{
	"id": "bf222416-8200-4e73-88ae-c021f4ec9390",
	"created_at": "2026-04-06T00:12:26.880564Z",
	"updated_at": "2026-04-10T03:32:46.01027Z",
	"deleted_at": null,
	"sha1_hash": "3a0d30f77aaa254be5933e6cf6e6585f5443f364",
	"title": "The Many Tentacles of the Necurs Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2027051,
	"plain_text": "The Many Tentacles of the Necurs Botnet\r\nBy Jaeson Schultz\r\nPublished: 2018-01-18 · Archived: 2026-04-05 19:22:22 UTC\r\nThursday, January 18, 2018 11:02\r\nThis post was written by Jaeson Schultz.\r\nIntroduction\r\nOver the past five years the Necurs botnet has established itself as the largest purveyor of spam worldwide. Necurs is responsible for emailing massive amounts of banking malware, ransomware, dating spam, pump-n-dump stock scams, work-from-home schemes, and even cryptocurrency wallet credential phishing. Necurs sends so much spam that at times its campaigns can make up more than 90% of the spam seen by Cisco Talos in a single day.\r\nTo conduct a deeper analysis of Necurs, Talos extracted 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017. The result was a collection of over 2.1 million spam messages, sent from almost 1.2 million distinct sending IP addresses in over 200 countries and territories.\r\nNecurs Recipients\r\nFrom an email marketing and delivery perspective, Necurs doesn't appear to be too sophisticated. Necurs' recipient database includes email addresses that have been harvested online, commonly deployed role-based accounts, and email addresses that appear to have been auto-generated. These are among the worst, most unreliable sources for obtaining email addresses, and any legitimate email marketer wouldn't last a day mailing to addresses such as these. Of course, an illegitimate botnet such as Necurs has no such concerns. For many months the email addresses in Necurs' database seemed to be largely static; Necurs hasn't actively added any new addresses for at least the past year, possibly two years or more.
In November of 2017, Necurs stopped mailing to many of the auto-generated accounts.\r\nAt one of my personal domains, Necurs has been seen mailing to addresses such as 'equifax@', an email address that was originally stolen from Equifax years before the 2017 breach. Necurs also often mails to 'thisisatestmessageatall@', another email address I generated and put into the wild long ago. There are also variations on other legitimate addresses, for example 'aeson@', '20jaeson@', and 'eson@', which are all variations on my address 'jaeson@'. The number 20 was present at the beginning of many of Necurs' recipient addresses. Hex 20 is the space character, and '%20' is how a space is written in percent-encoded URLs and similar contexts; most likely a harvester copied '%20' from an encoded page and kept only the digits. This is further indication of the harvested nature of these addresses.\r\nOther addresses in Necurs' mailing list appear to have been auto-generated. For example 'EFgUYsxebG@', 'ZhyWaTmu@', and 'MTAyOvoYkx@' have never been aliases at my domain that I've ever used, and the only mail these accounts ever receive comes from Necurs.\r\nNecurs email received at an auto-generated email address\r\nFrom our set of Necurs' spam messages, Talos extracted only the user alias portion of the To: address. There are numerous email aliases, such as role-based addresses, that appear to be in Necurs' recipient DB across many different recipient domains.
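The '20' prefix and the truncated aliases above are what a naive regex harvester leaves behind when it scrapes addresses out of raw HTML and URLs without decoding them first. The following Python is an added example, not code from the Talos post: it runs such a harvester over a few constructed page fragments (assumed for illustration, with an example.org mailbox standing in for the author's) and then flags which of the harvested local parts look like scraping damage or role accounts rather than real personal mailboxes.

```python
import re
from collections import defaultdict

# Naive address harvester of the kind that feeds a spam list: one regex pass
# over raw page text, with no HTML or percent-decoding beforehand. The
# artifacts that produces are the point of this example.
ADDRESS_RE = re.compile('[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+[.][A-Za-z]{2,}')

# Constructed page fragments (assumed for illustration, not data from the
# post). Each one mangles the same published address in a different way.
SCRAPED_FRAGMENTS = [
    '<a href=mailto:jaeson@example.org>Jaeson</a>',       # clean
    'Write to:%20jaeson@example.org%20for%20details',    # encoded space glued on
    'Mail <b>j</b>aeson@example.org to reach me',        # a tag splits the local part
    'or ja<wbr>eson@example.org on slow links',          # a soft break splits it again
    'Abuse reports: abuse@example.org',                  # role account
    'sales&#64;example.org',                             # entity-encoded @, missed entirely
]

ROLE_ALIASES = {'abuse', 'postmaster', 'webmaster', 'info', 'sales', 'support', 'admin'}


def harvest(fragments):
    # Returns the de-duplicated harvested addresses in first-seen order.
    found = []
    for fragment in fragments:
        for addr in ADDRESS_RE.findall(fragment):
            if addr not in found:
                found.append(addr)
    return found


def flag_artifacts(addresses):
    # Explains, per address, why it looks like harvesting damage or a role
    # account. Addresses with no finding are left out of the result.
    by_domain = defaultdict(set)
    for addr in addresses:
        local, domain = addr.rsplit('@', 1)
        by_domain[domain].add(local)

    flags = {}
    for domain, locals_ in by_domain.items():
        # '20' is the percent-encoded space: a known local part right after
        # it means the harvester kept the digits and dropped the '%'.
        encoded = {x for x in locals_ if x.startswith('20') and x[2:] in locals_}
        real = locals_ - encoded
        for local in encoded:
            flags[local + '@' + domain] = 'percent-encoded space glued to ' + local[2:]
        for local in real:
            if local in ROLE_ALIASES:
                flags[local + '@' + domain] = 'role-based alias'
                continue
            # A proper suffix of another local part at the same domain was
            # most likely cut by a tag or line break in the middle of a word.
            longer = [o for o in real if o != local and o.endswith(local)]
            if longer:
                flags[local + '@' + domain] = 'truncated form of ' + max(longer, key=len)
    return flags


if __name__ == '__main__':
    harvested = harvest(SCRAPED_FRAGMENTS)
    findings = flag_artifacts(harvested)
    for addr in harvested:
        print(addr, '->', findings.get(addr, 'no finding'))
```

Run against a real harvested list, the same two rules (a '20' prefix on an otherwise known local part, and local parts that are suffixes of longer ones at the same domain) give a quick estimate of how much of a recipient database is scraping debris, which is the kind of evidence the post uses to argue that the Necurs list was harvested rather than bought or curated.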
Strangely, the list also included some odd email aliases deployed at multiple domains, such as 'unity_unity[0-9]@', 'petgord32truew@', 'iamjustsendingthisleter@', 'docs[0-9]@', and others.\r\nEmail alias and the number of domains in our data in which that alias was found\r\nInterestingly, some of these same strange aliases can be found on Project Honeypot's list of the Top Dictionary Attacker Usernames, though it is unclear whether Necurs obtained its aliases from this list, or whether these aliases made Project Honeypot's list as a result of Necurs' spamming activity.\r\nProject Honeypot's Top Dictionary Attacker Usernames\r\nNecurs Sending IPs\r\nNext, Talos extracted the sending IP addresses responsible for transmitting Necurs' spam emails, and we grouped the data according to geographical location. Rather than being uniformly distributed worldwide, a majority of Necurs' nodes were concentrated in just a few countries: India (25.7% of total spam), Vietnam (20.3% of total spam), and Iran (7.3% of total spam). More than half (51.3%) of the sending IP addresses in our data came from just these three countries. In contrast, other large industrialized nations were responsible for only a tiny fraction of the spam. For example, the United States was home to 6,314 (less than 1%) of Necurs' sending IPs, and only 38 of the nearly 1.2 million sender IPs were attributed to Russia.\r\nNumber of spam messages sent per country\r\nTalos also analyzed the individual spam campaigns in order to determine how often the sending IP addresses were reused from campaign to campaign.
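The reuse analysis just described reduces to a per-IP campaign count, and the same bookkeeping answers the defender's version of the question that the conclusion raises: how much of the next campaign a blocklist built from earlier campaigns would have caught. The following Python is an added example, not Talos' tooling: it runs that analysis over four constructed campaigns with TEST-NET sender addresses (assumed for illustration) in which reuse is deliberately low, in the spirit of the post's finding.

```python
from collections import Counter

# Constructed sender sets for four spam campaigns (TEST-NET addresses, not
# the Talos data). Campaign-to-campaign reuse is deliberately low.
CAMPAIGNS = {
    'c1': {'203.0.113.1', '203.0.113.2', '203.0.113.3', '203.0.113.4', '203.0.113.5'},
    'c2': {'203.0.113.1', '203.0.113.6', '203.0.113.7', '203.0.113.8', '203.0.113.9'},
    'c3': {'203.0.113.1', '203.0.113.2', '203.0.113.10', '203.0.113.11', '203.0.113.12'},
    'c4': {'203.0.113.6', '203.0.113.13', '203.0.113.14', '203.0.113.15', '203.0.113.16'},
}


def campaigns_per_ip(campaigns):
    # Number of distinct campaigns each sender appeared in. Each campaign is
    # a set, so a sender counts once per campaign however many mails it sent.
    counts = Counter()
    for senders in campaigns.values():
        counts.update(senders)
    return counts


def reuse_histogram(campaigns):
    # k -> number of IPs seen in exactly k campaigns: the data behind the
    # post's chart of unique IPs versus campaigns appeared in.
    return dict(sorted(Counter(campaigns_per_ip(campaigns).values()).items()))


def single_campaign_share(campaigns):
    # Fraction of all senders that showed up in only one campaign.
    counts = campaigns_per_ip(campaigns)
    return sum(1 for c in counts.values() if c == 1) / len(counts)


def ips_in_all(campaigns):
    # Senders present in every campaign (the post found none across its 32).
    return set.intersection(*campaigns.values())


def blocklist_coverage(campaigns, order):
    # For each campaign after the first, the fraction of its senders that a
    # blocklist of every earlier campaign's senders would have caught.
    seen = set()
    coverage = {}
    for name in order:
        senders = campaigns[name]
        if seen:
            coverage[name] = len(senders & seen) / len(senders)
        seen |= senders
    return coverage


if __name__ == '__main__':
    order = ['c1', 'c2', 'c3', 'c4']
    print('campaigns per IP histogram:', reuse_histogram(CAMPAIGNS))
    print('share seen in a single campaign:', single_campaign_share(CAMPAIGNS))
    print('IPs in every campaign:', ips_in_all(CAMPAIGNS))
    print('blocklist coverage by campaign:', blocklist_coverage(CAMPAIGNS, order))
```

With real data the input would be one set of sender IPs per campaign, built from the Received: headers of the captured messages; the coverage figure is the one to watch, because a botnet that draws most of each campaign's senders from nodes never seen before keeps that number low no matter how quickly the earlier senders are listed.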
We found very little infrastructure reuse. In fact, none of the sending IP addresses in our data were seen across all thirty-two of the campaigns we extracted. Only three sending IP addresses could be found across thirty of Necurs' spam campaigns. The vast majority of sending IP addresses, 937,761 (78.6% of the total), were only ever seen in a single Necurs spam campaign. This means that the Necurs botnet is large enough to conduct attacks over several months without substantial reuse of most sending nodes, an impressive feat.\r\nNumber of unique IP addresses vs. how many campaigns in which they appeared\r\nNecurs Spam Campaigns\r\nTypically, email campaigns from Necurs fall into one of two categories: high-volume weekday campaigns, or low-volume continuous campaigns. Necurs has occasionally been seen sending high-volume campaigns on weekends, but the vast majority of the time high-volume campaigns are limited to the business week only. The mailing list database Necurs is using seems to be segmented, such that the high-volume campaigns use one subset of email addresses from the DB, and the low-volume campaigns use a different set of email addresses.\r\nPump-N-Dump Stock Spam\r\nBelow is an example of a pump-n-dump stock spam sent on April 12th, 2017 by Necurs touting the stock symbol QSMG, Quest Management Incorporated. On the following day the price of QSMG peaked at $2.33, probably netting the criminals a tidy gain on their initial investment. QSMG is currently worth less than $0.02.\r\nA message touting the penny stock, QSMG\r\nQSMG was at $2.33 on April 13. Currently it is worth less than $0.02\r\nDating Spam\r\nNecurs also sends dating spam.
Recent dating spam has arrived without any URLs in the body, except a mailto: link to an email address. Current dating campaigns have involved the free email provider rambler.ru, but other previous dating campaigns have taken advantage of similar free email services such as gmx.com. Necurs' dating campaigns have also been known to include HTML links to fast-fluxed domains, or sometimes compromised websites (WordPress, etc.).\r\nNecurs dating spam featuring an email address at rambler.ru\r\nIf you respond to one of these dating messages, you may be enrolled in a Russian dating website such as marmeladies.site. In this case, the criminals are making money by referring new users to these dating sites. Most likely they are being paid on an affiliate model.\r\nMarmeladies is one of the dating sites to which victims who reply are directed\r\nRansomware\r\nOf course, one of Necurs' most well-known payloads is ransomware. Necurs has been one of the biggest distributors of the Locky ransomware. Locky also works on an affiliate model. Inside each Locky sample, in the metadata, is an affiliate ID, which is always the same (3) for Necurs mailings. Most of the time, very little investment is made in the design of the messages themselves, as in the following example.\r\nA typical ransomware campaign from Necurs\r\nCryptocurrency Credential Phishing\r\nThe rise (and fall) in the value of digital currencies such as Bitcoin and Ethereum has not escaped the attention of the Necurs criminals. They have been seen conducting attack campaigns using domains designed to look similar to legitimate wallet management websites.
In the email below, note the extra word 'my' in the domain 'mymyetherwallet.com'.\r\nThis domain is registered to appear similar to the real Ethereum wallet management site, myetherwallet.com\r\nRecently, the Necurs attackers have drawn from previous stock pump-n-dump scams to come up with a relatively new tactic related to cryptocurrency. They ran a spam campaign pumping Swisscoin (SIC).\r\nA Necurs spam email encouraging recipients to buy Swisscoin (SIC)\r\nJob Spam\r\nNecurs was recently sending a low-volume job spam campaign which includes links to freshly registered domains. For example, in the email below, sent October 30th 2017, we can see they are using a link to the domain 'supercoins.top'. (The affiliate ID in the URL is always the same.)\r\nAn example of a low-volume, job-related spam campaign from Necurs\r\nAttribution\r\nwhois-agent@gmx.com\r\nChecking the whois record for this domain we see the following registration details. Note the registrant email 'whois-agent@gmx.com'. This is an attempt by the threat actors to convince the casual observer that the domain is somehow registered through a third-party whois privacy protection service. Email accounts @gmx.com are free to the public, and in this instance the attackers have simply generated the alias 'whois-agent' for their use in registering domains.\r\nA review of the domains registered to 'whois-agent@gmx.com' yields 399 domains (from DomainTools as of January 17, 2018).
The list of domains registered to 'whois-agent@gmx.com' reads like a who's-who of criminal activity. Among the more notable domains we can see obvious phishing domains:\r\namex-notification.com\r\namexcardmail.com\r\namexmailnotification.com\r\nnatwestonlinebanking.info\r\nhsbc-sec.site\r\ndropbox-ch.co\r\ndropbox-fileshare.com\r\ndropboxmailgate.com\r\npaypa1.info\r\nsage-uk.com\r\nsagepay.info\r\nTyposquat-style domains targeting cryptocoin-related sites:\r\nmyetlherwa11et.com\r\nmyetlherwalllet.com\r\nrnyetherwa11et.com\r\nblockchaifn.info\r\nblockchaign.info\r\nblockchainel.info\r\nblockchaingr.info\r\nblockchait.info\r\nblockchalgn.info\r\nblockchalne.info\r\nblockchalner.info\r\nblockchalng.info\r\nblockchanel.info\r\nblockchart.info\r\nblockchatn.info\r\nblockcheing.info\r\nblockcheit.info\r\nblockclmain.info\r\nblockclnajn.info\r\nbloclnchain.info\r\nbloknchain.info\r\nFake Flash Player update domains:\r\nflash-ide-update.top\r\nflash-ime-update.top\r\nflash-one-eupdate.top\r\nflash-one-update.info\r\nflash-player-update.info\r\nflash-update-player.info\r\nEven domains intended to masquerade as government resources:\r\nasic-gov-au.co\r\naustralia-gov-au.com\r\ncanadapost-office.info\r\ngovonfraud.info\r\nA review of some of the domains in passive DNS gives us some other important clues. While most domains are only registered for the minimum of one year, the attackers have chosen to maintain the registration for a longer time on other domains such as 'pp24.ws'.
That domain is home to an online marketplace for buying and selling stolen credit card numbers, stolen SSH account credentials and more.\r\n'pp24.ws' is a website dedicated to buying and selling stolen credit card numbers\r\nPassive DNS also reveals instances where the attackers have hosted domains belonging to different registrants on the same IP address. For example, when Talos analyzed the passive DNS records for one of the attacker's domains, 'setinfoconf.com', we found that this domain was hosted on a single IP address for a couple of months in late 2016 before being parked. When we reviewed the other domains living on that same IP address we saw a bit of a pattern, and most importantly, some of these domains were NOT in the list of domains owned by 'whois-agent@gmx.com'.\r\nwhois-protect@hotmail.com\r\nWhen we check the registration information for one of the above domains, 'setinofis.pw', we find that there is a different registrant. This time the email address used to register the domain was 'whois-protect@hotmail.com'.
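The co-hosting pivot described here (seed domain, the IP it resolved to, every other domain seen on that IP near the same dates, then each one's registrant) is the same move the post repeats later for the Alibaba IP, and it is mechanical enough to script once passive DNS and WHOIS results are in hand. The following Python is an added example, not code from the post: it applies the pivot to constructed passive DNS and registrant records (assumed for illustration; the domains, IPs and addresses are placeholders, not the ones in the post) and reports which other registrant accounts the seed's hosting links to, with the gap in days between their hosting windows.

```python
from collections import defaultdict
from datetime import date

# Constructed passive DNS observations: (domain, ip, first_seen, last_seen).
# Placeholders assumed for illustration, not records from the post.
PDNS = [
    ('seed-domain.example', '198.51.100.7', date(2017, 10, 21), date(2017, 10, 23)),
    ('seed-two.example',    '198.51.100.7', date(2017, 10, 22), date(2017, 10, 24)),
    ('other-a.example',     '198.51.100.7', date(2017, 10, 19), date(2017, 10, 19)),
    ('other-b.example',     '198.51.100.7', date(2017, 10, 25), date(2017, 10, 30)),
    ('parked.example',      '198.51.100.7', date(2016, 3, 1),   date(2016, 3, 15)),
    ('elsewhere.example',   '198.51.100.9', date(2017, 10, 21), date(2017, 10, 23)),
]

# Constructed WHOIS registrant email per domain (placeholders).
REGISTRANT = {
    'seed-domain.example': 'registrant-a@mail.example',
    'seed-two.example': 'registrant-a@mail.example',
    'other-a.example': 'registrant-b@mail.example',
    'other-b.example': 'registrant-c@mail.example',
    'parked.example': 'hosting-customer@mail.example',
    'elsewhere.example': 'registrant-d@mail.example',
}


def gap_days(a_first, a_last, b_first, b_last):
    # 0 when the two hosting windows overlap, otherwise the number of days
    # separating them.
    if a_first <= b_last and b_first <= a_last:
        return 0
    if b_first > a_last:
        return (b_first - a_last).days
    return (a_first - b_last).days


def pivot(seed, pdns, registrant, window_days):
    # For every IP the seed resolved to, collect the other domains seen on
    # that IP within window_days of the seed's hosting window, grouped by
    # registrant. Returns {registrant: [(domain, ip, gap_in_days), ...]}.
    links = defaultdict(list)
    for s_domain, s_ip, s_first, s_last in pdns:
        if s_domain != seed:
            continue
        for domain, ip, first, last in pdns:
            if ip != s_ip or domain == seed:
                continue
            gap = gap_days(s_first, s_last, first, last)
            if gap <= window_days:
                links[registrant.get(domain, 'unknown')].append((domain, ip, gap))
    return dict(links)


def new_registrants(seed, pdns, registrant, window_days):
    # Registrant accounts the pivot surfaces beyond the seed's own.
    return set(pivot(seed, pdns, registrant, window_days)) - {registrant[seed]}


if __name__ == '__main__':
    seed = 'seed-domain.example'
    for who, hits in pivot(seed, PDNS, REGISTRANT, 7).items():
        print(who, hits)
    print('new registrants:', sorted(new_registrants(seed, PDNS, REGISTRANT, 7)))
```

The time window is what keeps this honest on shared cloud addresses: an IP at a large hosting provider churns through tenants, so 'parked.example', hosted on the same address a year earlier, is excluded while the two domains hosted within a couple of days of the seed are surfaced. Even then the result is a lead to confirm with registrant and content overlap, not proof of a single operator, which is the same caution the post voices at its end.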
Just as with the 'whois-agent@gmx.com' address, this is an attempt to make a casual observer believe the domain is protected by whois privacy protection, when in reality this email account appears to be under the direct control of the attackers themselves.\r\nReviewing the list of 1103 domains (DomainTools as of January 17, 2018) associated with the 'whois-protect@hotmail.com' email address, we see much of the same illicit activity we saw before.\r\nMore phishing domains:\r\namex-psk.org\r\namexsafetykey.org\r\napplerecoveryprogram.com\r\napplerecoveryprogram.top\r\nbarcalys-offers-online.com\r\nbt-europe.com\r\nbtconnect.biz\r\nbtconnect.info\r\nbttconnect.com\r\ndhl4.com\r\ndocusign-australia.com\r\ndocusign-net.com\r\ndocusigner.org\r\ndropbox-eu.com\r\ndropboxa.com\r\ndropboxes.org\r\ndropboxsharing.com\r\ndropboxsmarter.com\r\ne-intuit.com\r\nefaxplus.com\r\nglobal-intuit.com\r\nhsbcbank.top\r\ninc-r.com\r\ning-update.info\r\nkbc-bank.info\r\npaupal.info\r\npaypa.info\r\npoypa1.info\r\nquickbooks-intuit-uk.com\r\nquickbooks-support.biz\r\nquickbooksonlineaccounting.com\r\nsage-uk.org\r\nsageim.com\r\nsages.biz\r\nsagetop.com\r\nsecurity-hsbc.site\r\nservicebying.com\r\ntelestrasystems.com\r\nvodafonestore.net\r\nwellsfargocertificate-637-9270.com\r\nMore domains targeting cryptocoin-related resources:\r\nblockchfain.info\r\nblokochain.info\r\nmyethelrwallet.com\r\nmyetherwallet.top\r\nmyetherwlallet.com\r\nmyethlerwallet.com\r\nrnyetherwlallet.com\r\nSimilarly themed fake Flash Player updates:\r\nflash-foe-update.win\r\nflash-ire-update.win\r\nflash-new-update.info\r\nflash-old-update.top\r\nflash-ome-update.win\r\nflash-one-eupdatee.top\r\nflash-one-eupdatte.top\r\nflash-one-update.top\r\nflash-one-update.win\r\nflash-onenew-update.info\r\nflash-ooe-update.win\r\nflash-ore-update.win\r\nflash-oue-update.top\r\nflash-owe-update.win\r\nflash-oxe-update.win\r\nflash-oye-update.win\r\nflash-playernewupdate.info\r\nflash-toe-update.win\r\nflash-woe-update.win\r\nflash-yoe-update.win\r\nflashnew-update.info\r\nflashplayernew-update.info\r\nWe even see targeting of government resources, just as we did with the other registrant account:\r\nafp-gov-au.com\r\nasic-au-gov.com\r\nasic-gov-au.com\r\nasic-government-au.com\r\nasic-mail-gov-au.com\r\nasic-message-gov-au.com\r\nasic-notification-gov.com\r\nato-gov-au.net\r\naugovn.com\r\naustgov.com\r\naustraliangovernement.com\r\naustraliangovernments.com\r\nfederalgovernmentaustralia.com\r\ngov-invoices.info\r\ngoviau.co\r\ntzyywz@qq.com\r\nChecking the registration on some of the domains associated with 'whois-protect@hotmail.com', we find some domains with other registrants, where the whois-protect@ address is simply the Administrative and Technical Contact. This reveals an additional registrant email address employed by the attackers, 'tzyywz@qq.com'.\r\nAccording to DomainTools (as of January 17, 2018), that qq.com email address is associated with over 2500 domains.
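Registrant lists of this size (399, 1103, over 2500 domains) are only useful if the lookalike domains inside them can be pulled out automatically. The following Python is an added example, not code from the post: it folds the homoglyph tricks visible in the lists above (rn for m, 1 for l, 0 for o), then flags a domain when the folded label equals a protected brand, embeds it, or sits within a small edit distance of it. The brand list, allowlist and sample domains are assumptions for illustration; the sample includes a few of the domains quoted in this post plus benign controls.

```python
# Brands to protect and the legitimate domains that must not be flagged.
# Both lists are assumptions for this example.
BRANDS = ['myetherwallet', 'blockchain', 'docusign', 'dropbox', 'paypal', 'amex', 'hsbc']
ALLOWLIST = {'myetherwallet.com', 'blockchain.info', 'docusign.com', 'dropbox.com',
             'paypal.com', 'americanexpress.com', 'hsbc.com'}

# Character substitutions that read the same at a glance. Order matters:
# multi-character swaps go first so that '1' -> 'l' cannot create new 'rn'.
HOMOGLYPHS = [('rn', 'm'), ('vv', 'w'), ('0', 'o'), ('1', 'l'), ('3', 'e'), ('5', 's')]


def normalize(domain):
    # Registrable label only (input is assumed to be a registered domain,
    # not a hostname), hyphens dropped, homoglyphs folded.
    label = domain.lower().split('.')[0].replace('-', '')
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    # Classic edit distance with a single rolling row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    # Returns a list of (brand, reason) findings; empty means not suspicious.
    if domain.lower() in ALLOWLIST:
        return []
    label = normalize(domain)
    findings = []
    for brand in BRANDS:
        if label == brand:
            findings.append((brand, 'homoglyph or exact match'))
        elif brand in label:
            findings.append((brand, 'brand embedded in label'))
        elif len(brand) >= 8:
            # Edit distance only for longer brands; short ones such as amex
            # would otherwise match ordinary words one letter away.
            distance = levenshtein(label, brand)
            if distance <= max(1, len(brand) // 5):
                findings.append((brand, 'edit distance ' + str(distance)))
    return findings


def triage(domains):
    # Maps each flagged domain to its findings, skipping clean ones.
    result = {}
    for domain in domains:
        findings = classify(domain)
        if findings:
            result[domain] = findings
    return result


# A few domains quoted in this post plus benign controls (sample assumed for the example).
SAMPLE = ['paypa1.info', 'rnyetherwa11et.com', 'myetlherwa11et.com', 'mymyetherwallet.com',
          'blockchaifn.info', 'blockchart.info', 'amex-notification.com', 'dropbox-ch.co',
          'hsbc-sec.site', 'paypal.com', 'blockchain.info', 'example.org']

if __name__ == '__main__':
    for domain, findings in triage(SAMPLE).items():
        print(domain, findings)
```

The 'brand embedded' rule is deliberately loose (it will flag an unrelated word that happens to contain a short brand such as amex), which is acceptable for triage of a registrant's portfolio but not for blocking; the edit-distance threshold of one per five brand characters is what lets 'blockchart' through as a two-edit variant while keeping short brands out of that rule entirely.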
Most of the domains belonging to this registrant email appeared to be domainer-style domains located at TLDs such as .bid and .top, but we also see a heavy dose of illegitimate-looking domains in the set as well.\r\nSome typical domainer-style domains:\r\naapk.bid\r\naapo.bid\r\naapq.bid\r\naapu.bid\r\naapv.bid\r\naapw.bid\r\naapx.bid\r\njbanj.top\r\njcqth.top\r\njhtaq.top\r\njhugs.top\r\njian0.top\r\njian1.top\r\njian2.top\r\njian3.top\r\nIllegitimate domains:\r\namex-notification.com\r\namexaccountvalidate.com\r\namexcardcustomerservice.com\r\namexcardmail.com\r\namexcardpersonalsafetykey.com\r\namexcardpsk.com\r\namexcardsafetykey.com\r\namexcardservice.com\r\namexcardservicevalidate.com\r\namexcardsupport.com\r\namexcardsupportservice.com\r\namexcardsupportteam.com\r\namexcardverification.com\r\namexcardverified.com\r\namexcardverifier.com\r\namexcloudcervice.com\r\namexcustomersupport.com\r\namexmailnotification.com\r\namexotpcardcustomerservice.com\r\namexotpcardsupport.com\r\namexotpgenerate.com\r\namexotpgeneratesetup.com\r\namexotpsetup.com\r\namexotpsetupcustomerservice.com\r\namexotpsetupservice.com\r\namexpersonalsafekey.com\r\namexpersonalsafetykey.com\r\namexpersonalsafetykeyregistration.com\r\namexpersonalsafetykeysupport.com\r\namexpskcustomerservice.com\r\namexpskkey.com\r\namexpsksupport.com\r\namexsafetykeycustomerservice.com\r\namexverifier.com\r\namexverifierservice.com\r\ndocusign-australia.com\r\ndocusign-net.com\r\ndropboxbusinessaccount.com\r\nmail-asic-government-au.com\r\npostbank-kundennummer43.com\r\npostbank-kundennummerfinnaz.com\r\nsalesforceproaccount.com\r\nverifybyamericanexpress.com\r\nverifybyamexcards.com\r\nyandex-login.com\r\nyandex-user578185.com\r\nyandex-user912.com\r\nyandex-user952.com\r\nMore Domain Registrant Accounts Revealed\r\nWe can associate even more registrant email accounts with these same threat actors using similar techniques. While researching passive DNS for one of the domains we found previously, 'blokochain.info', we ran across something very interesting. That particular domain was hosted on October 21, 2017 on the IP address 47.254.18.28, which belongs to Alibaba as part of their cloud hosting product. When we analyze all the other domains which have been hosted on that same IP we see many domains that belong to the registrant email addresses we already knew about, 'whois-agent@gmx.com' and 'whois-protect@hotmail.com'. However, we also see several domains associated with different registrants.\r\nseoboss@seznam.cz\r\nLooking at the list of domains found on this same Alibaba IP we find the domain 'paltruise.gdn'. This domain is registered to the registrant email address 'seoboss@seznam.cz'. This registrant has registered 125 domains (DomainTools as of January 17, 2018), many of which have been linked to malicious activities. Public reports (linked in the original post) indicate that domains associated with this registrant email have been used as part of the Rig Exploit Kit infrastructure. The domain 'paltruise.gdn' was hosted on the 47.90.202.68 Alibaba IP address on October 19, 2017, only two days before the IP was used to host domains belonging to 'whois-protect@hotmail.com'.\r\ngalicole@mail.com\r\nThe domain 'indian-trk711.com' belongs to the registrant email address 'galicole@mail.com'.
The 'indian-trk711.com' domain was hosted on the 47.254.18.28 IP from October 25th through October 30th, 2017, also very close to the timeframe in which we saw the IP hosting the other malicious domains.\r\nAs of January 16, 2018, DomainTools attributes 918 domains to the registrant email address 'galicole@mail.com'. Among the domains associated with this address we find gems such as:\r\n1royalbankrbcdirect.top\r\namex-onlinesecurity.top\r\nbuydumps.top\r\nbuydumpsonline.top\r\ncarder-cvv-shop.top\r\ncarder-cvv.name\r\ncarding-cvv-shop.top\r\ncarding-shop-cvv.top\r\ncarding-shop-track2.top\r\ncardingcvv.top\r\ncardingshoponline.top\r\ncvv-carder.name\r\ncvv-online-market.com\r\ncvv-shop-carder.name\r\ncvv-valid.info\r\ncvv2-online-store.top\r\ncvvcarder.name\r\ncvvdumppluspin.top\r\ncvvshopcarder.top\r\ndumps-shop-valid.top\r\ndumps-valid-shop.top\r\ndumpsonlinestore.top\r\ndumpsshopvalid.top\r\nnetflic-validatesystem.info\r\nnetflix-information.info\r\nnetflix-supportvalidate.info\r\nnetflix-verifysupport.info\r\nnetflix-veriificationbilling.info\r\nnetflixveriify.info\r\nshop-dumps-valid.top\r\nshop-online-cvv2.info\r\nshop-online-dump.top\r\nshopcardingonline.top\r\nshopcardingtrack2.top\r\nshopcvv2online.biz\r\nshopcvvcarding.top\r\nshopdumpsvalid.top\r\nshoptrack2carding.top\r\nstore-cvv-online.biz\r\nstorecarderverified.biz\r\nstorecvv2.name\r\ntrack2-shop-verified.biz\r\ntrack2cardingshop.top\r\ntrack2verifiedshop.top\r\nvalid-dumps.top\r\nvalid-market-cvv.top\r\nvalid-shop-cvv.top\r\nvalid-shop-dumps.top\r\nvaliddumpsshop.top\r\nverified-carder-store.com\r\nverifiedcarderstore.biz\r\nverifieddumpsshop.top\r\nverifiedstorecarder.biz\r\nverifiedtrack2shop.info\r\nxlbs@tvchd.com\r\nThe domain 'daccat.at' is registered to 'xlbs@tvchd.com'.
A Google search for this domain produces a Hybrid Analysis report (linked in the original post) indicating that this particular domain was contacted by a piece of malware. At VirusTotal, 50/68 antivirus engines detect this particular sample as malicious.\r\njiamcho1955@dnsname.info\r\nSearching Google for this registrant email address yields multiple links to malware that reaches out to domains owned by 'jiamcho1955@dnsname.info'. VirusTotal corroborates this information, showing 48 and 53 antivirus detections respectively.\r\nOne Instance to Host Them All\r\nReaching out through various contacts, Talos was able to confirm that, in fact, a single Alibaba cloud instance was controlling this same IP address for the entire time period from October 19, 2017 through October 30, 2017. Is this IP address some part of a criminal domain hosting service? Or is it that a single nefarious enterprise is behind all of these various registrant email accounts and their associated domains? Only the criminals involved in this enterprise can say for certain. Talos continues to monitor this situation with an eye towards further deciphering the business model deployed by these miscreants.\r\nConclusion\r\nNow that Necurs is back from its regular holiday break it is attempting to fill our inboxes with junk mail and malware once again. On one hand, the size of the Necurs botnet and its ability to send from different nodes in every campaign make it difficult to defend against: standard IP address blocklists are ineffective against such tactics. Fortunately for network defenders, the fact that Necurs does relatively little to curate its recipient database limits the damage it can do. There are only so many times the same recipients will fall for Necurs' same, repetitive tricks.
We can expect that Necurs will continue to try variations on some of its tried and true attacks, and so user education against these threats remains paramount.\r\nSource: https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html"
	],
	"report_names": [
		"the-many-tentacles-of-necurs-botnet.html"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434346,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a0d30f77aaa254be5933e6cf6e6585f5443f364.pdf",
		"text": "https://archive.orkl.eu/3a0d30f77aaa254be5933e6cf6e6585f5443f364.txt",
		"img": "https://archive.orkl.eu/3a0d30f77aaa254be5933e6cf6e6585f5443f364.jpg"
	}
}