Pykspa

Category: worm · Aliases: None known · Sample count (EMBER 2018): 169 · Enrichment: curated_sourced · Updated: 2026-06-11

Overview

Pykspa is a worm that spreads through Skype by sending messages containing download links to other Skype users. When a recipient downloads and runs the file, Pykspa infects the system, extracts personal information, and communicates with its command-and-control (C2) servers. To make its C2 infrastructure resilient, Pykspa uses a domain generation algorithm (DGA) to produce the domain names it contacts. It is documented by Fraunhofer FKIE's Malpedia, with analysis referenced from Akamai.

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_PYKSPA {
    meta:
        description = "Detects Pykspa (worm)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "pykspa" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Pykspa Activity
id: 8999f0cfe8977b7b21f5c29c1b656209
status: experimental
description: Detects generic indicators of the pykspa malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*pykspa*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Pykspa?

Pykspa is a worm that spreads through Skype. It sends messages with download links to other Skype users, and infects systems when those files are downloaded and run.

How does Pykspa spread?

Pykspa propagates by sending Skype messages containing download links to a victim's contacts. Recipients who download and execute the linked file become infected, allowing the worm to spread further.

What does Pykspa do once it infects a system?

After infection, Pykspa extracts personal information and communicates with command-and-control servers. It uses a domain generation algorithm (DGA) to generate the domains it contacts, which helps its infrastructure resist takedown.

What sources document Pykspa?

Pykspa is profiled in Fraunhofer FKIE's Malpedia, with its Skype-based spreading and DGA behaviour described in analysis referenced from Akamai.

Related Families (Category: worm)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/pykspa.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.