Numerous phishing attacks have been launched by the Water Curupira operation to deploy the PikaBot loader malware as part of campaigns that initially ran from early to mid-2023 before reemerging in September, The Hacker News reports.
Intrusions have ramped up during the third quarter likely due to the dismantling of the QakBot trojan in August, according to a report from Trend Micro. Water Curupira leveraged email thread hijacking to commence its attacks that sought to lure targets into opening attachments and links, which include IMG and JavaScript files that trigger PikaBot. Aside from using PikaBot to exfiltrate system information, attackers have also deployed Cobalt Strike for Black Basta ransomware distribution.
"PikaBot's operators ran phishing campaigns, targeting victims via its two components a loader and a core module which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server," said Trend Micro, which also noted Water Curupira's brief involvement in DarkGate and IcedID malware campaigns before exclusively using PikaBot.
