outer"> <div class="gh-head-inner inner"> <div class="gh-head-brand"> <a class="gh-head-logo" href="https://blog.pulsedive.com"> <img src="https://blog.pulsedive.com/content/images/2022/03/Pulsedive-Logo_Light-Blue.png" alt="Pulsedive Blog"> </a> <button class="gh-search gh-icon-btn" aria-label="Search this site" data-ghost-search><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2" width="20" height="20"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"></path></svg></button> <button class="gh-burger" aria-label="Main Menu"></button> </div> <nav class="gh-head-menu"> <ul class="nav"> <li class="nav-home"><a href="https://blog.pulsedive.com/">Home</a></li> <li class="nav-platform"><a href="https://pulsedive.com">Platform</a></li> <li class="nav-faqs"><a href="https://blog.pulsedive.com/pulsedive-cyber-threat-intelligence-faqs/">FAQs</a></li> </ul> </nav> <div class="gh-head-actions"> <button class="gh-search gh-icon-btn" aria-label="Search this site" data-ghost-search><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2" width="20" height="20"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"></path></svg></button> </div> </div> </header> <div class="site-content"> <main id="site-main" class="site-main"> <article class="article post tag-threat-intelligence tag-malware "> <header class="article-header gh-canvas"> <div class="article-tag post-card-tags"> <span class="post-card-primary-tag"> <a href="/tag/threat-intelligence/">threat intelligence</a> </span> </div> <h1 class="article-title">PikaBot Rising</h1> <p class="article-excerpt">Dive into the distribution methods and capabilities of Pikabot, a loader that has been growing in prevalence since early 2023.</p> <div class="article-byline"> <section class="article-byline-content"> <ul 
class="author-list instapaper_ignore"> <li class="author-list-item"> <a href="/author/pulsedive/" class="author-avatar" aria-label="Read more of Pulsedive Threat Research"> <img class="author-profile-image" src="/content/images/size/w100/2024/01/Pulsedive-Heart_Color.jpg" alt="Pulsedive Threat Research" /> </a> </li> </ul> <div class="article-byline-meta"> <h4 class="author-name"><a href="/author/pulsedive/">Pulsedive Threat Research</a></h4> <div class="byline-meta-content"> <time class="byline-meta-date" datetime="2024-01-22">22 Jan 2024</time> <span class="byline-reading-time"><span class="bull">•</span> 7 min read</span> </div> </div> </section> </div> <figure class="article-image"> <img srcset="/content/images/size/w300/2024/01/Pikabot-Cover.jpg 300w, /content/images/size/w600/2024/01/Pikabot-Cover.jpg 600w, /content/images/size/w1000/2024/01/Pikabot-Cover.jpg 1000w, /content/images/size/w2000/2024/01/Pikabot-Cover.jpg 2000w" sizes="(min-width: 1400px) 1400px, 92vw" src="/content/images/size/w2000/2024/01/Pikabot-Cover.jpg" alt="PikaBot Rising" /> </figure> </header> <section class="gh-content gh-canvas"> <p><a href="https://pulsedive.com/threat/Pikabot"><strong><u>Pikabot</u></strong></a><strong> </strong>is an emerging loader that has been active since early 2023. The malware provides access to environments with the ability to remotely execute commands for reconnaissance or the ingress of additional tools. Over the past year, security researchers have observed Pikabot distributed through malspam and malvertising. 
