{
	"id": "9e2a7a3a-afe3-4f92-8551-97701fd2d2e2",
	"created_at": "2026-04-06T01:31:47.43822Z",
	"updated_at": "2026-04-10T03:35:59.523777Z",
	"deleted_at": null,
	"sha1_hash": "0ca13276e7904aaf486406523bbf36b53ad3ca11",
	"title": "Has The Sun Set On The Necurs Botnet?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7291352,
	"plain_text": "Has The Sun Set On The Necurs Botnet?\r\nArchived: 2026-04-06 01:08:14 UTC\r\nOn March 10th 2020, while many people around the world were increasingly focused on the spreading COVID-19\r\npandemic, Microsoft’s Digital Crime Unit (DCU) announced a disruption action against a long-lived and very damaging\r\nvirtual threat – the Necurs botnet. Microsoft DCU described Necurs as “the world’s largest online criminal network”\r\nresponsible for “infecting over 9 million users globally since 2012”. The Necurs botnet has historically been used to deliver\r\na torrent of other high profile cyber threats to the world, including the GameOver Zeus and Dridex banking trojans, Locky\r\nransomware and, more recently, the banking trojan turned all purpose cybercrime-as-a-service, Trickbot. It has also been\r\nused to promote pump-and-dump stock scams, fake pharmaceutical spam emails and “Russian dating” scams.\r\nShadowserver has previously collaborated with Microsoft DCU on successful botnet takedowns, such as the Waledec\r\nspambot and the Andromeda malware dropper (part of Avalanche). It has also assisted with the take down of other historic\r\nspambots by collaborating with private partners (Grum) and with Law Enforcement, such as against various versions of\r\nKelihos with the FBI, DoJ and other private sector partners. 
Microsoft DCU and Bitsight had conducted a multi-year\r\ninvestigation into Necurs, and Shadowserver was asked to support their disruption efforts once an action plan had been\r\nagreed.\r\nWe would usually provide in-depth details here about the technical functionality of the Necurs malware, reverse engineering\r\ninformation, the use of multiple layers of Domain Generation Algorithms (DGAs) – including .bit for blockchain based\r\nname to IP address resolution, the tiered command and control (C2) infrastructure, the structure of the multiple sub-botnets\r\nor the disruption strategies employed, but we recommend you read Bitsight’s already published series of excellent Necurs\r\narticles. We will instead focus on some other interesting aspects of the Necurs disruption operation.\r\nRegistry Actions\r\nSome botnet takedowns are purely criminal cases, performed by Law Enforcement Agencies using criminal laws – although,\r\nnot every country has developed such legislation. In some countries, particularly the USA, LEAs can use civil legal orders in\r\nthe fight against cybercrime. This avenue is also open to private sector organizations; indeed, Microsoft has previously used\r\ncivil court orders to tackle large botnets. Where the name of a suspect behind the botnet is not known, but damages can be\r\ndemonstrated, it is still possible for a plaintiff (in this case Microsoft) to make an “ex parte” (meaning in the interests of one\r\nside, when the other side is not present) “John Doe” complaint through a civil court. If successful, a judge can issue a\r\nTemporary Restraining Order (TRO) that grants injunctive relief to the plaintiff. This is the legal approach that was adopted\r\nby Microsoft in regards to Necurs. 
