{
	"id": "5caddfde-ab98-486c-858e-3523823424b6",
	"created_at": "2026-04-06T00:18:35.635431Z",
	"updated_at": "2026-04-10T03:20:44.305134Z",
	"deleted_at": null,
	"sha1_hash": "2eaceadc78b7910f568e6dfaec739a1fa4776e7d",
	"title": "Spam Sent by Necurs Botnet Is Trying \u0026 Succeeding in Altering Stock Market Prices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 982225,
	"plain_text": "Spam Sent by Necurs Botnet Is Trying \u0026 Succeeding in Altering\r\nStock Market Prices\r\nBy Catalin Cimpanu\r\nPublished: 2017-03-21 · Archived: 2026-04-05 19:19:44 UTC\r\nThe Necurs botnet is back and active again, but instead of spreading the Locky ransomware or the Dridex banking trojan, its\r\noperators are engaged in a spam scheme that tries to boost a company's stock market price artificially.\r\nThis particular spam scheme has a special name in the infosec industry, which is \"pump\u0026dump.\" The idea behind\r\npump\u0026dump schemes is to send massive amounts of spam that try to convince users to buy stocks for a particular\r\ncompany.\r\nAs users flock to acquire the company's stock, the price surges. When the Necurs spam has pushed the share price to the desired value,\r\nthe Necurs operators, or the people that rented the botnet, sell their stocks at the higher price and earn a profit.\r\nThis spam scheme has been around since the 90s, and has mainly targeted so-called \"penny stocks,\" securities for small\r\ncompanies that sell under $5/share, whose prices can be influenced by a few hundred new buyers/sellers in a day.\r\nNecurs pump\u0026dump takes aim at InCapta stock\r\nWith a monthly bot population of 5 to 6 million unique bots, Necurs is the perfect spam botnet for these operations, as it can\r\nfling tens of thousands of messages per hour without breaking a sweat.\r\nThis latest pump\u0026dump spam campaign targeted the stocks of InCapta Inc (INCT), a media holding company.\r\nThe spam campaign pushing for InCapta stock started on Monday morning, March 20, and resulted in an 
immediate share\r\nprice spike.\r\nFive different observers noted the new Necurs spam campaign: Cisco Talos, MalwareTech, MX Lab, My Online\r\nSecurity, and Dynamoo.\r\nNecurs sent out four spam runs\r\nAccording to MalwareTech, Necurs sent out four different spam waves on Monday (2 spam runs) and Tuesday (2 spam\r\nruns), keeping InCapta's stock at a heightened level.\r\nAccording to Cisco Talos, the spam campaigns sent tens of thousands of messages per hour, with the second wave\r\nbeing larger than the first.\r\nJust as you'd expect, the spammed message didn't make any sense, trying to trick users into buying InCapta stock because of\r\nan impending acquisition by DJI, the world's leader in drone manufacturing.\r\nThe spam message incorrectly stated that InCapta had manufactured its own drone. With a little bit of research (Google\r\nsearch), users would have discovered that InCapta is a media company, and would have avoided wasting their money. Below\r\nare the first two spam messages sent during the first two waves. The third and fourth spam messages are here and here.\r\nNecurs pump\u0026dump stock spam for InCapta Inc. (MalwareTech)\r\nNecurs pump\u0026dump stock spam for InCapta Inc. (Cisco Talos)\r\nNecurs returns to life\r\nPrior to yesterday's spam run, the Necurs botnet had been extremely quiet. During 2016, Necurs had focused on delivering\r\nspam email with malicious attachments that installed the Locky ransomware or the Dridex banking trojan.\r\nThe botnet had gone silent before the winter holidays, as it does every year, but never came back to its previous activity\r\nlevels, stopping the distribution of Locky altogether. 
Yesterday's pump\u0026dump campaign was the biggest campaign this\r\nyear so far for Necurs, whose infrastructure was dormant for most of 2017.\r\nNecurs had previously dabbled in pump\u0026dump spam schemes, mostly in 2015 and earlier, before Locky. There were\r\nisolated pump\u0026dump spam schemes in 2016, but nothing to eclipse its efforts on spreading Locky and Dridex.\r\nNecurs' Locky infrastructure still dormant\r\nAccording to Cisco's Talos team, Necurs operators appear to be using a different infrastructure for spreading Locky and\r\nanother one for pump\u0026dump spam.\r\nAs Necurs came back from its winter holiday slumber, Talos researchers say that only the pump\u0026dump infrastructure came\r\nback to life, while the one responsible for Locky remains dormant.\r\n\"On the other hand, both of these campaign types share common recipients, hinting at the fact that Necurs operators may use\r\na shared database of email addresses even when clients request different services,\" the Cisco Talos team explained.\r\nNonetheless, because ransomware has a wider attack base, compared to the small userbase susceptible to pump\u0026dump\r\nschemes, most industry experts expect Necurs to return to spreading Locky or another ransomware family, as it's far more\r\nprofitable than spreading any other type of spam.\r\nConrad Longmore, the researcher behind the Dynamoo blog, has some advice for people taking their stock market tips from\r\nspam messages.\r\n\"Pump and dump spam like this is a criminal activity, and typically companies being promoted in this way are in terminal\r\ndecline (but not always),\" Longmore says. \"Avoid buying stocks on the recommendation of criminals.\"\r\nSource: https://www.bleepingcomputer.com/news/security/spam-sent-by-necurs-botnet-is-trying-andamp-succeeding-in-altering-stock-market-prices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/spam-sent-by-necurs-botnet-is-trying-andamp-succeeding-in-altering-stock-market-prices/"
	],
	"report_names": [
		"spam-sent-by-necurs-botnet-is-trying-andamp-succeeding-in-altering-stock-market-prices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2eaceadc78b7910f568e6dfaec739a1fa4776e7d.pdf",
		"text": "https://archive.orkl.eu/2eaceadc78b7910f568e6dfaec739a1fa4776e7d.txt",
		"img": "https://archive.orkl.eu/2eaceadc78b7910f568e6dfaec739a1fa4776e7d.jpg"
	}
}