{
	"id": "1885d9a8-f79e-4cc5-9309-4894e3ac6884",
	"created_at": "2026-04-06T00:15:31.734766Z",
	"updated_at": "2026-04-10T13:11:39.938903Z",
	"deleted_at": null,
	"sha1_hash": "671c7c3146ff3c0d1e0f903d546816d6a0773377",
	"title": "Andromeda botnet dismantled in international cyber operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35346,
	"plain_text": "Andromeda botnet dismantled in international cyber operation\r\nBy Europol\r\nPublished: 2017-12-04 · Archived: 2026-04-05 15:11:42 UTC\r\nOn 29 November 2017, the Federal Bureau of Investigation (FBI), in close cooperation with the Luneburg Central\r\nCriminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint\r\nCybercrime Action Task Force (J-CAT), Eurojust and private-sector partners, dismantled one of the longest\r\nrunning malware families in existence called Andromeda (also known as Gamarue).\r\nThis widely distributed malware created a network of infected computers called the Andromeda botnet[1].\r\nAccording to Microsoft, Andromeda’s main goal was to distribute other malware families. Andromeda was\r\nassociated with 80 malware families and, in the last six months, it was detected on or blocked an average of over 1\r\nmillion machines every month. Andromeda was also used in the infamous Avalanche network, which was\r\ndismantled in a huge international cyber operation in 2016.\r\nSteven Wilson, the Head of Europol’s European Cybercrime Centre: “This is another example of international law\r\nenforcement working together with industry partners to tackle the most significant cyber criminals and the\r\ndedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private\r\npartnerships can impact these criminals and make the internet safer for all of us.”\r\nOne year ago, on 30 November 2016, after more than four years of investigation, the Public Prosecutor’s Office\r\nVerden and the Luneburg Police in Germany, the United States Attorney’s Office for the Western District of\r\nPennsylvania, the Department of Justice, the FBI, Europol, Eurojust and global partners, had dismantled the\r\ninternational criminal infrastructure Avalanche. 
This was used as a delivery platform to launch and manage mass\r\nglobal malware attacks such as Andromeda, and money mule recruitment campaigns.\r\nInsights gained during the Avalanche case by the investigating German law enforcement entities were shared, via\r\nEuropol, with the FBI and supported this year’s investigations to dismantle the Andromeda malware last week.\r\nJointly, the international partners took action against servers and domains, which were used to spread the\r\nAndromeda malware. Overall, 1500 domains of the malicious software were subject to sinkholing[2]. According\r\nto Microsoft, during 48 hours of sinkholing, approximately 2 million unique Andromeda victim IP addresses from\r\n223 countries were captured. The involved law enforcement authorities also executed the search and arrest of a\r\nsuspect in Belarus.\r\nSimultaneously, the German sinkhole measures of the Avalanche case have been extended by another year. An\r\nextension of this measure was necessary, as globally 55 per cent of the computer systems originally infected in\r\nAvalanche are still infected today.\r\nThe measures to combat the malicious Andromeda software as well as the extension of the Avalanche measures\r\ninvolved the following EU Member States: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland,\r\nSpain, the United Kingdom, and the following non-EU Member States: Australia, Belarus, Canada, Montenegro,\r\nSingapore and Taiwan.\r\nThe operation was supported by the following private and institutional partners: Shadowserver Foundation,\r\nMicrosoft, Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and\r\nassociated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics\r\n(FKIE), and the German Federal Office for Information Security (BSI).\r\nThe 
operation was coordinated from the command post hosted at Europol’s HQ.\r\n[1] Botnets are networks of computers infected with malware, which are under the control of a cybercriminal.\r\nBotnets allow criminals to harvest sensitive information from infected computers, such as online banking\r\ncredentials and credit card information. A criminal can also use a botnet to perform cyberattacks on other\r\ncomputer systems, such as denial-of-service attacks.\r\n[2] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected\r\nto servers controlled by law enforcement authorities and/or an IT security company. This may be done by\r\nassuming control of the domains used by the criminals or IP addresses. When employed at a 100% scale, infected\r\ncomputers can no longer reach the criminal command-and-control computer systems and criminals can therefore\r\nno longer control the infected computers. The sinkholing infrastructure captures victims’ IP addresses, which can\r\nsubsequently be used for notification and follow-up through dissemination to National CERTs and network\r\nowners.\r\nSource: https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation"
	],
	"report_names": [
		"andromeda-botnet-dismantled-in-international-cyber-operation"
	],
	"threat_actors": [
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/671c7c3146ff3c0d1e0f903d546816d6a0773377.pdf",
		"text": "https://archive.orkl.eu/671c7c3146ff3c0d1e0f903d546816d6a0773377.txt",
		"img": "https://archive.orkl.eu/671c7c3146ff3c0d1e0f903d546816d6a0773377.jpg"
	}
}