{
	"id": "9a929e97-627b-45f5-b0f6-03998f3d2deb",
	"created_at": "2026-04-06T00:18:43.580131Z",
	"updated_at": "2026-04-10T13:11:26.35823Z",
	"deleted_at": null,
	"sha1_hash": "425cf086c06bf90a1e3a20923891e75735ddaf1a",
	"title": "Disrupting the Glupteba operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46006,
	"plain_text": "Disrupting the Glupteba operation\r\nBy Shane Huntley\r\nPublished: 2021-12-07 · Archived: 2026-04-05 23:13:44 UTC\r\nGoogle TAG actively monitors threat actors and the evolution of their tactics and techniques. We use our research\r\nto continuously improve the safety and security of our products and share this intelligence with the community to\r\nbenefit the internet as a whole.\r\nAs announced today, Google has taken action to disrupt the operations of Glupteba, a multi-component botnet\r\ntargeting Windows computers. We believe this action will have a significant impact on Glupteba's operations.\r\nHowever, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command\r\nand control mechanism that uses data encoded on the Bitcoin blockchain.\r\nGlupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and\r\noperate proxy components targeting Windows systems and IoT devices. TAG has observed the botnet targeting\r\nvictims worldwide, including the US, India, Brazil and Southeast Asia.\r\nThe Glupteba malware family is primarily distributed through pay-per-install (PPI) networks and via traffic\r\npurchased from traffic distribution systems (TDS). For a period of time, we observed thousands of instances of\r\nmalicious Glupteba downloads per day. The following image shows a webpage mimicking a software crack\r\ndownload which delivers a variant of Glupteba to users instead of the promised software.\r\nExample cracked software download site distributing Glupteba\r\nWhile analyzing Glupteba binaries, our team identified a few containing a git repository URL:\r\n“git.voltronwork.com”. This finding sparked an investigation that led us to identify, with high confidence,\r\nmultiple online services offered by the individuals operating the Glupteba botnet. 
These services include selling\r\naccess to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling\r\ncredit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and\r\npayment fraud on Google Ads.\r\nExample of a cryptocurrency scam uploaded to Google Ads by Glupteba services\r\nThis past year, TAG has been collaborating with Google’s CyberCrime Investigation Group to disrupt Glupteba\r\nactivity involving Google services. We’ve terminated around 63M Google Docs observed to have distributed\r\nGlupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their\r\ndistribution. Furthermore, 3.5M users were warned before downloading a malicious file through Google Safe\r\nBrowsing warnings.\r\nhttps://blog.google/threat-analysis-group/disrupting-glupteba-operation/\r\nPage 1 of 3\n\nIn the last few days, our team partnered with Internet infrastructure providers and hosting providers, including\r\nCloudflare, to disrupt Glupteba’s operation by taking down servers and placing warning interstitial pages in front\r\nof the malicious domain names. 
During this time, an additional 130 Google accounts associated with this\r\noperation were terminated.\r\nParallel to the analysis, tracking, and technical disruption of this botnet, Google has filed a lawsuit against two\r\nindividuals believed to be located in Russia for operating the Glupteba Botnet and its various criminal schemes.\r\nGoogle is alleging violations under the Racketeer Influenced and Corrupt Organizations Act (RICO), the\r\nComputer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Lanham Act, and tortious\r\ninterference with business relationships, and unjust enrichment.\r\nWhile these actions may not completely stop Glupteba, TAG estimates that combined efforts will materially affect\r\nthe actor’s ability to conduct future operations.\r\nGlupteba’s C2 Backup Mechanism\r\nThe command and control (C2) communication for this botnet uses HTTPS to communicate commands and\r\nbinary updates between the control servers and infected systems. To add resilience to their infrastructure, the\r\noperators have also implemented a backup mechanism using the Bitcoin blockchain. In the event that the main C2\r\nservers do not respond, the infected systems can retrieve backup domains encrypted in the latest transaction from\r\nthe following Bitcoin wallet addresses:\r\n'1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1' [1]\r\n'15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6' [2]\r\n'1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97' [3]\r\nThe following 32-byte AES keys for decryption are hard-coded in the binaries:\r\n'd8727a0e9da3e98b2e4e14ce5a6cf33ef26c6231562a3393ca465629d66503cf'\r\n'1bd83f6ed9bb578502bfbb70dd150d286716e38f7eb293152a554460e9223536'\r\nThe blockchain transaction’s OP_RETURN data can be decrypted using AES-256 GCM to provide a backup\r\ncommand and control domain name. The first 12 bytes of the OP_RETURN contain the IV, the last 16 bytes the\r\nGCM tag, while the middle section is the AES-256 GCM encrypted domain. 
Full details of Glupteba’s network\r\nprotocol can be found in this report from 2020. The following Python script illustrates how one can decrypt an\r\nencrypted domain name:\r\nIOCs\r\nRecent domains used for command and control:\r\nRecent sha256 hashes of malware samples:\r\nSource: https://blog.google/threat-analysis-group/disrupting-glupteba-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.google/threat-analysis-group/disrupting-glupteba-operation/"
	],
	"report_names": [
		"disrupting-glupteba-operation"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/425cf086c06bf90a1e3a20923891e75735ddaf1a.pdf",
		"text": "https://archive.orkl.eu/425cf086c06bf90a1e3a20923891e75735ddaf1a.txt",
		"img": "https://archive.orkl.eu/425cf086c06bf90a1e3a20923891e75735ddaf1a.jpg"
	}
}