You can view the Eastern District of New York court documents here and read the\r\nwording of its TRO application here.\r\nhttps://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/\r\nPage 1 of 17\n\nMicrosoft Necurs Ex Parte Temporary Restraining Order (TRO)\r\nShadowserver were on site with Bitsight and Microsoft at Microsoft’s Digital Crime Center in Redmond, WA, USA to support the\r\nNecurs disruption effort. Our contribution to the operation was primarily in two areas:\r\n1. Coordinating with our extensive, international network of country-code top-level domain (ccTLD) Registry\r\noperators who trust us to report malware to them that uses millions of unregistered DGA domains, as in previous\r\nlarge botnet takedown operations such as Avalanche.\r\n2. Using Shadowserver’s proven victim remediation network of 107 National CERTs/CSIRTs in 136 countries and over\r\n4,600 vetted network owners (covering 90% of the Internet by IP space/ASN/CIDR), to ensure that the collected\r\nsinkhole data was quickly distributed to as many constituents as possible, in order to maximize world-wide victim\r\nremediation. Data is also available through Microsoft CTIP and Bitsight’s commercial services.\r\nOur special-purpose Registrar of Last Resort Foundation (RoLR), another Dutch Stichting non-profit, public-benefit\r\norganization, created specifically by Shadowserver to quarantine toxic domain names, provided crucial support to the\r\nNecurs disruption activities. Voluntary action was successfully secured across 22 ccTLD registries, complementing\r\nMicrosoft’s US civil court orders, which had been executed on 5 US-based registries.\r\nThe Necurs botnet makes use of hardcoded domains and multiple layers of DGAs to attempt to guarantee reliable command\r\nand control (C2) capabilities. 
Since the Necurs DGAs and seed values had been reverse engineered by security researchers\r\nand reimplemented in code, 25 months of future domains could be forward calculated (a total of 6.1 million potential botnet\r\nC2 domains across 42 TLDs).\r\nUnder the wording of Microsoft’s civil court ordered TRO, all existing Necurs botnet C2 domain names (except those\r\ndetermined to belong to legitimate security researchers) within US-operated TLDs should be seized and sinkholed by the\r\nRegistry. Any unregistered DGA domain names would be blocked so that they could not be registered in the future – except\r\nby “Microsoft or its security industry partners Stichting The Registrar of Last Resort Foundation and The Shadowserver\r\nFoundation for the purposes of analyzing the botnet”.\r\nMicrosoft Necurs Ex Parte Temporary Restraining Order (TRO) Wording\r\nShortly before the operation took place, a subset of the pre-calculated domains for all of the Necurs 5,7,9,11,13 and 15 sub-botnets was registered and pointed to Microsoft’s and Bitsight’s sinkhole servers, to ensure that all infected victims would\r\nattempt to resolve at least one sinkholed botnet C2 domain and communicate with at least one sinkhole server every day;\r\nhopefully, without being able to communicate with the criminals operating the botnet. This approach allows the victim\r\npopulation to be identified and hopefully remediated, while minimizing the number of potential DGA C2 domains that\r\nactually have to be registered (around a thousand C2 domains per year, rather than the potentially millions of C2 domains).\r\nRoLR was used to register Necurs C2 domains for sinkholing purposes and to manage the ongoing maintenance and\r\nrenewal of the domains. 
