{
	"id": "71ba98ee-958e-4304-8544-4ac328448c63",
	"created_at": "2026-04-06T00:21:44.826339Z",
	"updated_at": "2026-04-10T03:33:17.056047Z",
	"deleted_at": null,
	"sha1_hash": "20f847f16302a24b9cca6a90fce1d15d40154771",
	"title": "Inside the Takedown of ZOMBIE SPIDER and the Kelihos Botnet - crowdstrike.com",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51228,
	"plain_text": "Inside the Takedown of ZOMBIE SPIDER and the Kelihos Botnet - crowdstrike.com\nBy Falcon Intelligence Team\nArchived: 2026-04-05 13:15:33 UTC\n\nThis figure shows a snapshot of systems infected with Kelihos communicating with the sinkhole created to disable it.\n\nThe arrest of Russian cybercriminal Pyotr Levashov (aka Peter Severa, or threat actor ZOMBIE SPIDER to CrowdStrike Falcon® Intelligence™ subscribers), made global headlines this week and with good reason. For several years, Levashov had been the subject of an international law enforcement operation led by the FBI, which sought to curtail his global criminal activities powered by a peer-to-peer (P2P) botnet known as Kelihos. Levashov was the primary threat actor behind Kelihos, and its predecessors Waledac and Storm. At the time of Levashov’s arrest, the botnet had been operating globally, responsible for perpetrating a wide range of illegal activities including: delivering remote access tools to hijack computers in the Netherlands; distributing banking Trojans in North America, Australia and Europe; engaging in pump-and-dump trading scams (designed to falsely inflate the price of a stock so it can be quickly dumped for profit); spamming victims with advertisements for illegal pharmaceutical sites; delivering ransomware; and conducting massive distributed denial-of-service (DDoS) attacks. Arresting Levashov was a critical first step in dismantling his incalculably destructive global enterprise – the next step was neutralizing the Kelihos botnet itself. The CrowdStrike Falcon® Intelligence team, which had been tracking Levashov as the adversary called ZOMBIE SPIDER, was able to help law enforcement seize control of the Kelihos botnet so that it could no longer be used by criminal actors. To understand that accomplishment, it’s important to learn more about Kelihos and how it operates.\n\nThe Kelihos Botnet\n\nA botnet is a collection of victim computers infected with malware, connected through a centralized command and control (C2) infrastructure maintained by the criminal hacker. A botnet can be massive – many are comprised of tens of thousands of “zombie” machines – all being used for nefarious purposes. Kelihos was a botnet that employed peer-to-peer (P2P) communications using infected systems that acted as proxies, relaying information between each other and the Kelihos backend servers. This decentralized structure makes P2P botnets harder to disrupt than the more traditional variety. Levashov was able to operate the vast Kelihos network as a service, allowing other criminals to pay for delivering their own spam, banking trojans, ransomware, and even DDoS attacks. His criminal proficiency had even won him a spot on the top 10 list of the world’s worst spammers maintained by the anti-spam group Spamhaus. Here are some key facts about the Kelihos botnet, as compiled by Falcon Intelligence:\n\nKelihos is a multi-purpose P2P botnet that emerged in late 2010, shortly after its predecessor (known as Waledac) was dismantled.\nSince its inception, Kelihos has been subject to several takedown operations and each time the botnet has been rebuilt in a new, more robust manner.\nThe botnet is primarily used to deliver spam email, but it has a wide assortment of plugins that extend its functionality, including: credential and email address harvesting; launching distributed denial of service (DDoS) attacks; performing click fraud; and fast-flux DNS hosting.\nPrevious versions had the ability to mine Bitcoin.\nKelihos was deliberately designed to be difficult to reverse engineer – its network protocol contains several layers of encryption including RSA, blowfish, and a custom obfuscation algorithm that the malware author refers to as “monkey” functions.\nThe fifth and current generation of the botnet has been around since the summer of 2013, with an estimated size of 50,000 to 75,000 infected machines.\n\nThe CrowdStrike Falcon® Intelligence Team’s Role\n\nIn order to seize control of the Kelihos botnet, a technique known as “peer list poisoning” was used. The objective of peer list poisoning is to use the criminal’s own bot network, what one might consider his strength, against him. The process involved propagating a carefully crafted peer list that prevented the threat actor, in this case ZOMBIE SPIDER, from communicating with infected systems. As a result of the peer list poisoning, the P2P network was transformed into a centralized network, with infected systems only allowed to communicate with a sinkhole established by law enforcement. In effect, this neutralized Kelihos by redirecting communications from infected machines to the sinkhole, rather than the intended C2 infrastructure. Since this technical operation began, Falcon Intelligence has observed 50,541 unique infections communicating with the sinkhole server. While the arrest of Levashov, and the team’s related actions to dismantle Kelihos, are important milestones, we have not seen the last of this breed of criminal enterprises. That’s why organizations need to arm themselves with intelligence-driven endpoint security that can address the increasingly sophisticated threats the future is sure to hold.\n\nLearn more about CrowdStrike Falcon® Intelligence and CrowdStrike’s cyber intelligence subscription offerings.\n\nSource: https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/"
	],
	"report_names": [
		"inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e312df00-4c6f-44c3-b717-4b72800c7697",
			"created_at": "2023-01-06T13:46:39.03345Z",
			"updated_at": "2026-04-10T02:00:03.190159Z",
			"deleted_at": null,
			"main_name": "ZOMBIE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:ZOMBIE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c3ca3f2-9a6a-463e-869c-e9bf02d398d7",
			"created_at": "2022-10-25T16:07:24.59432Z",
			"updated_at": "2026-04-10T02:00:05.047762Z",
			"deleted_at": null,
			"main_name": "Zombie Spider",
			"aliases": [],
			"source_name": "ETDA:Zombie Spider",
			"tools": [
				"Hlux",
				"Kelihos",
				"Waledac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434904,
	"ts_updated_at": 1775791997,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20f847f16302a24b9cca6a90fce1d15d40154771.pdf",
		"text": "https://archive.orkl.eu/20f847f16302a24b9cca6a90fce1d15d40154771.txt",
		"img": "https://archive.orkl.eu/20f847f16302a24b9cca6a90fce1d15d40154771.jpg"
	}
}