Back to Intelligence

Malware Newsletter Round 99: Countering PikaBot and the Rise of Post-Qakbot Loaders

SA
Security Arsenal Team
May 31, 2026
6 min read

The release of the Security Affairs Malware Newsletter Round 99 serves as a critical warning for the security community. The threat landscape is undergoing a significant shift following the disruption of Qakbot. As detailed in the report, threat actors are aggressively pivoting to PikaBot, a sophisticated malware loader that has adopted the TTPs (Tactics, Techniques, and Procedures) of its predecessor while introducing new anti-analysis features.

This is not a theoretical risk. The newsletter highlights that PikaBot is actively being distributed via massive phishing campaigns, often leveraging ISO files to bypass Mark-of-the-Web (MotW) controls. Additionally, the resurgence of Lumma Stealer and continued activity from Phobos ransomware signal a busy quarter for incident responders. Defenders must prioritize the detection of DLL side-loading and suspicious process injection chains to prevent initial access.

Technical Analysis

The Round 99 newsletter identifies three primary threats requiring immediate defensive attention:

1. PikaBot (The Qakbot Successor)

PikaBot has emerged as the dominant loader in the e-crime ecosystem following the Qakbot takedown. It functions as both a loader and a stealer, capable of dropping additional payloads like Cobalt Strike.

  • Attack Vector: Malspam campaigns distributing ZIP or ISO archives containing LNK files.
  • Mechanism: DLL Side-Loading. PikaBot typically abuses legitimate, signed Windows binaries (e.g., wab.exe, mshta.exe, or regsvr32.exe) to load a malicious DLL located in the same directory.
  • Capabilities: Anti-VM detection, process hollowing, and C2 communication using custom encryption.

2. Lumma Stealer (Info-Stealer)

Lumma (also known as LummaC2) is an information-stealing malware targeting cryptocurrency wallets, browser cookies, and saved credentials.

  • Attack Vector: The newsletter notes a specific distribution method utilizing YouTube. Attackers upload videos claiming to offer "cracked" software or premium tools, with descriptions containing malicious links.
  • Mechanism: PowerShell scripts are often used to fetch the payload, bypassing basic execution controls.

3. Phobos Ransomware

A long-standing ransomware-as-a-service (RaaS) operation.

  • Attack Vector: Exploitation of exposed RDP services and compromised valid credentials.
  • Mechanism: Manual lateral movement followed by double-extortion (encryption + data theft).

Detection & Response

This newsletter describes active exploitation of technical vulnerabilities and malware TTPs. The following detection rules and hunts are designed to identify the specific behaviors of PikaBot, Lumma, and Phobos discussed in Round 99.

Sigma Rules

YAML
---
title: PikaBot DLL Side-Loading via Regsvr32
id: 99a1b2c3-d4e5-4f6a-8b9c-0d1e2f3a4b5c
status: experimental
description: Detects PikaBot activity where regsvr32.exe is used to load a DLL from a suspicious user profile path (common in ISO/LNK distribution).
references:
 - https://securityaffairs.com/192928/security/security-affairs-malware-newsletter-round-99.html
author: Security Arsenal
date: 2024/10/15
tags:
 - attack.defense_evasion
 - attack.t1574.002
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith: '\regsvr32.exe'
   CommandLine|contains: '.dll'
 selection_filter:
   CommandLine|contains:
     - 'C:\Users\'
     - 'C:\ProgramData\'
 condition: selection and selection_filter
falsepositives:
 - Legitimate software installation (rare from Users dir)
level: high
---
title: Lumma Stealer YouTube Distribution
id: 88d2e3f4-5a6b-4c7d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects potential Lumma Stealer infection via PowerShell downloading from YouTube or similar video streaming links often used in "crack" scams.
references:
 - https://securityaffairs.com/192928/security/security-affairs-malware-newsletter-round-99.html
author: Security Arsenal
date: 2024/10/15
tags:
 - attack.initial_access
 - attack.t1566.001
logsource:
 category: process_creation
 product: windows
detection:
 selection_img:
   Image|endswith:
     - '\powershell.exe'
     - '\curl.exe'
 selection_cli:
   CommandLine|contains:
     - 'youtube'
     - 'youtu.be'
   CommandLine|contains:
     - 'download'
     - 'invoke-webrequest'
     - 'iwr'
 condition: selection_img and selection_cli
falsepositives:
 - Legitimate users downloading video tools (rare)
level: medium
---
title: Phobos Ransomware Note Creation
id: 77c3d4e5-6b7a-4b8c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects the creation of Phobos ransomware notes (info.hta or info.txt) in root drives.
references:
 - https://securityaffairs.com/192928/security/security-affairs-malware-newsletter-round-99.html
author: Security Arsenal
date: 2024/10/15
tags:
 - attack.impact
 - attack.t1486
logsource:
 category: file_create
 product: windows
detection:
 selection:
   TargetFilename|contains:
     - 'C:\\info.hta'
     - 'C:\\info.txt'
     - 'D:\\info.hta'
     - 'D:\\info.txt'
 condition: selection
falsepositives:
 - Admins creating info files (verify path)
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for PikaBot Side-loading patterns
// Looks for regsvr32 or rundll32 loading DLLs from User directories
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("regsvr32.exe", "rundll32.exe", "mshta.exe")
| where FileName =~ "*.dll"
| where ProcessCommandLine contains "C:\\Users"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for PikaBot artifacts: Suspicious DLLs in User AppData or Downloads
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="/*", root=C:\Users\*
| WHERE Name =~ "PikaBot" 
   OR FullPath =~ ".*\\AppData\\Local\\Temp\\.*\\.*.dll"
   OR FullPath =~ ".*\\Downloads\\.*\\.*.dll")
-- Hunt for Phobos Ransomware extensions
SELECT FullPath, Size, Mtime
FROM glob(globs="C:\\*", root="C:\\")
WHERE FullName =~ ".*\\.phobos" 
   OR FullName =~ ".*\\.enc" 
   OR Name =~ "info.hta"

