{
	"id": "676c5281-0df2-4875-b4da-dd33f3945a1b",
	"created_at": "2026-04-06T00:17:57.506897Z",
	"updated_at": "2026-04-10T13:12:59.915134Z",
	"deleted_at": null,
	"sha1_hash": "71c93736664577d7666c429f26b4645d57942d2f",
	"title": "Kelihos botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 153200,
	"plain_text": "Kelihos botnet\r\nBy Contributors to Wikimedia projects\r\nPublished: 2012-04-28 · Archived: 2026-04-05 12:40:09 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nThe Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.[1]\r\nThe Kelihos botnet was first discovered around December 2010.[2] Researchers originally suspected that they had found a new version of either the Storm or the Waledac botnet, because of similarities in the modus operandi and in the source code of the bot,[3][4] but analysis showed it was instead a new botnet of some 45,000 infected computers, capable of sending an estimated 4 billion spam messages a day.[5][6] In September 2011,[7] Microsoft took the botnet down in an operation codenamed \"Operation b79\".[5][8] At the same time, Microsoft filed civil charges against Dominique Alexander Piatti, dotFREE Group SRO and 22 John Doe defendants for suspected involvement in the botnet, on the grounds that they had issued 3,700 subdomains used by it.[8][9] These charges were later dropped when Microsoft determined that the named defendants had not intentionally aided the botnet controllers.[10][11]\r\nIn January 2012 a new version of the botnet was discovered, sometimes referred to as Kelihos.b or Version 2,[1][6][7] consisting of an estimated 110,000 infected computers.[1][12] During the same month Microsoft brought charges against Russian citizen Andrey Sabelnikov, a former IT security professional, as the alleged author of the Kelihos source code.[11][13][14] The second version of the botnet was shut down in March 2012 by several privately owned firms by sinkholing it, a technique that gave the companies control over the botnet while cutting off its original controllers.[2][15]\r\nFollowing the shutdown of the second version, a new version surfaced as early as 2 April 2012, though research groups disagree on whether it is simply the remnants of the disabled Version 2 botnet or a new version altogether.[16][17] At the time of its discovery this version was estimated at 70,000 infected computers. The Kelihos.c version mostly infects computers through Facebook, by sending users of the site malicious download links. Once a link is followed, a Trojan horse named Fifesoc is downloaded, which turns the computer into a zombie node of the botnet.[18]\r\nOn 24 November 2015 a Kelihos botnet event caused widespread false positives among blacklisted IPs:\r\n″November 24, 2015 Widespread false positives\r\nEarlier today, a very large scale Kelihos botnet event occurred - by large scale, many email installations will be seeing in excess of 20% Kelihos spam, and some will see their inbound email volume jump by a volume of as much as 500%. This isn't an unusual thing normally, the CBL/XBL has been successfully dealing with large scale Kelihos spam spikes like this, often daily, for years.\r\nThe email was allegedly from the US Federal Reserve, saying something about restrictions in \"U.S. Federal Wire and ACH online payments.\" Not only was the notice itself fraudulent, the attached Excel spreadsheet (.xls) contained macro instructions (a downloader) to download a Windows executable virus, most likely Dyreza or Dridex malware.\r\nThe detection rules initially deployed by the CBL unfortunately were insufficiently detailed, and listed a number of IP addresses in error.″[19]\r\nAn affidavit unsealed on 5 February 2018 showed Apple's unexpected role in bringing the Russian spam kingpin to justice. Peter Levashov allegedly ran the Kelihos botnet under the alias \"Severa\", renting out access to spammers and other cybercriminals. Despite Levashov's significant efforts at anonymity, court records show that federal agents had been surveilling his iCloud account since 20 May 2016, which fed back crucial information that may have led to his arrest. The standing federal iCloud warrant would have given authorities a running tab of the IP addresses used to log in to the account, which could easily have tipped them off to his vacation in Barcelona, Spain, where he was arrested at the request of US law enforcement and later extradited to the United States for prosecution.[20]\r\nStructure, operations and spread\r\nThe Kelihos botnet is a so-called peer-to-peer botnet, in which individual botnet nodes are capable of acting as command-and-control servers for the entire botnet. In traditional, non-peer-to-peer botnets, all nodes receive their instructions and \"work\" from a limited set of servers; if those servers are removed or taken down, the botnet no longer receives instructions and effectively shuts down.[21] Peer-to-peer botnets seek to mitigate that risk by allowing every peer to relay instructions to the rest of the botnet, which makes the botnet harder to shut down.[2]\r\nThe first version of the botnet was mainly involved in denial-of-service attacks and email spam, while version two added the ability to steal Bitcoin wallets as well as a program for mining bitcoins itself.