{
	"id": "d13ea2f3-7e7a-4f12-a2fb-f47690e4a5f0",
	"created_at": "2026-04-06T00:09:21.521116Z",
	"updated_at": "2026-04-10T13:11:40.758648Z",
	"deleted_at": null,
	"sha1_hash": "4173bae5ccf8e30c0c2f19dbcfd1293d32c51016",
	"title": "SIMDA: A Botnet Takedown | Security Intelligence Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2050736,
	"plain_text": "SIMDA: A Botnet Takedown | Security Intelligence Blog\r\nBy Trend Micro\r\nArchived: 2026-04-05 21:04:41 UTC\r\nThe collaboration between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in a triumph for the security industry earlier this week: the takedown of the SIMDA botnet. Trend Micro provided information such as the IP addresses of the affiliated servers and statistical information about the malware used, which led to the disruption of the botnet's activities.\r\nSIMDA, the Malware Behind the Botnet\r\nThe botnet relies on the backdoor SIMDA for its operations. One notable feature of the malware is that it modifies HOSTS files, which redirects users to malicious sites whenever they try to access legitimate sites. Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts (e.g., Yahoo Singapore, Bing Germany). This shows that the botnet creator wanted to affect as many users as possible, on a global scale. Here’s a sample screenshot of a modified HOSTS file.\r\nFigure 1. Modified HOSTS file\r\nhttps://web.archive.org/web/20150619155915/https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/\r\nPage 1 of 3\n\nAnalysis also reveals that the malware collects information about the affected system. It also checks for the presence of certain processes, including those used for malware analysis; the latter can be seen as a precaution against detection.\r\nFurther research shows that the botnet activity spanned the globe. We found that the redirection servers were located in 14 countries, including the Netherlands, Canada, Germany, Russia, and the United States. Botnet victims were also scattered: feedback from the Trend Micro™ Smart Protection Network™ lists at least 62 affected countries, including the United States, Australia, Japan, Germany, and Italy, among others. Below is a visualization of the redirection servers located in several countries:\r\nFigure 2. Redirection IPs\r\nBotnets in the Threat Landscape\r\nBotnets have deep ties throughout the threat landscape. For most cybercriminals, creating a botnet is the precursor to other malicious activities. Botnets can be used to send spam, perform distributed denial-of-service (DDoS) attacks, perform click fraud, or attack targeted domains.\r\nFor cybercriminals to launch these attacks, they need to be in constant communication with all their infected computers, whose numbers can reach the thousands and above. This is where command-and-control (C\u0026C) servers come in. A C\u0026C infrastructure gives cybercriminals a dedicated connection between themselves and their victims’ networks. Our Global Botnet Map shows the connection between bots and C\u0026C servers, highlighting the location of the C\u0026C servers and the victimized computers they control.\r\nBotnets are harmful to users in two ways: they push threats to users, and they force victims to be unwitting accomplices in malicious activities. Being part of a botnet means a user is no longer in control of his computer; the bot master dictates what the infected computers can and will do.\r\nAddressing Botnets\r\nCybercriminals employ different tricks to add more victims to their botnets. For example, they often take advantage of peer-to-peer (P2P) networks to distribute disguised malware. Spammed messages are another go-to method for adding more computers to their botnets.\r\nWe advise users to be cautious when opening emails. Avoid opening emails and attachments from senders who are unknown or who cannot be verified. P2P networks aren’t inherently malicious, but users should be aware that dealing with these sites can increase their chances of encountering malware. Users should also invest in a security solution that goes beyond simple malware detection; features such as spam detection and URL blocking can go a long way in protecting users from threats.\r\nWe mentioned that SIMDA modifies HOSTS files as part of its redirection routines. There might be instances where the modified HOSTS files remain even after SIMDA has been detected and removed from the affected computer. The presence of these modified files might lead to further infections. We advise users to manually check HOSTS files and to remove any suspicious record in these files.\r\nTrend Micro protects users from the SIMDA botnet by detecting malware variants as BKDR_SIMDA.SMEP and BKDR_SIMDA.SMEP2, and other BKDR_SIMDA variants. TROJ_HOSIMDA.SM is the Trend Micro detection name for the modified HOSTS files. All associated URLs have been blocked as well. Non-Trend Micro customers may use Trend Micro HouseCall for scanning.\r\nThis entry was posted on Sunday, April 12th, 2015 at 11:03 pm and is filed under Botnets.\r\nSource: https://web.archive.org/web/20150619155915/https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20150619155915/https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/"
	],
	"report_names": [
		"simda-a-botnet-takedown"
	],
	"threat_actors": [],
	"ts_created_at": 1775434161,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4173bae5ccf8e30c0c2f19dbcfd1293d32c51016.pdf",
		"text": "https://archive.orkl.eu/4173bae5ccf8e30c0c2f19dbcfd1293d32c51016.txt",
		"img": "https://archive.orkl.eu/4173bae5ccf8e30c0c2f19dbcfd1293d32c51016.jpg"
	}
}