Glupteba Botnet Still Active Despite Google’s Disruption Efforts

An analysis conducted by OT and IoT cybersecurity firm Nozomi Networks shows that the Glupteba botnet is still active following Google’s efforts to disrupt the cybercrime operation.

The Glupteba botnet is powered by a large number of compromised Windows devices. The malware can steal user credentials and other data, mine cryptocurrencies, and turn devices into proxies. It leverages cryptocurrency blockchains to protect its command and control (C&C) structure.

Google announced in December 2021 that it had taken action against the Glupteba botnet and its alleged operators, Russian nationals Dmitry Starovikov and Alexander Filippov. The internet giant had filed a lawsuit against the two men and worked with industry partners to take down C&C infrastructure.

However, a blockchain analysis conducted by Nozomi reveals that the threat is still active, with the latest campaign, which is ongoing, starting in June 2022.

Nozomi’s investigation focused on Glupteba’s use of the Bitcoin blockchain for hidden C&C domains. Specifically, the blockchain can be used to store arbitrary data through an opcode that fits up to 80 bytes of data with the signature script.

Using this method makes the botnet more resilient to takedown because blockchain transactions cannot be erased by law enforcement or defenders.
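For defenders reviewing transactions from the published addresses, the following added example (not code from Nozomi, Google, or the article) pulls data payloads out of transaction scripts. It assumes the opcode in question is OP_RETURN placed in a transaction output script, which the article does not name; the sample scripts are constructed, not real blockchain data.

```python
from typing import Iterator, List, Optional, Tuple

OP_RETURN = 0x6A          # marks a data-carrier output (assumed opcode)
OP_PUSHDATA1 = 0x4C       # push whose length is given in the next byte
MAX_CARRIER_BYTES = 80    # payload limit cited in the article


def extract_op_return(script_hex: str) -> Optional[bytes]:
    """Return the data pushed after OP_RETURN, or None when the script is
    not a single-push data-carrier output or is malformed."""
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return None
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    opcode = script[1]
    if 1 <= opcode <= 75:            # direct push: the opcode is the length
        length, start = opcode, 2
    elif opcode == OP_PUSHDATA1:     # length stored in the following byte
        if len(script) < 3:
            return None
        length, start = script[2], 3
    else:
        return None
    payload = script[start:start + length]
    # Reject truncated pushes, trailing bytes and oversized payloads.
    if len(payload) != length or start + length != len(script):
        return None
    if length > MAX_CARRIER_BYTES:
        return None
    return payload


def carrier_payloads(outputs: List[str]) -> Iterator[Tuple[int, bytes]]:
    """Yield (output_index, payload) for every data-carrier output in a
    transaction given as a list of output-script hex strings."""
    for index, script_hex in enumerate(outputs):
        payload = extract_op_return(script_hex)
        if payload is not None:
            yield index, payload


# Constructed sample outputs (not real blockchain data).
SAMPLE_OUTPUTS = [
    "76a914" + "11" * 20 + "88ac",          # ordinary pay-to-pubkey-hash
    "6a" + "10" + bytes(range(16)).hex(),   # OP_RETURN with 16-byte push
    "6a" + "4c50" + "ab" * 80,              # OP_RETURN, PUSHDATA1, 80 bytes
    "6a" + "20" + "cd" * 8,                 # truncated push, rejected
]
```

The extracted bytes may be encrypted, as the Nozomi quote below notes, so this step only isolates the payload for further analysis.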

“The way the Bitcoin blockchain is built on top of modern cryptography also makes this mechanism secure; without the Bitcoin address private key, one cannot send a transaction with such a data payload originating from the malicious address, hence, taking over the botnet is not possible. Additionally, threat actors can encrypt their payload from peering eyes, making the data storage scheme robust and cost effective,” Nozomi explained.

According to the security firm, Glupteba has been using the technique, which has also been used by the Cerber ransomware, since at least 2019.

An analysis of more than 1,500 malware samples and a scan of the entire Bitcoin blockchain showed that the first campaign, which started in June 2019, used a single Bitcoin address to distribute malicious domains.

In the second campaign, which started in April 2020, two Bitcoin addresses were used for C&C domain distribution. The third campaign started in November 2021 and it was the shortest, stopping after roughly two months, likely due to the actions taken by Google.

Nozomi has determined that it took the cybercriminals six months to build a new campaign. This latest operation, which began in June 2022, is much larger, with more than a dozen Bitcoin addresses being used, likely in an effort to hinder the efforts of the cybersecurity community. The black hat hackers also increased the use of Tor hidden services for C&C servers.

Google announced last month that it won the lawsuit against Glupteba operators, with the court ordering the defendants and their US-based attorney to pay legal fees. The operators attempted to mislead the court by claiming they were willing to cooperate when in fact their plan was to abuse the court system and discovery rules to obtain information that would help them bypass Google’s efforts to shut down the botnet.

Starovikov and Filippov at one point offered to provide information about the Bitcoin addresses associated with the botnet in return for Google giving each of them $1 million and not reporting them to law enforcement. The offer was seen as an extortion attempt by Google, which notified law enforcement.

Google confirmed in a recent blog post that Glupteba operators have “resumed activity on some non-Google platforms and IoT devices”, but believes that the successful legal case against them “makes it less appealing for other criminal operations to work with them”. In addition, Google said that while the cybercrime campaign is ongoing, the company’s disruption effort still had a significant impact, with a 78% reduction being observed in the number of infected hosts.

Nozomi has published a blog post containing Bitcoin addresses used in the Glupteba operation, as well as other indicators of compromise (IoCs) that can be useful to defenders.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
