
Microsoft Seizes Control of Notorious Zloader Cybercrime Botnet

Microsoft has disrupted the operation of one of the most notorious cybercrime botnets and named a Crimean hacker as an alleged perpetrator behind the distribution of ransomware to the network of infected machines.

Redmond’s Digital Crimes Unit (DCU) said it seized control of 65 domains used to remotely control the Zloader botnet, effectively disabling the crimeware gang’s command-and-control mechanism.   

The company also identified Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula, as “one of the perpetrators” behind the creation of a component used in the ZLoader botnet to distribute ransomware.

The Zloader botnet has been a thorn in Microsoft’s side for many years, infecting Windows-powered computing devices in businesses, hospitals, schools, and homes around the world.  The gang behind the botnet runs a malware-as-a-service operation designed to steal and extort money.

Microsoft said it obtained a court order from the United States District Court for the Northern District of Georgia to take control of 65 domains that the ZLoader gang has been using to grow, control and communicate with its botnet. The domains are being redirected to a Microsoft sinkhole, meaning they can no longer be used by the botnet’s criminal operators.   

According to a note from Microsoft DCU general manager Amy Hogan-Burney, the company will also take control of an additional 319 domains produced by the domain generation algorithm (DGA) embedded in the malware, so that infected machines cannot simply compute a fresh set of rendezvous domains once the hard-coded ones are sinkholed.
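To show why a takedown has to cover the malware's computed domains as well as its hard-coded ones, here is an added example that is not part of the original article and does not reproduce ZLoader's real algorithm. It uses a toy date-seeded DGA (the seed, hashing, label length and TLD are assumptions), computes the set a sinkhole operator would need to register for a window of days, and matches a constructed DNS log against that set. The log format and IP addresses are invented for the example.

```python
"""Toy DGA and sinkhole-coverage check (illustrative, not ZLoader's DGA)."""
import hashlib
from datetime import date, timedelta

TLD = ".com"          # assumed TLD for the toy DGA
DOMAINS_PER_DAY = 4   # assumed; real families differ widely
DOMAIN_LEN = 16       # assumed label length


def dga(day: date, seed: str = "example-seed") -> list[str]:
    """Return the domains a bot would compute for one calendar day.

    Every domain is derived deterministically from (seed, day, index), so all
    bots agree on the same list for the same day without contacting a server.
    """
    out = []
    for i in range(DOMAINS_PER_DAY):
        raw = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in raw[:DOMAIN_LEN])
        out.append(label + TLD)
    return out


def domains_to_seize(hardcoded: list[str], start: date, days: int) -> set[str]:
    """Hard-coded C2 domains plus the DGA output for `days` days from `start`.

    A takedown that stops at the hard-coded list leaves every future DGA day
    uncovered, which is why the seizure window has to be extended over time.
    """
    seized = set(hardcoded)
    for offset in range(days):
        seized.update(dga(start + timedelta(days=offset)))
    return seized


def find_sinkhole_hits(dns_log: str, seized: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, qname) pairs for queries to any seized domain.

    Log format is constructed for this example: "<timestamp> <client_ip> <qname>".
    """
    hits = []
    for line in dns_log.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in seized:
            hits.append((client, qname))
    return hits


# Constructed placeholders; not real ZLoader infrastructure.
HARDCODED_C2 = ["c2-example-1.test", "c2-example-2.test"]
START = date(2022, 4, 13)

# Constructed DNS log: two DGA lookups inside the 7-day seizure window, one
# hard-coded C2 lookup, one benign lookup, and one DGA lookup on day 7,
# which falls just outside the window and is therefore missed.
SAMPLE_DNS_LOG = f"""
2022-04-13T09:00:01Z 10.0.0.5 www.example.com
2022-04-13T09:00:02Z 10.0.0.5 {dga(START)[0]}
2022-04-14T11:30:00Z 10.0.0.9 {dga(START + timedelta(days=1))[2]}
2022-04-14T11:31:00Z 10.0.0.9 c2-example-1.test
2022-04-20T08:00:00Z 10.0.0.7 {dga(START + timedelta(days=7))[0]}
"""


def demo() -> list[tuple[str, str]]:
    """Seize 7 days of domains from START and report which log lines hit them."""
    seized = domains_to_seize(HARDCODED_C2, START, days=7)
    return find_sinkhole_hits(SAMPLE_DNS_LOG, seized)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} resolved seized domain {qname}")
```

The day-7 lookup in the sample log is deliberately outside the seizure window: it is the case a sinkhole operator has to keep ahead of by registering DGA output on a rolling basis, and the case a defender should still catch with entropy or newly-seen-domain heuristics rather than a static blocklist.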

Hogan-Burney said Microsoft’s DCU led an investigation with help from anti-malware vendor ESET, Black Lotus Labs (the threat intelligence arm of Lumen), and Palo Alto Networks Unit 42.

She said the company decided to name Malikov as an alleged perpetrator “to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.” 

“Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities,” Hogan-Burney said, while acknowledging that the crimeware threat landscape is a cat-and-mouse game with no end.

“We expect the defendants to make efforts to revive Zloader’s operations. We referred this case to law enforcement, are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals,” she added. 

The notorious Zloader botnet was originally used for financial theft, stealing account login IDs and passwords, but over time malware hunters noticed the cybercrime gang using its access to infected machines to deliver data-extortion ransomware attacks. Microsoft said it linked Zloader to the Ryuk ransomware operation, which has hit health care institutions worldwide.

In a separate technical report, the Microsoft 365 Defender Threat Intelligence Team shared notes on the history of the botnet, which descends from the Zeus banking trojan first seen in 2007.

“[ZLoader’s] capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers,” the report said.

Microsoft said ZLoader infections have been observed in countries around the world, with the majority of attacks targeting the U.S., China, Western Europe, and Japan.

Related: Financially Motivated Hackers Use Leaked Conti Ransomware Techniques

Related: Zloader Banking Malware Exploits Microsoft Signature Verification

Related: Microsoft Says Mac Trojan Becoming Stealthier, More Menacing

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