The action of breaking the DNS resolution of criminal-controlled C2 domains, and instead\r\ndelivering infected victim computers to the Microsoft and Bitsight sinkhole servers, attempts to protect victims from further\r\ncriminal abuse, and allows National CERTs/CSIRTs and responsible network owners to be notified to remediate those\r\ninfections. The Necurs disruption sinkhole data is available through Microsoft’s CTIP service, Bitsight’s commercial service\r\nand Shadowserver’s free daily network reports. If you or your organization do not already subscribe to this free public\r\nbenefit service, then please do sign up.\r\nThe TLDs used by the Necurs botnet for C2 communications were:\r\nccTLDs: .ac, .bz, .cc, .cm, .co, .cx, .de, .eu, .ga, .im, .in, .ir, .jp, .ki, .kz, .la, .me, .mn, .ms, .mu, .mx, .nf, .nu, .pw, .ru, .sc, .sh,\r\n.so, .su, .sx, .to, .tv, .tw, .ug, .us, .tj\r\ngTLDs / nTLDs: .biz, .com, .net, .org, .pro, .xxx\r\nOther: .bit\r\nThe number of C2 domains per TLD over the calculated period was:\r\nTLD Domains\r\nac 186,399\r\nbit 85,887\r\nbiz 86,136\r\nbz 164,375\r\ncc 185,819\r\ncm 186,274\r\nco 165,067\r\ncom 85,993\r\ncx 185,314\r\nde 164,369\r\neu 164,837\r\nga 85,512\r\nim 186,611\r\nin 185,952\r\nir 85,767\r\njp 186,266\r\nki 185,968\r\nkz 86,148\r\nla 185,341\r\nme 164,255\r\nmn 185,988\r\nms 186,076\r\nmu 186,152\r\nmx 85,579\r\nnet 85,446\r\nnf 185,738\r\nnu 185,807\r\norg 86,240\r\npro 85,292\r\npw 85,979\r\nru 164,611\r\nsc 185,811\r\nsh 186,049\r\nso 186,200\r\nsu 85,734\r\nsx 85,681\r\ntj 186,089\r\nto 85,665\r\ntv 163,823\r\ntw 186,388\r\nug 85,766\r\nus 85,576\r\nxxx 86,020\r\nThis map showing the distribution of global and country TLDs helps to demonstrate the size and breadth of the effort that\r\nwas required to gain legal and voluntary action for 
coverage in all the TLDs used by Necurs DGA C2 domains:\r\nGlobal and Country level TLDs involved in Necurs botnet C2 communications\r\nSinkhole Data Analysis\r\nAlthough Necurs may have been eclipsed by Emotet as the main dropper of current top threats such as Trickbot and\r\nDridex, now that we have reported out the initial few days of sinkhole data, we can see that around 155,000 Necurs\r\ninfected unique IP addresses per day are being observed by the sinkholes. In operations where we have accurate bot IDs,\r\nwe typically see about a one-to-one ratio of bots to IP addresses when taking into account DHCP lease churn and multiple\r\nbots behind a single NAT gateway. That number aligns well with Bitsight’s own published historical analysis, which shows a\r\ngradual decline in the number of detected unique Necurs victim IP addresses per day since the peak botnet populations that\r\nwere observed in 2016 and 2017.\r\nMicrosoft Necurs sinkhole event feed provided via Shadowserver reporting\r\nBitsight historical Necurs sinkhole events\r\nThe IP-geolocation of the current daily Necurs victim infections worldwide is shown below:\r\n2020-03-11 IP-geolocated Necurs sinkhole events – locations\r\n2020-03-11 IP-geolocated Necurs sinkhole events – victims per country\r\n2020-03-11 IP-geolocated Necurs sinkhole events – top countries\r\nAnalysis\r\nWhen blogging about specific botnet takedowns, we try to provide analysis that is unique to our own perspective on that\r\noperation. 
Ideally, we also present that analysis in the context of the wider and historical threat ecosystem, using\r\nShadowserver’s own unique and extensive datasets.\r\nFor Necurs, we thought that it would be interesting to compare the IP-geolocated country-level distributions of\r\nvictims during the peak 24 hours after sinkhole data collection began.\r\nSelected spam botnet subjects are:\r\n1. Grum (2012/2013)\r\n2. Pushdo/Cutwail (2013/2014), multiple datasets\r\n3. Kelihos.C spambot (2014/2015)\r\n4. Kelihos.E spambot (2017-2018)\r\n5. Necurs spambot (2020)\r\n6. Andromeda malware dropper, for comparison (2017 to 2020)\r\nWe will start by comparing relative victim population sizes (number of unique IP addresses observed at each sinkhole per\r\nday), to provide the historical activity timelines and demonstrate each botnet’s remediation decay curve (either due to\r\nreporting and victim remediation, or through background bot atrophy/die off).