Remediation Script (PowerShell)

PowerShell
# Response Script: PikaBot and Generic Loader Remediation
# Requires Admin Privileges

Write-Host "Starting Threat Remediation based on Security Affairs Round 99..." -ForegroundColor Cyan

# 1. Kill Suspicious Processes (Regsvr32 running from User Profile)
$suspiciousProcesses = Get-Process -Name "regsvr32" -ErrorAction SilentlyContinue | 
    Where-Object { $_.Path -like "*Users*" }

if ($suspiciousProcesses) {
    Write-Host "Terminating suspicious regsvr32 instances..." -ForegroundColor Yellow
    $suspiciousProcesses | Stop-Process -Force
} else {
    Write-Host "No suspicious regsvr32 processes found." -ForegroundColor Green
}

# 2. Scan and Remove Suspicious ISO/LNK files in Downloads (Common PikaBot Vector)
$dangerousExtensions = @(".iso", ".img", ".vhd", ".lnk")
$userProfiles = Get-ChildItem "C:\Users" -Directory

foreach ($user in $userProfiles) {
    $downloadPath = Join-Path $user.FullName "Downloads"
    if (Test-Path $downloadPath) {
        Write-Host "Scanning $downloadPath for malicious archives..." -ForegroundColor Yellow
        Get-ChildItem -Path $downloadPath -Recurse -Include $dangerousExtensions -ErrorAction SilentlyContinue | 
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | 
            Remove-Item -Force -ErrorAction SilentlyContinue
    }
}

Write-Host "Remediation complete. Please run a full AV scan." -ForegroundColor Green

Remediation

Based on the threats detailed in Round 99, apply the following defensive measures immediately:

  1. Patch and Harden RDP: To mitigate Phobos Ransomware, ensure RDP is not exposed to the internet. Enforce Network Level Authentication (NLA) and use VPNs or Zero Trust Network Access (ZTNA) for remote access.
  2. Block Macros and ISO Attachments: PikaBot relies heavily on ISO and LNK files. Configure email gateways (Microsoft Defender for Office 365 / Mimecast) to strip ISO, IMG, and LNK file attachments.
  3. Application Control (AppLocker): Implement strict DLL side-loading prevention. Use Microsoft AppLocker or Windows Defender Application Control (WDAC) to prevent regsvr32.exe, mshta.exe, or rundll32.exe from loading DLLs from user-writable directories (e.g., C:\Users\*, C:\ProgramData\*, AppData\Local\Temp).
  4. User Awareness: Conduct targeted phishing training regarding "YouTube Crack" scams used to distribute Lumma Stealer. Users should be instructed never to download software from video hosting platforms.
  5. Network Segmentation: Restrict lateral movement. Phobos relies on moving laterally from the initial jump host; segmenting critical assets from user workstations limits the blast radius.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirpikabotqakbotlumma-stealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action