{
	"id": "4f2acab8-6d5e-4cbc-8625-cb39993df269",
	"created_at": "2026-04-06T00:16:07.822583Z",
	"updated_at": "2026-04-10T13:11:46.345366Z",
	"deleted_at": null,
	"sha1_hash": "60053aec257bf5624aab7647869f21de22749fe8",
	"title": "FBI and international cops catch a NetWire RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40056,
	"plain_text": "FBI and international cops catch a NetWire RAT\r\nBy Jessica Lyons\r\nPublished: 2023-03-10 · Archived: 2026-04-05 21:27:57 UTC\r\nInternational law enforcement agencies have claimed another victory over cyber criminals, after seizing the\r\nwebsite, and taking down the infrastructure operated by crims linked to the NetWire remote access trojan (RAT).\r\nPolice in Croatia on Tuesday arrested a suspect who allegedly administered the worldwiredlabs website, which\r\nhas sold the NetWire malware for several years. On the same day, a US judge approved a seizure warrant that\r\nallowed federal authorities in Los Angeles to seize the internet domain, and Swiss law enforcement seized the\r\nserver hosting the NetWire RAT infrastructure.\r\nThe malware, first discovered in 2012, is often hidden in malicious files. The RAT is a favourite of cyber crime\r\ngangs and state-backed groups, and is frequently delivered by phishing attacks. After infecting a victim's\r\nsmartphone or laptop, the RAT's capabilities include stealing passwords, keylogging, and remotely controlling the\r\ndevice. \r\n\"By removing the NetWire RAT, the FBI has impacted the criminal cyber ecosystem,\" Donald Alway, the assistant\r\ndirector in charge of the FBI's Los Angeles field office, declared in a statement.\r\n\"The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in\r\norder to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals,\"\r\nAlway added. \r\nThe FBI's Los Angeles bureau opened an investigation into the malware distributor in 2020. 
As part of this,\r\nundercover agents created accounts on the website, paid for a subscription, and \"constructed a customized instance\r\nof the NetWire RAT using the product's Builder Tool,\" according to the affidavit in support of the seizure warrant.\r\nAs described in a warrant [PDF], Verisign redirected the worldwiredlabs domain to servers controlled by the FBI.\r\nNeither US nor Croatian authorities released the suspect's name. However infosec journalist Brian Krebs has\r\nidentified Mario Zanko of Zapresic, Croatia, as the owner of the domain since 2012.\r\nThe malware peddler allegedly sold NetWire licenses for between $10 and $1,200, according to Croatian police,\r\nwho have yet to determine the total illicit haul from selling the RAT. \r\nOther criminals who bought the malware used NetWire to target healthcare organizations and banks, they added.\n\nThe NetWire takedown follows several other international law enforcement operations over recent months\r\nintended to disrupt high-profile cyber crime gangs.\r\nEarlier this month German and Ukrainian cops, working with Europol and the FBI, arrested suspected members of\r\nthe DoppelPaymer ransomware crew and issued warrants for three other \"masterminds\" behind the global\r\noperation.\r\nIn January, US and international law enforcement partners shut down Hive's ransomware infrastructure following\r\na seven-month covert operation. 
During that time, the FBI hacked Hive's network and used that access to provide\r\ndecryption keys to more than 300 victims – saving them $130 million in ransomware payments, we're told.\r\nThat same month European cops arrested 15 suspected scammers and shut down a multi-country network of call\r\ncenters selling fake cryptocurrency that law enforcement alleged stole upwards of hundreds of millions of euros from\r\nvictims. ®\r\nSource: https://www.theregister.com/2023/03/10/fbi_netwire_seizure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.theregister.com/2023/03/10/fbi_netwire_seizure/"
	],
	"report_names": [
		"fbi_netwire_seizure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60053aec257bf5624aab7647869f21de22749fe8.pdf",
		"text": "https://archive.orkl.eu/60053aec257bf5624aab7647869f21de22749fe8.txt",
		"img": "https://archive.orkl.eu/60053aec257bf5624aab7647869f21de22749fe8.jpg"
	}
}