\r\nGrum (2012/2013) – peak of 153,186 on 2012-08-12, reduced to 73,910 by 2012-11-06, 50% remediation in about 3\r\nmonths\r\nPushdo (2013/2014) – peak of 375,898 on 2013-06-05, reduced to 180,242 on 2013-07-08, 50% remediation in about a\r\nmonth\r\nCutwail (2014/2015) – peak of 36,662 on 2014-11-25, reduced to 16,591 on 2015-08-28, 50% remediation in about 9\r\nmonths (but had repeated rebuilds/takedowns)\r\nKelihos.C (2013) – peak of 43,124 on 2013-02-27, reduced to 17,622 by 2013-02-28, 50% remediation in first 24 hours\r\nKelihos.E (2017-2018) – peak of 58,318 on 2017-04-10, reduced to 27,836 on 2017-06-17, 50% remediation in about 2\r\nmonths\r\nNecurs (2020) – peak of 162,953 on 2020-03-11, just sinkholed, so initial days of remediation\r\nAndromeda (2017-2020) – peak of 1,443,705 on 2017-12-05, then 1,904,451 on 2018-09-12, then 3,584,470 on 2019-09-06, with long, slow cycles towards 50% 
remediation\r\nEach of these selected botnets was fairly prolific during its prime time. They have all been used to deliver much of the\r\nspam, phishing lures and malware that was received globally. Andromeda in particular continues to resist large scale clean\r\nup.\r\nWe can use treemaps to easily visualize the relative ratios of sizes of botnet populations in different countries. Interestingly,\r\nwhen these treemaps are viewed side by side, there are some obvious observations that can be made about the countries in which\r\nthe bulk of the infected victim systems of each of these botnets is located:\r\nGrum – 2012-08-02\r\nPushdo – 2013-06-05\r\nCutwail – 2014-11-25\r\nKelihos.C – 2013-02-27\r\nKelihos.E – 2017-04-19\r\nNecurs – 2020-03-11\r\nAndromeda – 2017-12-05\r\nAndromeda – 2018-09-12\r\nAndromeda – 2019-08-06\r\nAndromeda – 2020-03-15\r\nFrom our range of historical and current sinkhole datasets, if we take the peak 24 hours of each botnet’s observed victim\r\npopulation, there are a number of countries where the largest victim distributions are typically found. This pattern has\r\nrepeated in many of the spamming botnet networks built up and then disrupted or taken down over the past decade. 
Similar\r\ndistributions occur in the still very large Andromeda malware dropper victim pools, which have experienced very slow\r\nremediation rates over the past three years, despite significant attention being drawn to this at industry conferences, in blog\r\nposts, through events in victim remediation feeds such as Shadowserver’s free daily network reports, etc.\r\nBelow is a simple ordered count of which countries appear in the top 50% of victim populations for each of the above\r\nbotnets:\r\nCountry | Grum 2012-08-02 | Kelihos.C 2013-02-27 | Pushdo 2013-06-05 | Cutwail 2018-05-08 | Kelihos.E 2017-04-19 | Necurs 2020-03-14 | Andromeda 2017-12-05 | Andromeda 2018-09-12 | Andromeda 2019-08-06 | Tim Fe in 50 Inf\r\nIndia 1 1 1 1 1 1 1 1 8\r\nVietnam 1 1 1 1 1 1 1 1 8\r\nIndonesia 1 1 1 1 1 1 1 7\r\nIran 1 1 1 1 1 5\r\nTurkey 1 1 1 1 1 5\r\nMexico 1 1 1 1 4\r\nThailand 1 1 1 1 4\r\nSpain 1 1 1 3\r\nArgentina 1 1 2\r\nPhilippines 1 1 2\r\nUkraine 1 1 2\r\nUnited States 1 1 2\r\nUnited Arab Emirates 1 1\r\nBelarus 1 1\r\nBosnia \u0026 Herzegovina 1 1\r\nBrazil 1 1\r\nChile 1 1\r\nChina 1 1\r\nEgypt 1 1\r\nGermany 1 1\r\nItaly 1 1\r\nKazakhstan 1 1\r\nPeru 1 1\r\nRomania 1 1\r\nRussia 1 1\r\nSaudi Arabia 1 1\r\nSouth Korea 1 1\r\nTurkey 1 1\r\nVenezuela 1 1\r\nThe purpose of this comparison analysis is not to disparage any particular country, or to blame anyone for this situation\r\n(other than the cyber criminals who have been victimizing these populations for years). We have deliberately chosen to\r\nfocus at a country level, rather than the individual ASN or IP level (although we do have that data available). 