Its usage became more prevalent following the takedown of Qakbot by law enforcement agencies in 2023.</p><figure class="kg-card kg-image-card kg-card-hascaption"><a href="https://pulsedive.com/threat/Pikabot"><img src="https://lh7-us.googleusercontent.com/HiTLWLtRmp4UISiYf0sM3goLORDC15yi5wqEM2oA6zTyUC89viRnSZbYv0SwWqwhdYOEvNUdkRbDtwhPgdnNFCQBYj-AwPf5Raq2MYbfparIH1m9Zi_l2K1_NVbOfRZPXDMIWLTfcbyHWOx5CGONhC5iLwAFb74xaM5JHiDFkNnrlAJvZ9T-Fdh7DBijzA" class="kg-image" alt="" loading="lazy" width="1067" height="615"></a><figcaption><span style="white-space: pre-wrap;">Figure 1: Pulsedive's </span><a href="https://pulsedive.com/threat/Pikabot" rel="noreferrer"><span style="white-space: pre-wrap;">Pikabot</span></a><span style="white-space: pre-wrap;"> threat page</span></figcaption></figure><p>This blog provides an overview of the distribution mechanisms and features of Pikabot, highlighting capabilities that include:</p><ul><li>Anti-analysis checks</li><li>Loading junk libraries</li><li>Executing commands</li><li>Gathering system information</li></ul><h1 id="distribution-mechanisms">Distribution Mechanisms</h1><p>Pikabot has been distributed primarily through spam emails. Following the takedown of Qakbot in August 2023, there was an increase in campaigns using Pikabot. Similar to campaigns spreading other malware, these emails are often part of a hijacked thread containing either an attachment or a link to download the file.</p><h2 id="spam-campaigns">Spam Campaigns</h2><p><a href="https://www.trendmicro.com/en_ie/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"><u>Trend Micro Research</u></a> identified a spam campaign used to deliver Pikabot. The campaign leveraged thread hijacking, where threat actors inject themselves into existing email threads and send emails as if the malicious entity had always been part of the thread. Typically, Pikabot intrusions start with a ZIP archive containing a JavaScript file that is used to download and execute the second-stage payload. 
In other observed intrusions, instead of a JavaScript file, the ZIP archive contained either an IMG or a PDF file. In the IMG case, the disk image contains an LNK file masquerading as a Word document together with the Pikabot DLL, and the LNK file is used to execute the DLL. In the PDF case, the PDF serves as a lure that is used to download the DLL sample. The LOLBIN <em>rundll32.exe</em> is then used to execute the DLL file. </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh7-us.googleusercontent.com/1WAgr2ehkU8rJ12UjwnWA2Bma_A8garzXXCVTN8tJ1dZWolElqid75mDhg87apm3wDvbDuJqIQpZ5HpRB_v1swVhGk4BjBvWLrrtdI1_IKhLJYwvYEfc6zLdcTKCZaf068OcBnzYEzteisPwSDfJlBw-xnGx3-eFNJOsZwHULvECnPj9HI7UV2O0ynYjcg" class="kg-image" alt="" loading="lazy" width="943" height="520"><figcaption><span style="white-space: pre-wrap;">Figure 2: Execution flow observed in spam campaigns delivering Pikabot.</span></figcaption></figure><h2 id="malvertising">Malvertising</h2><p>Threat researchers have also identified cases where Pikabot was distributed through malicious advertising. In one example, Pikabot impersonated the remote access tool <a href="https://anydesk.com/en"><u>AnyDesk</u></a> in a malvertising campaign (<a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads"><u>Malwarebytes</u></a>). The campaign used paid advertisements so that the phishing sites appeared at the top of a user’s Google search results, and relied on the user clicking the sponsored link instead of the genuine AnyDesk URL. 
