Control server
178.18.246[.]136:2078    Command-and-Control server
158.220.80[.]167:2967    Command-and-Control server
104.129.55[.]104:2223    Command-and-Control server
23.226.138[.]161:5242    Command-and-Control server
37.60.242[.]85:9785      Command-and-Control server
23.226.138[.]143:2083    Command-and-Control server
37.60.242[.]86:2967      Command-and-Control server
85.239.243[.]155:5000    Command-and-Control server
158.220.80[.]157:9785    Command-and-Control server
65.20.66[.]218:5938      Command-and-Control server
95.179.191[.]137:5938    Command-and-Control server
139.84.237[.]229:2967    Command-and-Control server


 



ZSCALER COVERAGE



In addition to sandbox detections, Zscaler’s multilayered cloud security
platform detects indicators related to Pikabot at various levels with the
following threat names:

 * Win32.Trojan.PikaBot
 * Win32.Downloader.PikaBot