The\r\nShadowserver Foundation is a public benefit non-profit organization which gives data away for free each day to any vetted\r\nnetwork owner and National CERT/CSIRT, and we have strived to help remediate these victim populations for many years\r\nnow. We merely want to highlight the observed trends across a decade of spam and malware dropping botnets, to better\r\nassist defenders in protecting all networks, in every country.\r\nFrom a global Internet security hygiene perspective, you might ask the question “After the next big takedown or\r\ndisruption of the next big spamming botnet (perhaps Emotet?) – where would the victim population likely be\r\nlocated?” Every botnet is obviously different, as are the owner’s goals and the circumstances on the Internet at that time.\r\nBut 15 years of historic sinkhole data would suggest that it would likely be many of the same areas again.\r\nThese repeated botnet population patterns could be due to limited infosec budgets in certain countries, ignorance of the\r\navailable (free) remediation data sources (such as Shadowserver), a lack of public awareness and good security practice\r\nguidance, larger populations of older, more vulnerable operating systems and computer hardware, perhaps a higher chance\r\nof software licensing compliance problems, or it could just be simple economic realities. Given that spamming botnets and\r\nmalware droppers have proven to be highly effective, are often long lived, and are one of the primary attack vectors against\r\nthe entire online world, it seems likely that countries with fewer infections will continue to be bombarded with spam and\r\nmalware from similar locations in the future.\r\nThis is obviously a complex topic, requiring more than a single blog post to do the subject justice. 
At a time when the\r\nphysical world is dealing with the current COVID-19 pandemic and isolation is being considered, at both national and\r\npersonal level, it is obviously difficult for many people to worry too much about malware and Internet-borne viruses. That is\r\nunderstandable, and protecting human lives needs to come first. However, we should all also think about some of the\r\ndifficult challenges in maintaining good global internet hygiene, and how best the various members of the National\r\nCERT/CSIRT, network owner, Law Enforcement Agency, private sector business and ordinary members of the public can\r\nwork together to help minimize the risk of another major spambot outbreak soon.\r\nConclusion\r\nIt has been good to work again with Microsoft and Bitsight on another major cybercrime disruption operation. We appreciate\r\nbeing offered the opportunity to support the final phase of their Necurs disruption effort, and to assist in what will hopefully\r\nbe a rapid, effective, global remediation effort.\r\nThanks to the way Microsoft have managed this investigation and the civil court orders that they obtained, along with the\r\nuse of RoLR for non-US TLDs, hundreds of thousands of unique daily victim IP addresses observed by the Necurs sinkholes\r\nwill not only be made available to Microsoft and Bitsight’s customers, but will also be available through Shadowserver’s\r\nfree daily network reports (in the Shadowserver drone feed, tagged as type=necurs). Some ISPs will also be blocking\r\noutbound connections to the known C2 infrastructure to further protect their end users.\r\nThis is a truly laudable effort from two private sector companies collectively trying to clean up this persistent, highly\r\neffective and impactful botnet. 
Regardless of whether the Necurs botnet will eventually be rebuilt, notifying – and hopefully\r\nremediating – so many victims of cybercrime is always a positive result for the good guys, and hopefully a bad day for the\r\ncriminals.\r\nIf you receive an infection notification from your ISP, network owner or National CERT/CSIRT, please use anti-virus\r\nsoftware to disinfect your computer and reduce the risk to yourself and others who might be impacted as a consequence of\r\nfurther malware attacks launched from your infected system. At this time in particular, we should all be aware that not only\r\ndo we need to look after our own health, but we also have to think about our social responsibility towards others.\r\nSource: https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/"
	],
	"report_names": [
		"has-the-sun-set-on-the-necurs-botnet"
	],
	"threat_actors": [
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439107,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ca13276e7904aaf486406523bbf36b53ad3ca11.pdf",
		"text": "https://archive.orkl.eu/0ca13276e7904aaf486406523bbf36b53ad3ca11.txt",
		"img": "https://archive.orkl.eu/0ca13276e7904aaf486406523bbf36b53ad3ca11.jpg"
	}
}