Kelihos Botnet Spreading Troldesh Ransomware

The Kelihos botnet has switched to dropping ransomware onto targeted computers, and is currently spreading the Troldesh malware family, security researchers warn.

Kelihos has been around for approximately eight years and managed to survive several takedown attempts, two of which took place in September 2011 and March 2012, respectively. Over time, the botnet has been used for various nefarious purposes, including pump and dump stock spam campaigns and the distribution of MarsJoke and Wildfire ransomware.

In August this year, as its operators began using it alongside other botnets to spread prevalent threats such as ransomware and banking Trojans, Kelihos tripled in size overnight. The next month, it was seen spreading Panda Zeus, Nymaim and Kronos, but has recently reverted to ransomware.

Kelihos was seen spreading the Troldesh encryption ransomware via spam emails containing URLs that link to a JavaScript file and a Microsoft Word document. According to Arsh Arora, malware analyst and Ph.D. researcher at The University of Alabama at Birmingham, this is the first time the botnet has used JavaScript files to infect users.

The malware encrypts users’ files and adds the .no_more_ransom extension to them, which appears meant to add an ironic twist to the infection by pointing at the NoMoreRansom initiative, created to fight ransomware and help victims all around the world.

The Troldesh distribution campaign was targeting email addresses ending with “.au” specifically, meaning that only Australian users might have received the ransomware. Simultaneously, the botnet was delivering dating spam to “.pl” email addresses, was spamming “.us” users to recruit them as money mules, and was pushing pharmaceutical spam to all other geographies.

The spam messages linking to the Troldesh ransomware featured a credit debt theme and were impersonating Bank of America. Intended victims were informed of an outstanding debt and were encouraged to open an attachment supposedly meant to offer exact details on their situation. Instead, the Troldesh malware was downloaded onto the compromised machine.

After encrypting users’ files, the ransomware would drop a ransom note (in both Russian and English) on the desktop. Users were instructed to contact the ransomware authors via a Gmail address to receive the necessary instructions to decrypt their files. It also instructed them to download Tor and access .onion addresses via their browsers.
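The host-level traits described above (the .no_more_ransom extension on encrypted files, and a bilingual desktop note pointing victims to a Gmail contact and Tor .onion addresses) are enough for a simple incident-response triage check. The script below is an added example, not code from the article or from the researchers cited; the note filename, the directory layout and every sample value it builds are assumptions, and the verdict thresholds are illustrative.

```python
import os
import re
import tempfile

# Indicators from the write-up: .no_more_ransom on encrypted files and a desktop
# note naming a Gmail contact and .onion addresses. Note filename, layout and
# all sample values below are assumptions made for this example.
ENCRYPTED_EXT = ".no_more_ransom"
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
GMAIL_RE = re.compile(r"\b[\w.+-]+@gmail\.com\b", re.I)
MIN_ENCRYPTED = 3  # a single stray rename should not raise the verdict

def note_indicators(text):
    """Which ransom-note traits described in the article does this text show?"""
    return {"onion": bool(ONION_RE.search(text)),
            "gmail": bool(GMAIL_RE.search(text)),
            "cyrillic": any("\u0400" <= ch <= "\u04ff" for ch in text)}

def triage(root, desktop):
    """Walk `root` for encrypted files and `desktop` for a ransom note."""
    encrypted = [os.path.join(d, f) for d, _, fs in os.walk(root)
                 for f in fs if f.lower().endswith(ENCRYPTED_EXT)]
    notes = []
    for name in os.listdir(desktop):
        path = os.path.join(desktop, name)
        if not os.path.isfile(path) or os.path.getsize(path) > 65536:
            continue  # notes are small text files; skip anything else
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = note_indicators(fh.read())
        if hits["onion"] or hits["gmail"]:
            notes.append((path, hits))
    if len(encrypted) >= MIN_ENCRYPTED and notes:
        verdict = "troldesh_suspected"
    else:
        verdict = "review" if (encrypted or notes) else "clean"
    return {"verdict": verdict, "encrypted": sorted(encrypted), "notes": notes}

def demo():
    """Build a constructed victim profile in temp dirs and triage it."""
    docs, desk = tempfile.mkdtemp(), tempfile.mkdtemp()
    for i in range(4):  # constructed encrypted-looking files (empty)
        open(os.path.join(docs, f"report{i}.docx{ENCRYPTED_EXT}"), "w").close()
    note = ("Ваши файлы были зашифрованы. Your files have been encrypted.\n"
            "Contact decrypt-help@gmail.com or use Tor: abcdefghijklmnop.onion\n")
    with open(os.path.join(desk, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write(note)  # constructed placeholder note, not a real indicator
    return triage(docs, desk)
```

Point `triage()` at a user profile's document root and desktop to get a verdict plus the file list an analyst needs for scoping; `demo()` only exists to exercise it on constructed data.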

On top of that, Troldesh was seen downloading additional malware onto the infected systems, as well as contacting its command and control center at a specific address. The ransomware was downloading the Pony info-stealer onto the victims’ computers, to gather and exfiltrate sensitive information from the machine.

“To conclude, Kelihos has been surprising the researchers quite often and it has become necessary to keep track of different activities of the botnet. The ransomware inclusion brings interesting twists from the research as well as law enforcement,” the security researcher noted.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.