December 20, 2022

Despite Google’s announcement in 2021 that it had taken down the infrastructure used by the Glupteba botnet and sued Russian nationals Dmitry Starovikov and Alexander Filippov for creating and operating the botnet, the Glupteba botnet remains active.

A large number of compromised Windows devices power the Glupteba botnet. The malware is capable of stealing user credentials and other information, mining cryptocurrencies, and converting devices into proxies. It secures its command and control (C&C) structure using cryptocurrency blockchains.

The malware, which is spread via fraudulent ads or software cracks, can also retrieve additional payloads that allow it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in MikroTik and Netgear IoT devices.

It’s also an example of an unusual malware that has been using blockchain as a mechanism for command-and-control (C2) since at least 2019, making its infrastructure resistant to takedown attempts as a traditional server would.

The most recent campaign, which began in June 2022, is larger than previous ones because it employs over a dozen Bitcoin addresses and involves the use of Tor services for C&C operations.

The sources for this piece include an article in TheHackerNews.