After users clicked the malvertising link, they were redirected to a page mimicking the AnyDesk webpage.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh7-us.googleusercontent.com/tKnXeKaLT2zd8V-u5I9XpeXRMppVzjNUGUDwyqvY7Bmj207Oduv8sjaRGNZLO919qxUBthax_EWu1Ih-9W-bjTwDh-UnXGhZPIvOHc1GbDSNYLMK2gsboUH9t1A3CAZd2NnwC7zIxQJI6uuJOYJsN04CiiGTYYpFv-KOnwOKgBrus3c1YQ-PTAHzUhfNJA" class="kg-image" alt="" loading="lazy" width="1097" height="737"><figcaption><span style="white-space: pre-wrap;">Figure 3: A web page masquerading as the official AnyDesk download source (</span><a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads"><u><span class="underline" style="white-space: pre-wrap;">Malwarebytes</span></u></a><span style="white-space: pre-wrap;">)</span></figcaption></figure><p>The page hosts a malicious .msi file used to run Pikabot. The MSI uses process hollowing to execute the malicious code in a SearchProtocolHost.exe process, by creating the process in a suspended state, unmapping the process memory, writing the malicious code to memory, and then resuming the thread. </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh7-us.googleusercontent.com/Lmbpgz6gIs1VonXw0u_baBk3GHJt985eXGcXTjVPPpyNZK6zMWp23XYhbvR9y7ROthtH5pdCHXQ_u7jPWpDOc3NeFketEatVb4Zqp7a_IvFol8UShyPsAsLDQGdkb9xU46P-1IdrFPv3PgPn3O46ZcMTfsmEV2bO2tAOxvcMvnusDU9dl0tJfCGs0ElsFg" class="kg-image" alt="" loading="lazy" width="794" height="209"><figcaption><span style="white-space: pre-wrap;">Figure 4: Execution flow observed in Pikabot intrusions originating from malvertising campaigns. </span></figcaption></figure><h1 id="features-of-pikabot">Features of Pikabot</h1><h2 id="dynamic-api-resolving">Dynamic API Resolving</h2><p>Pikabot samples resolve APIs at runtime. 
This means that many of the APIs the sample needs are resolved while it is running rather than being listed in the binary's import table. This is an attempt by the malware author to make it more difficult to determine functionality through static analysis of imported APIs. Three functions are resolved through API hashing; once <em>GetProcAddress </em>and <em>LoadLibraryA </em>are resolved, they are used to resolve the remaining APIs, whose names are stored as encrypted strings and decrypted at runtime. </p><p><a href="https://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html#String-Decryption"><u>OALabs </u></a>developed Python code that can be used to decrypt the strings. The figure below shows some of the decrypted strings from the sample <a href="https://www.unpac.me/results/671ae130-6070-48fc-82f2-afc305fdbf3d?hash=39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206#/"><u>39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206</u></a>.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh7-us.googleusercontent.com/7kWALoigeaudwk_FoRqp0F34XXu1xEL3i7DCdYUpf-WBVGMvMXD8C2iKgfe4rfN7qCeA5BxDCQgJtjZfnk_pM0zF_E8pHxFzQjDbu45xdFm7lrZGp5Q_eEEJUJclVgGXahWO7GMWodkMyhZfI1VIn1f4uxx3WcJ_3_DuzJNDcFOikbPg87_OrCqbqqD_ZQ" class="kg-image" alt="" loading="lazy" width="868" height="814"><figcaption><span style="white-space: pre-wrap;">Figure 5: Python code showing the decrypted strings. 
Screenshot from </span><a href="https://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html#String-Decryption"><u><span class="underline" style="white-space: pre-wrap;">OALabs</span></u></a></figcaption></figure><h2 id="anti-analysis-techniques">Anti-Analysis Techniques</h2><p>The sample leverages several anti-analysis techniques to make analysis of the malware more difficult, which include:</p><ul> <li>Using the INT 2D and INT3 instructions to raise exceptions that the sample handles itself <ul> <li>INT3 is a software breakpoint that is used to trigger an interrupt. When no debugger is attached, the sample's exception handler is called after the INT3 exception is raised. When a debugger is present, the debugger intercepts the exception first and control is not handed to the exception handler, which reveals the debugger.</li> <li>For INT 2D, Windows uses the EIP register as the exception address and then increments the EIP register value. This instruction may cause issues for debuggers since increasing the EIP may cause instructions to be skipped.</li> </ul> </li> <li>Checking the <code>BeingDebugged</code> flag in the PEB</li> <li>Calling the APIs <code>CheckRemoteDebuggerPresent()</code> and <code>IsDebuggerPresent()</code></li> <li>Loading junk libraries</li> <li>Delaying execution using the <a href="https://learn.microsoft.com/en-us/windows/win32/api/utilapiset/nf-utilapiset-beep"><code>Beep()</code></a> function <ul> <li>This is used in a similar fashion to a sleep call and is intended to delay execution, which can outlast the time budget of automated sandboxes. The Beep function generates a tone that is played on the speaker. 
