Water Curupira, an active threat actor, was identified distributing the PikaBot loader malware through spam campaigns in 2023. As reported by Trend Micro, the malware consists of two components, a loader and a core module; once the core module establishes a connection with its command-and-control (C&C) server, the operators gain unauthorized remote access to the host and can execute arbitrary commands on it. The activity was first seen in the first quarter of 2023 and resurfaced in September, overlapping with earlier campaigns attributed to the cybercrime groups TA571 and TA577, both known for deploying QakBot. The rise in PikaBot-related phishing campaigns is attributed to the takedown of QakBot in August 2023: with that loader gone, PikaBot, alongside DarkGate, emerged to fill the vacancy as a successor.
Further analysis shows that PikaBot collects system details from the infected host and transmits them to its C&C server in JSON format. Water Curupira's campaigns initially consisted of DarkGate spam runs and a few IcedID campaigns in the early weeks of the third quarter of 2023, but have since pivoted exclusively to PikaBot. The ultimate goal of these campaigns is to drop Cobalt Strike, which is then used to deploy Black Basta ransomware. For defenders, the practical consequence is that a PikaBot detection should be treated as a precursor to ransomware rather than as an isolated loader infection. The shift from QakBot to DarkGate and then to PikaBot also illustrates how quickly threat actors swap tooling in response to takedowns and other disruptions.