A year after Google successfully took down the Glupteba malware botnet, it has returned, perhaps more tenacious than ever.

Nozomi’s cybersecurity analysts claim that evidence including TLS certificate registrations, blockchain transactions, and reverse-engineered Glupteba samples points to a fresh, widespread campaign that appears to have begun in the spring of last year and is still active today.

Glupteba is a blockchain-enabled modular virus whose main purpose is to steal user passwords and cookies while also mining money on infected endpoints. To add insult to injury, it may deploy proxies, which the threat actors then resell as “residential proxies” to anybody who can afford to pay.

Coin Mining

To avoid detection, malware frequently adopts a legitimate-looking name and obtains a current C2 server list from the Bitcoin blockchain. It’s not easy to shut down the botnet, as it’s not hard to put up a C2 server and the Bitcoin blockchain is unchangeable.

Despite this, the Bitcoin blockchain is public and uses pseudonyms for all transactions, thus it is possible to learn the identities of those involved.

There are now 15 Bitcoin addresses in use by Glupteba’s administration, the most recent of which was activated in June 2022. Since of this, the new version is more robust than the old one because it can reach more people. As was also said, the campaign is ongoing. Additionally, the number of TOR hidden services being used as C2 servers has increased tenfold. In all, 11 different transactions were made from the most popular address, which contacted 1,197 different malware samples.

By December of 2021, Google has successfully shut down the Glupteba malware network. The business was able to secure a warrant for the seizure of the botnet’s physical components. Complaints were also lodged against two Russian operators.