Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Ponmocup Botnet Still Actively Used for Financial Gain

Fox-IT, the security firm recently acquired by NCC Group for $142 million, has published a report on Ponmocup, a sophisticated botnet that has been used over the past years by cybercriminals for financial gain.

Fox-IT, the security firm recently acquired by NCC Group for $142 million, has published a report on Ponmocup, a sophisticated botnet that has been used over the past years by cybercriminals for financial gain.

The malware powering the botnet has been around since 2006 and it’s known under various names, including Ponmocup, Vundo, Virtumonde, Milicenso and Swisyn. The malware has been used for ad fraud, data theft and downloading additional threats to infected systems.

Fox-IT believes the threat has infected more than 15 million unique devices since 2009 and experts estimate that the number of active infections is currently at 500,000. In May 2011, reported sinkholing Ponmocup and observing 1.2 million unique infections within 24 hours. The number of infections peaked the next month at 2.4 million.

Ponmocup is currently one of the largest and longest-running botnets, but it hasn’t been in the news lately because its operators do their best to keep it under the radar. The malware made a lot of headlines in 2012 when it caused printers connected to infected machines to print garbled data.

The Ponmocup malware framework consists of different components used to deliver, install, execute and control the malware. Each of these components is designed to prevent researchers from reverse engineering it and analyzing its functionalities.

The threat uses encryption and stores its components in different locations in an effort to evade detection by traditional security products. It also relies on different domains for installation, which prevents security teams from using the domains as indicators of compromise (IoC). Ponmocup can also steal FTP and Facebook credentials, which might be used by the attackers to further spread the malware and increase the size of the botnet.

Cybercriminals have also invested a lot of time and effort into setting up the infrastructure used to control the Ponmocup botnet. Different servers are used for each of the components and communications between the malware and the backend servers go through several proxy layers, which makes it difficult to disrupt the entire botnet.

“Based on the size of the command and control infrastructure, it is thought that the infrastructure is maintained, monitored and protected by a well-organized group of operators. This is amongst others based on the domains in use, number of proxies in use, estimated number of back-end systems, used delivery methods and limited affiliate schemes,” Fox-IT said in its report. “It was also observed that in certain cases, the operators reacted quickly to events which could impact the botnet’s infrastructure, suggesting that the operators closely monitor their back-end infrastructure.”

Advertisement. Scroll to continue reading.

The security firm believes Ponmocup operators are most likely Russian, or at least Russian speakers. This is based on the fact that the malware was initially designed to avoid infecting devices in Russia, Ukraine and Belarus, and the instructions sent by the operators to partners and affiliates are written in Russian.

Experts say it’s difficult to determine how much money cybercriminals made with the Ponmocup botnet, but they estimate that it’s a multi-million dollar business considering the level of sophistication of the malware and infrastructure.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...