{
	"id": "47ecf007-2d62-433f-bf53-51aaff6bfcdf",
	"created_at": "2026-04-06T00:07:25.639578Z",
	"updated_at": "2026-04-10T03:23:52.146357Z",
	"deleted_at": null,
	"sha1_hash": "16d2a751ce3f17e808cb418bf2a93d12ae9bf4b3",
	"title": "Cutwail Botnet Feeling Effects of Blackhole Takedown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34698,
	"plain_text": "Cutwail Botnet Feeling Effects of Blackhole Takedown\r\nBy Michael Mimoso\r\nPublished: 2013-12-18 · Archived: 2026-04-05 23:06:01 UTC\r\nWithout the Blackhole exploit kit around to inject malware such as the Zeus Trojan, keepers of the Cutwail spam\r\nbot have been forced to resort to some old-school methods of sending malware such as direct email attachments.\r\nThe arrest of alleged hacker Paunch and the subsequent dismantling of the Blackhole Exploit Kit operation has\r\ncybercrime groups scrambling to find another automated means of delivering exploits.\r\nIn the meantime, some are settling for old-school tactics that include infected email attachments and an increased\r\ninvestment in the social engineering used to entice users into double-clicking and executing the malware stored in\r\nthe attachment.\r\nThe most recent evidence of this comes from a major cybercrime group reliant on the Cutwail botnet to send out\r\nspam that had been fiddling with a relatively new exploit kit called Magnitude before deciding to go the direct-attachment route.\r\nResearchers at Websense said that since Paunch’s arrest, reported in early October, the company has captured\r\nemails with links that used to redirect to Blackhole now redirecting to Magnitude and others redirecting to\r\nphishing pages with American Express, work from home and diet remedy themes.\r\nApparently, however, Magnitude didn’t serve the attackers’ needs sufficiently as more and more samples included\r\ndirect attachments, said director of research Alex Watson.\r\n“That gives us an interesting look at the criminal community that leaves you open to speculate why they\r\nexperimented with Magnitude and then moved away,” Watson told Threatpost. While the group was using\r\nBlackhole, the number of Cutwail messages containing malicious URLs was markedly higher than post-Blackhole\r\nwhen the number of emails containing infected ZIP files shot up.\r\n“The overall levels of malicious activity have stayed somewhat consistent, but I would say the success of\r\ncampaigns since moving to direct attachments and things like that is dramatically lower,” Watson said. “We’ve\r\nseen slightly more sophisticated social engineering attacks that are more convincing to users, but not nearly the\r\nsame success rates they had when Blackhole was available for use.”\r\nCutwail is one of the most established spam botnets and most prolific, sending at one point, millions of spam\r\nmessages daily. It was two million compromised machines strong and used to distribute spam and financial\r\nmalware targeting not only credit card data but credentials. The Cutwail emails often included links that would\r\nlead victims to sites hosting Blackhole, which would then inject downloaders for other malware such as\r\nZeroAccess or Zeus.\r\nThe arrest of Paunch and the Blackhole takedown has turned cybercrime economics on its ear in some parts.\r\nAttackers have been forced to find other avenues to recover lost revenue.\r\nhttps://threatpost.com/cutwail-botnet-feeling-effects-of-blackhole-takedown/103228/\r\nPage 1 of 2\r\n“They’ve had to put more work into the social engineering and having sophisticated-looking emails to get users to\r\nclick,” Watson said. “A second thing we’ve noticed is an increased aggressiveness with malware installations on\r\ncomputers that are compromised.”\r\nWhere attackers would be satisfied with leaner attacks because the volume provided by Blackhole web injections\r\nwas so high, that’s now changed.\r\n“Often we’ll see a Pony downloader which will steal credentials, which will then download Zeus, which will then\r\ndownload Cryptolocker, all in the matter of a couple of minutes,” Watson said. “So you’re looking at very\r\naggressive installation of malware on computers that are targeted, which could be another way of making up lost\r\nrevenue due to not infecting as many machines.”\r\nCompromised computers are more than ever cash cows for attackers, some of whom invest significant money in\r\npurchasing exploit kits such as Blackhole. When that goes away, a number of infection vectors go away with it.\r\nSome of that dynamic has given rise to ransomware in recent months, in particular Cryptolocker, which encrypts\r\nfiles on shared drives in return for a ransom. Other malware variants have taken to anonymity networks such as\r\nTor or I2P to hide communication and hopefully preserve the longevity of their enterprise.\r\nRansomware, however, gives an attacker an immediate shot at collecting a payout, Watson said.\r\n“With Cryptolocker, I think there have been some cases where it’s been very successful,” he said. “If you look at\r\nsmaller companies that don’t have really strong controls around file sharing or backup, and those businesses that\r\ndon’t really have an established disaster recovery plan would be vulnerable to this.”\r\nSource: https://threatpost.com/cutwail-botnet-feeling-effects-of-blackhole-takedown/103228/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/cutwail-botnet-feeling-effects-of-blackhole-takedown/103228/"
	],
	"report_names": [
		"103228"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16d2a751ce3f17e808cb418bf2a93d12ae9bf4b3.pdf",
		"text": "https://archive.orkl.eu/16d2a751ce3f17e808cb418bf2a93d12ae9bf4b3.txt",
		"img": "https://archive.orkl.eu/16d2a751ce3f17e808cb418bf2a93d12ae9bf4b3.jpg"
	}
}