Brad
<p>2023-05-22 (Mon) &amp; 2023-05-23 (Tue): TA577 pushes <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Pikabot</span></a></p>
<p>2023-05-24 (Wed): TA577 back to pushing <a href="https://infosec.exchange/tags/Qabkot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Qabkot</span></a> (<a href="https://infosec.exchange/tags/Qbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Qbot</span></a>)</p>
<p>Pikabot:</p>
<p>- <a href="https://malware-traffic-analysis.net/2023/05/22/index.html" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">023/05/22/index.html</span></a></p>
<p>- <a href="https://malware-traffic-analysis.net/2023/05/23/index.html" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">023/05/23/index.html</span></a></p>
<p>Qakbot (TA570 obama264):</p>
<p>- <a href="https://malware-traffic-analysis.net/2023/05/24/index.html" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">023/05/24/index.html</span></a></p>
<p>I was lucky enough to get <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> with the two Pikabot infections, so I wrote tweets for my employer on the bird site.</p>
<p>See the above links for <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> files, malware samples, IOCs, and links to my employer's tweets for the Pikabot activity.</p>