[2][22] Its spam capacity allows the botnet to spread itself by sending malware links to users in order to infect them with a Trojan horse, though later versions mostly propagate over social network sites, in particular Facebook.[16][23] A more comprehensive catalogue of Kelihos spam is given in the research paper by Arora, Gannon and Warner.[24]\r\n[Image: U.S. v. Levashov search warrant (unsealed)]\r\nArrest and extradition\r\nOn 2 February 2018, the United States Department of Justice announced that a Russian national had been extradited from Spain and would be arraigned in Connecticut on charges stemming from his alleged operation of the Kelihos botnet. Peter Yuryevich Levashov, 37, also known as Pyotr Levashov,[25] Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, of St. Petersburg, had been detained on 7 April 2017 in Barcelona, when he was arrested by Spanish authorities on the basis of a criminal complaint and arrest warrant issued in the United States District of Connecticut.[26] On 3 February 2018 he pleaded not guilty to charges of wire and email fraud, hacking, identity theft and conspiracy after appearing before a federal judge in Connecticut, and was held in detention.[25] In September 2018, Levashov pleaded guilty.[27]\r\nCategories: Botnet; E-mail spam; Internet crime; Internet security; Malware\r\nReferences\r\n1. Mills, Elinor (28 March 2012). \"110,000 PC-strong Kelihos botnet sidelined\". CNET. Retrieved 28 April 2012.\r\n2. Ortloff, Stefan (28 March 2012). \"FAQ: Disabling the new Hlux/Kelihos Botnet\". Securelist.com. Retrieved 19 May 2020.\r\n3. Adair, Steven (30 December 2010). \"New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?\". Shadowserver. Archived from the original on 21 April 2012. Retrieved 28 April 2012.\r\n4. Donohue, Brian (29 March 2012). \"Kelihos Returns: Same Botnet or New Version?\". Threatpost. Archived from the original on 4 April 2012. Retrieved 28 April 2012.\r\n5. Mills, Elinor (27 September 2011). \"Microsoft halts another botnet: Kelihos\". CNET. Retrieved 28 April 2012.\r\n6. Kirk, Jeremy (1 February 2012). \"Kelihos botnet, once crippled, now gaining strength\". Network World. Archived from the original on 5 September 2012. Retrieved 28 April 2012.\r\n7. Constantin, Lucian (28 March 2012). \"Security Firms Disable the Second Kelihos Botnet\". PCWorld. Retrieved 28 April 2012.\r\n8. Boscovich, Richard (27 September 2011). \"Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case\". Microsoft TechNet. Retrieved 28 April 2012.\r\n9. Microsoft (26 September 2011). \"Operation b79 (Kelihos) and Additional MSRT September Release\". Microsoft TechNet. Retrieved 28 April 2012.\r\n10. Latif, Lawrence (27 October 2011). \"Microsoft drops Kelihos botnet allegations against ISP owner\". The Inquirer. Archived from the original on 30 October 2011. Retrieved 28 April 2012.\r\n11. Gonsalves, Antone (24 January 2012). \"Microsoft Says Ex-Antivirus Maker Ran Botnet\". CRN Magazine. Retrieved 28 April 2012.\r\n12. Warren, Tom (29 March 2012). \"Second Kelihos botnet downed, 116,000 machines freed\". The Verge. Retrieved 28 April 2012.\r\n13. Brewster, Tom (24 January 2012). \"Microsoft suspects ex-antivirus worker of Kelihos botnet creation\". IT PRO. Retrieved 28 April 2012.\r\n14. Keizer, Gregg (24 January 2012). \"Accused Kelihos botnet maker worked for two security firms\". ITworld. Retrieved 28 April 2012.\r\n15. Donohue, Brian (28 March 2012). \"Kaspersky Knocks Down Kelihos Botnet Again, But Expects Return\". Threatpost. Archived from the original on 12 April 2012. Retrieved 28 April 2012.\r\n16. Raywood, Dan (2 April 2012). \"CrowdStrike researchers deny that Kelihos has spawned a new version\". SC Magazine UK. Archived from the original on 6 April 2012. Retrieved 29 April 2012.\r\n17. Leyden, John (29 March 2012). \"Kelihos zombies erupt from mass graves after botnet massacre\". The Register. Retrieved 28 April 2012.\r\n18. SPAMfighter News (13 April 2012). \"Kelihos Botnet Re-emerges, This Time Attacking Social Networks\". SPAMfighter. Retrieved 28 April 2012.\r\n19. http://www.abuseat.org (full citation needed)\r\n20. \"Feds tracked down Russian spam kingpin with help from his iCloud account\". The Verge. Retrieved 6 February 2018.\r\n21. Grizzard, Julian; Dagon, David; Sharma, Vikram; Nunnery, Chris; Kang, Brent ByungHoon (3 April 2007). \"Peer-to-Peer Botnets: Overview and Case Study\". The Johns Hopkins University Applied Physics Laboratory. Retrieved 28 April 2012.\r\n22. SPAMfighter (5 April 2012). \"Security Companies Take Down Kelihos Botnet of Version 2\". SPAMfighter. Retrieved 28 April 2012.\r\n23. Jorgenson, Petra (6 April 2012). \"Kelihos Botnet Could Resurge via Facebook Worm\". Midsize Insider. Retrieved 29 April 2012. (dead link)\r\n24. Arora, Arsh; Gannon, Max; Warner, Gary (15 May 2017). \"Kelihos Botnet: A Never-Ending Saga\". Annual ADFSL Conference on Digital Forensics, Security and Law.\r\n25. \"Russian accused of running spam network extradited to US\". Deutsche Welle. 3 February 2018. Retrieved 2 April 2019.\r\n26. \"Alleged Operator of Kelihos Botnet Extradited From Spain\". www.justice.gov. 2 February 2018. Retrieved 3 February 2018.\r\n27. Farivar, Cyrus (13 September 2018). \"Russian man pleads guilty, admits he ran notorious Kelihos botnet\". