
Microsoft Seizes Control of Notorious Zloader Cybercrime Botnet

Microsoft has disrupted the operation of one of the most notorious cybercrime botnets and named a Crimean hacker as an alleged perpetrator behind the distribution of ransomware to the network of infected machines.

Redmond’s Digital Crimes Unit (DCU) said it seized control of 65 domains used to remotely control the Zloader botnet, effectively disabling the crimeware gang’s command-and-control mechanism.

The company also identified Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula, as “one of the perpetrators” behind the creation of a component used in the ZLoader botnet to distribute ransomware.

The Zloader botnet has been a thorn in Microsoft’s side for many years, infecting Windows-powered computing devices in businesses, hospitals, schools, and homes around the world. The gang behind the botnet runs a malware-as-a-service operation designed to steal and extort money.


Microsoft said it obtained a court order from the United States District Court for the Northern District of Georgia to take control of 65 domains that the ZLoader gang has been using to grow, control and communicate with its botnet. The domains are being redirected to a Microsoft sinkhole, meaning they can no longer be used by the botnet’s criminal operators.

According to a note from Microsoft DCU general manager Amy Hogan-Burney, the company will also seize an additional 319 domains that are automatically generated and embedded within the malware.

Hogan-Burney said Microsoft’s DCU led an investigation with help from anti-malware vendor ESET, Black Lotus Labs (the threat intelligence arm of Lumen), and Palo Alto Networks Unit 42.

She said the company decided to name Malikov as an alleged perpetrator “to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”

“Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities,” Hogan-Burney said, while acknowledging that the crimeware threat landscape is a cat-and-mouse game with no end.

“We expect the defendants to make efforts to revive Zloader’s operations. We referred this case to law enforcement, are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals,” she added.

The notorious Zloader botnet was originally used for financial theft, stealing account login IDs and passwords, but over time malware hunters noticed the cybercrime gang using its access to infected machines to deliver data-extortion ransomware attacks. Microsoft said it linked Zloader to the Ryuk ransomware operation hitting health care institutions worldwide.

In a separate technical report, the Microsoft 365 Defender Threat Intelligence Team shared notes on the history of the botnet, which first surfaced in 2007 in connection with the Zeus banking trojan.

“[ZLoader’s] capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers,” the report said.

Microsoft said ZLoader attacks have affected nations around the world, with the majority targeting the U.S., China, Western Europe, and Japan.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