Execution of the program does not resume until the sound finishes, so the call acts as a delay.</li> </ul> </li> <li>Checking the value of <code>NtGlobalFlag</code> in the process environment block to see if a debugger is attached</li> <li>Calling <code>NtQueryInformationProcess()</code> with the information class <code>0x7</code> (ProcessDebugPort)</li> <li>Using <code>GetWriteWatch()</code> to retrieve the addresses of allocated pages that have been written to (unexpected writes can indicate a debugger or other instrumentation)</li> <li>Checking if the number of processors is less than or equal to 2</li> <li>Using the <code>rdtsc</code> instruction to measure elapsed cycles and detect single-stepping in a debugger</li> <li>Checking memory size with <code>GlobalMemoryStatusEx()</code> to see if it is less than 2 GB</li> </ul> <figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.pulsedive.com/content/images/2024/01/Pikabot-Anti-analysis.png" class="kg-image" alt="" loading="lazy" width="960" height="540" srcset="https://blog.pulsedive.com/content/images/size/w600/2024/01/Pikabot-Anti-analysis.png 600w, https://blog.pulsedive.com/content/images/2024/01/Pikabot-Anti-analysis.png 960w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">Figure 6: The anti-analysis techniques used by Pikabot</span></figcaption></figure><div class="kg-card kg-callout-card kg-callout-card-blue"><div class="kg-callout-emoji">💡</div><div class="kg-callout-text"><a href="https://anti-debug.checkpoint.com/"><u>Check Point Research</u></a> has a helpful resource covering several of the anti-debug tricks observed within Pikabot samples.</div></div><h2 id="language-checks">Language Checks</h2><p>Apart from the checks outlined above, which cause the program to terminate when analysis tooling is detected, Pikabot samples also check the language of the system to avoid infecting <a href="https://en.wikipedia.org/wiki/Commonwealth_of_Independent_States"><u>CIS countries</u></a>. 
Zscaler identified that the samples check for the following languages (note that Slovenian is included even though Slovenia is not a CIS member state):</p><ul><li>Georgian</li><li>Kazakh</li><li>Uzbek</li><li>Tajik</li><li>Russian</li><li>Ukrainian</li><li>Belarusian</li><li>Slovenian</li></ul><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh7-us.googleusercontent.com/nDsEhuWNS5foxT_YZ1TKhUr0vdIes7OadxAUZplmH9lKMRJEzqXNVt63QImDs3m5raOMlf3-8rT8OzUL4E-IvdeK3862rvMvZJ5NhgSWG5m-r49ysl4ulZQOHxf2kSqJGvVP9lk0QB7BikR52fb4w-0TUeIHs6pUfCSR_baT77SPBK4hJCa4gVZuUKkzDA" class="kg-image" alt="" loading="lazy" width="1600" height="372"><figcaption><span style="white-space: pre-wrap;">Figure 7: Pikabot uses the </span><a href="https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getuserdefaultlangid"><u><i><em class="italic underline" style="white-space: pre-wrap;">GetUserDefaultLangID</em></i></u></a><span style="white-space: pre-wrap;"> function to return the language identifier of the Region set for the current user. </span><a href="https://kienmanowar.wordpress.com/2024/01/06/quicknote-technical-analysis-of-recent-pikabot-core-module/"><u><span class="underline" style="white-space: pre-wrap;">Screenshot from 0DAY IN {REA_TEAM}</span></u></a><span style="white-space: pre-wrap;">.</span></figcaption></figure><p>The API function <a href="https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getuserdefaultlangid"><u>GetUserDefaultLangID</u></a> returns the language identifier for the current user. This information can also be viewed from <strong>Control Panel -> Clock, Language, and Region -> Change date, time, or number formats -> Formats </strong>(<a href="https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getuserdefaultlangid"><u>Microsoft</u></a>). </p><div class="kg-card kg-callout-card kg-callout-card-blue"><div class="kg-callout-emoji">❗</div><div class="kg-callout-text">Language identifiers (LANGIDs) are numeric values that identify a language and, where applicable, a sublanguage; the sample compares these numeric values rather than language names. 
