Security Experts:

Connect with us

Hi, what are you looking for?



Glupteba Botnet Still Active Despite Google’s Disruption Efforts

An analysis conducted by OT and IoT cybersecurity firm Nozomi Networks shows that the Glupteba botnet is still active following Google’s efforts to disrupt the cybercrime operation.

An analysis conducted by OT and IoT cybersecurity firm Nozomi Networks shows that the Glupteba botnet is still active following Google’s efforts to disrupt the cybercrime operation.

The Glupteba botnet is powered by a large number of compromised Windows devices. The malware can steal user credentials and other data, mine cryptocurrencies, and turn devices into proxies. It leverages cryptocurrency blockchains to protect its command and control (C&C) structure.

Google announced in December 2021 that it had taken action against the Glupteba botnet and its alleged operators, Russian nationals Dmitry Starovikov and Alexander Filippov. The internet giant had filed a lawsuit against the two men and worked with industry partners to take down C&C infrastructure.

However, a blockchain analysis conducted by Nozomi reveals that the threat is still active, with the latest campaign, which is ongoing, starting in June 2022.

Nozomi’s investigation focused on Glupteba’s use of the Bitcoin blockchain for hidden C&C domains. Specifically, the blockchain can be used to store arbitrary data through an opcode that fits up to 80 bytes of data with the signature script.

Using this method makes the botnet more resilient to takedown because blockchain transactions cannot be erased by law enforcement or defenders.

“The way the Bitcoin blockchain is built on top of modern cryptography also makes this mechanism secure; without the Bitcoin address private key, one cannot send a transaction with such a data payload originating from the malicious address, hence, taking over the botnet is not possible. Additionally, threat actors can encrypt their payload from peering eyes, making the data storage scheme robust and cost effective,” Nozomi explained

According to the security firm, Glupteba has been using the technique, which has also been used by the Cerber ransomware, since at least 2019.

An analysis of more than 1,500 malware samples and a scan of the entire Bitcoin blockchain showed that the first campaign, which started in June 2019, used a single Bitcoin address to distribute malicious domains.

In the second campaign, which started in April 2020, two Bitcoin addresses were used for C&C domain distribution. The third campaign started in November 2021 and it was the shortest, stopping after roughly two months, likely due to the actions taken by Google.

Nozomi has determined that it took the cybercriminals six months to build a new campaign. This latest operation, which began in June 2022, is much larger, with more than a dozen Bitcoin addresses being used, likely in an effort to hinder the efforts of the cybersecurity community. The black hat hackers also increased the use of Tor hidden services for C&C servers.

Google announced last month that it won the lawsuit against Glupteba operators, with the court ordering the defendants and their US-based attorney to pay legal fees. The operators attempted to mislead the court by claiming they were willing to cooperate when in fact their plan was to abuse the court system and discovery rules to obtain information that would help them bypass Google’s efforts to shut down the botnet.

Starovikov and Filippov at one point offered to provide information about the Bitcoin addresses associated with the botnet in return for Google giving each of them $1 million and not reporting them to law enforcement. The offer was seen as an extortion attempt by Google, which notified law enforcement.

Google confirmed in a recent blog post that Glupteba operators have “resumed activity on some non-Google platforms and IoT devices”, but believes that the successful legal case against them “makes it less appealing for other criminal operations to work with them”. In addition, Google said that while the cybercrime campaign is ongoing, the company’s disruption effort still had a significant impact, with a 78% reduction being observed in the number of infected hosts.

Nozomi has published a blog post containing Bitcoin addresses used in the Glupteba operation, as well as other indicators of compromise (IoCs) that can be useful to defenders.

Related: Hamas Cyberspies Return With New Malware After Exposure of Operations

Related: FIN7 Cybercrime Operation Continues to Evolve Despite Arrests

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...