INCREASING PYKSPA MALWARE INFILTRATIONS TARGETING CRITICAL SYSTEMS

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS
Advisory ID:
ngCERT-2025-110007
Version:
nil
CVE:
nil
Published:
November 18, 2025

Summary


ngCERT is issuing an urgent security alert on increasing Pykspa malware infiltrations targeting critical systems. Pykspa, also identified as Tigger RAT or HeyHey, is a Remote Access Trojan (RAT) and worm malware family used by threat actors to harvest credentials, deploy additional payloads, and conduct surveillance on infected systems. Evolving through multiple versions, including an updated v2 Domain Generation Algorithm (DGA) in late 2023, Pykspa maintains a global footprint with at least 10,000 infected hosts daily as of early 2024. Its resilience stems from DGA-based command-and-control (C2) evasion and self-propagation tactics, posing ongoing risks to individuals, enterprises, and critical infrastructure reliant on communication tools. Accordingly, users and systems administrators are advised to take proactive steps to guard against Pykspa malware threats.

Description & Consequence


Pykspa is a type of Remote Access Trojan (RAT) that enables cyber criminals to take full control of infected systems. Once deployed, it can perform various malicious actions, which include downloading additional malware, extracting sensitive information and monitoring user activity. Pykspa is a worm that targets instant messaging platforms, specifically Skype, to propagate itself, but it can also be spread through other methods. Threat actors deliver messages containing malicious and enticing images and links, mostly through Skype messenger, to lure victims and their contacts into viewing, visiting and possibly downloading malicious content. Once clicked, it downloads additional malware, installs a backdoor for remote access or exfiltrates sensitive information, and communicates with its C2 servers using a DGA. This malware has been developed over several iterations, with newer variants possessing sophisticated capabilities to circumvent or disable security measures such as antivirus software, making the malware particularly dangerous. The Pykspa DGA has two known versions, called v1 and v2. The most recent version, v2, generates domain names consisting of 6 to 12 characters that end with top-level domains (TLDs) such as “.net”, “.com”, “.org” or “.info”.

IOCs

1. File-Based IOCs

a)  Hashes (SHA-256 examples from variants):

      f4b3b8e5a9c7d2e1f0a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6 (Pykspa.A dropper)

      a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456 (Pykspa.F payload)

b)  Filenames: svchost.exe (masqueraded), system32.dll, update.exe (in %Temp% or %AppData%)

c)  Paths: %SystemRoot%\System32\svchost.exe, C:\Users\[User]\AppData\Roaming\update.exe

2. Registry-Based IOCs

a)  Persistence Keys:

      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = C:\Windows\System32\svchost.exe

      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = %AppData%\update.exe

3. Network-Based IOCs

a)  C2 Domains (DNS tunneling; high-volume queries indicate infection):

      pykspa.com

      tiggerbot.net

      heyheyrat.org

      Subdomains like *.akamai-dns-pykspa.example (dynamic)

b)  IP Addresses (associated C2 servers):

      45.76.123.45 (U.S.-based resolver)

      198.51.100.200 (EU-hosted variant)

c)  Protocols/Ports: DNS (UDP/53), HTTP (TCP/80/8080) for exfiltration

4. Behavioural IOCs

      Processes: Suspicious svchost.exe with high CPU/DNS activity; child processes spawning cmd.exe or powershell.exe.

      Mutexes: PykspaMutex2025 (prevents multiple infections).

      YARA Rule Snippet (for EDR tools):

Successful infection by the malware could lead to:

  1. System compromise.
  2. Theft of sensitive data (identity theft).
  3. Reputation Damage.
  4. Possible ransomware deployment.
  5. Financial loss.

Solution


ngCERT recommends that organizations and users implement proactive, layered defences focusing on detection, prevention and response:

  1. Apply Latest Patches and Updates.
  2. Continuous User Education and Phishing Awareness.
  3. Deploy EDR tools with DGA detection, enable application whitelisting, restrict network shares/mapped drives, and use sandboxing for executables.
  4. Implement DNS sinkholing and behavioral analytics to flag anomalous IP geolocation queries or .bat autoruns; integrate threat intel feeds for Pykspa IOCs like known DGA seeds.
  5. Deploy tools like Microsoft Defender or GridinSoft for scans/removal; isolate infected systems, reset credentials, and report to ngCERT for C2 disruption.
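The DNS-side detection that items 3 and 4 call for can be prototyped against resolver logs using only what this advisory states: the three listed C2 domains, the v2 DGA shape (6 to 12 character label, .net/.com/.org/.info TLD) and the observation that high-volume lookups indicate infection. The following is an added example written for this advisory, not ngCERT's or any vendor's code; the log line format, client IPs, sample domain names and the NXDOMAIN threshold are constructed assumptions.

```python
from collections import defaultdict

# Network IOCs listed in the advisory.
KNOWN_C2 = {"pykspa.com", "tiggerbot.net", "heyheyrat.org"}
# Shape of a Pykspa v2 DGA name: 6-12 character label plus one of these TLDs.
DGA_TLDS = {"net", "com", "org", "info"}
DGA_MIN_LEN, DGA_MAX_LEN = 6, 12
# Assumed threshold. The shape alone matches countless legitimate domains, so a
# lookup only counts when it returned NXDOMAIN (an unregistered DGA candidate).
NXDOMAIN_THRESHOLD = 5


def looks_like_pykspa_v2(domain):
    """True when the name has the v2 DGA shape described in the advisory."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    return tld in DGA_TLDS and DGA_MIN_LEN <= len(label) <= DGA_MAX_LEN


def triage_dns_log(lines):
    """Map client IP -> record. Assumed line format: '<ts> <client_ip> <qname> <rcode>'."""
    hosts = defaultdict(lambda: {"known_c2": set(), "dga_nxdomain": set()})
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guess at them
        _ts, client, qname, rcode = fields
        rec = hosts[client]  # every client seen gets a record, flagged or not
        qname = qname.lower().rstrip(".")
        if qname in KNOWN_C2:
            rec["known_c2"].add(qname)
        elif rcode == "NXDOMAIN" and looks_like_pykspa_v2(qname):
            rec["dga_nxdomain"].add(qname)
    for rec in hosts.values():
        rec["flagged"] = bool(rec["known_c2"]) or len(rec["dga_nxdomain"]) >= NXDOMAIN_THRESHOLD
    return dict(hosts)


# Constructed sample log: a host burst-querying unregistered DGA-shaped names,
# a host resolving a listed C2 domain, and a host with ordinary traffic.
SAMPLE_LOG = [
    "2025-11-18T09:00:01Z 10.0.0.5 qzkwplvx.net NXDOMAIN",
    "2025-11-18T09:00:02Z 10.0.0.5 hrtbnmkq.com NXDOMAIN",
    "2025-11-18T09:00:02Z 10.0.0.5 lpwxzvkf.org NXDOMAIN",
    "2025-11-18T09:00:03Z 10.0.0.5 tgxmvbqrns.info NXDOMAIN",
    "2025-11-18T09:00:03Z 10.0.0.5 wkpznbq.net NXDOMAIN",
    "2025-11-18T09:00:05Z 10.0.0.7 tiggerbot.net NOERROR",
    "2025-11-18T09:00:06Z 10.0.0.9 update.microsoft.com NOERROR",
]
```

Flagged hosts are candidates for the isolation, credential reset and reporting steps in item 5; a sinkholed resolver would return its own address rather than NXDOMAIN, so the threshold rule would then key on the sinkhole answer instead.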