</div></div><p>If the user's language matches any of these, the program terminates. This type of check to avoid infecting endpoints in CIS countries is not unique to Pikabot and has also been observed in several ransomware variants. </p><h2 id="capabilities">Capabilities</h2><p>Once the anti-analysis checks are complete, the malware initiates connections with a command and control (C2) server. The malware also executes several commands to gather additional information about the compromised host. The commands include collecting network information using the <em>ipconfig.exe </em>binary and collecting user information through the <em>whoami.exe /all </em>command. Because these are launched as separate processes, process-creation telemetry (parent/child relationships and command lines) is a practical place to look for this discovery activity. </p><p>Apart from using native binaries to collect system information, researchers at <a href="https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot"><u>Zscaler</u></a> identified the following commands that the malware supports: </p><ul><li>cmd</li><li>destroy</li><li>shellcode</li><li>dll</li><li>Exe</li><li>knock_timeout</li><li>Information collection<ul><li>screenshot</li><li>whoami</li><li>ipconfig</li><li>processes</li></ul></li></ul><h1 id="conclusion">Conclusion</h1><p>Pikabot is a relatively recent loader that increased in popularity from August 2023 onwards. As of January 2024, only one sample tagged Pikabot had been shared on <a href="https://bazaar.abuse.ch/browse/tag/Pikabot/"><u>Malware Bazaar</u></a>, uploaded on January 3rd, 2024. The malware adopts several anti-analysis techniques which make it difficult to detect and analyse. Pikabot binaries resolve APIs using API hashing and runtime-decrypted strings, meaning the import table alone may not reveal the malware’s functionality during static analysis. The malware can also execute commands on the infected host and uses this to conduct system information discovery. 
</p><h2 id="recommendations">Recommendations</h2><ul><li><strong>Continued User Awareness Training</strong><ul><li>Both of Pikabot’s distribution mechanisms require user execution. Continued user awareness training may help mitigate the risk from spam and malvertising by teaching users how these threats work and what to look out for. </li></ul></li><li><strong>Monitor and block the execution of cmd or curl from scripting interpreters</strong><ul><li>This alerts on potentially malicious VBScript or JavaScript files that attempt to download additional payloads or launch recently downloaded executable content. </li><li>Some security products contain rules to block this type of activity. An example is the <a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#attack-surface-reduction-rules-by-type"><em><u>Block JavaScript or VBScript from launching downloaded executable content</u></em></a><em> </em>attack surface reduction rule in Microsoft Defender for Endpoint.</li></ul></li><li><strong>Monitor rundll32.exe and SearchProtocolHost.exe for unusual parents and arguments</strong><ul><li>The spam chains described above execute the Pikabot DLL through <em>rundll32.exe</em>, and the malvertising MSI hollows a <em>SearchProtocolHost.exe</em> process. Process-creation events where rundll32.exe loads a DLL from a user-writable location (for example a downloads or temporary directory), or where SearchProtocolHost.exe is started by an unexpected parent process, are worth alerting on.</li></ul></li></ul><figure class="kg-card kg-image-card"><img src="https://lh7-us.googleusercontent.com/zuHR-L0m1Fxb90dEAq8_rbDRkbuC3gy53REU29kqWlKf_X3zEJgI21cIRGgzzJbpy8ODuwZ7zeYt4Rax8cLHZV7aqBYZDU10CEqwkeStChdlM8tY7zYnuaIrs5uug4bnUuahlZs0MTAxTA38D3UWBYlHFWspprVYGAV9J3uwiA5E-c-DLTaeKshzTNig6Q" class="kg-image" alt="" loading="lazy" width="1600" height="493"></figure><h1 id="indicators-of-compromise">Indicators of Compromise</h1><p>The table below contains a list of Pikabot network IoCs identified and added to the Pulsedive platform. Network IoCs such as IP addresses age quickly and may belong to shared or reassigned hosting infrastructure, so validate that an indicator is still active before adding it to a blocklist. 
IoCs can be queried in Pulsedive using the Explore query <a href="https://pulsedive.com/explore/?q=threat%3DPikabot"><u>threat="Pikabot"</u></a> and is available for export in multiple formats (CSV, STIX 2.1, JSON).</p> <!--kg-card-begin: html--> <table style="border:none;border-collapse:collapse;"><colgroup><col width="603"></colgroup><tbody><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#ddeef7;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Pikabot IOCs</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">https://104.200.28.75:2222/</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">https://139.162.147.197:2225/</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">51.68.147.114</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">104.200.28.75</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">65.20.82.17</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">172.234.16.175</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">https://139.99.216.90:13720/nastier/YaEq5oFpdVHuvOuYK</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">http://65.108.216.128/l9yvUH/arcti</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">http://95.216.204.145/K2n/Churo</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">https://9jaflaverstore.com/uss/</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#ddeef7;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">And more, retrieve all indicators </span><a href="https://pulsedive.com/explore/?q=threat%3DPikabot" style="text-decoration:none;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#1155cc;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:underline;-webkit-text-decoration-skip:none;text-decoration-skip-ink:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">here</span></a><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;"> </span></p></td></tr></tbody></table> <!--kg-card-end: html--> <p>The table below shows some fingerprints for Pikabot C2 infrastructure. TLS fingerprints such as JARM and JA4+ characterize a server's TLS configuration rather than a specific host and can also match unrelated infrastructure, so a fingerprint match is best used as a pivot to corroborate against the indicators above rather than as a standalone block rule.</p> <!--kg-card-begin: html--> <table style="border:none;border-collapse:collapse;"><colgroup><col width="302"><col width="302"></colgroup><tbody><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#ddeef7;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Fingerprint Type</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff
2.25pt;vertical-align:top;background-color:#ddeef7;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Fingerprint Value</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">JARM</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">21d19d00021d21d21c21d19d21d21dd188f9fdeea4d1b361be3a6ec494b2d2</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 
5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">JA4+</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">1a59268f55e5_1a59268f55e5_795797892f9c</span></p></td></tr></tbody></table> <!--kg-card-end: html--> <h1 id="mitre-attck-ttps">MITRE ATT&CK TTPs</h1> <!--kg-card-begin: html--> <table style="border:none;border-collapse:collapse;"><colgroup><col width="221"><col width="383"></colgroup><tbody><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#ddeef7;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Technique</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 
2.25pt;vertical-align:top;background-color:#ddeef7;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Tactic</span></p></td></tr><tr style="height:21pt"><td rowspan="2" style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Collection</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Archive Collected Data (T1560)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Input Capture (T1056)</span></p></td></tr><tr style="height:21pt"><td rowspan="2" style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Encrypted Channel (T1573)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Non-Standard Port (T1571)</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Credential Access</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Input Capture (T1056)</span></p></td></tr><tr style="height:21pt"><td rowspan="11" style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Defense Evasion</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Hijack Execution Flow: DLL Side-Loading (T1574.002)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Impair Defenses: Disable or Modify Tools (T1562.001)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Indicator Removal: File Deletion (T1070.004)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Masquerading (T1036)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Modify Registry (T1112)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Native API (T1106)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Obfuscated Files or Information (T1027)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Process Hollowing (T1055.012)</span></p></td></tr><tr style="height:29.0478515625pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">System Binary Proxy Execution: Regsvr32 (T1218.010)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">System Binary Proxy Execution: Rundll32 (T1218.011)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Virtualization/Sandbox Evasion (T1497)</span></p></td></tr><tr style="height:21pt"><td rowspan="6" style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Discovery</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">File and Directory Discovery (T1083)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Process Discovery (T1057)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Software Discovery: Security Software Discovery (T1518)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">System Information Discovery (T1082)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">System Owner/User Discovery (T1033)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Virtualization/Sandbox Evasion (T1497)</span></p></td></tr><tr style="height:0pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Evasion</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Masquerading (T1036)</span></p></td></tr><tr style="height:21pt"><td rowspan="4" style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Execution</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Native API (T1106)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">System Binary Proxy Execution: Regsvr32 (T1218.010)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">System Binary Proxy Execution: Rundll32 (T1218.011)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Shared Modules (T1129)</span></p></td></tr><tr style="height:21pt"><td rowspan="2" style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Persistence</span></p></td><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Hijack Execution Flow: DLL Side-Loading (T1574.002)</span></p></td></tr><tr style="height:21pt"><td style="border-left:solid #ffffff 2.25pt;border-right:solid #ffffff 2.25pt;border-bottom:solid #ffffff 2.25pt;border-top:solid #ffffff 2.25pt;vertical-align:top;background-color:#f0f6f9;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size:11pt;font-family:Arial,sans-serif;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)</span></p></td></tr></tbody></table> <!--kg-card-end: html--> </section> </article> </main> <aside class="read-more-wrap outer"> <div class="read-more inner"> <article class="post-card post"> <a class="post-card-image-link" href="/rilide-an-information-stealing-browser-extension/"> <img class="post-card-image" srcset="/content/images/size/w300/2025/03/Pulsedive-Blog_Rilide.jpg 300w, /content/images/size/w600/2025/03/Pulsedive-Blog_Rilide.jpg 600w, /content/images/size/w1000/2025/03/Pulsedive-Blog_Rilide.jpg 1000w, /content/images/size/w2000/2025/03/Pulsedive-Blog_Rilide.jpg 2000w" sizes="(max-width: 1000px) 400px, 800px" src="/content/images/size/w600/2025/03/Pulsedive-Blog_Rilide.jpg" alt="Rilide - An Information Stealing Browser Extension" loading="lazy" /> </a> <div class="post-card-content"> <a class="post-card-content-link" href="/rilide-an-information-stealing-browser-extension/"> <header class="post-card-header"> <div class="post-card-tags"> </div> <h2 class="post-card-title"> Rilide - An Information 
<div class="pswp__top-bar"> <div class="pswp__counter"></div> <button class="pswp__button pswp__button--close" title="Close (Esc)"></button> <button class="pswp__button pswp__button--share" title="Share"></button> <button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button> <button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button> <div class="pswp__preloader"> <div class="pswp__preloader__icn"> <div class="pswp__preloader__cut"> <div class="pswp__preloader__donut"></div> </div> </div> </div> </div> <div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap"> <div class="pswp__share-tooltip"></div> </div> <button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)"></button> <button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)"></button> <div class="pswp__caption"> <div class="pswp__caption__center"></div> </div> </div> </div> </div> <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"> </script> <script src="https://blog.pulsedive.com/assets/built/casper.js?v=d258074b52"></script> <script> $(document).ready(function () { // Mobile Menu Trigger $('.gh-burger').click(function () { $('body').toggleClass('gh-head-open'); }); // FitVids - Makes video embeds responsive $(".gh-content").fitVids(); }); </script> </body> </html>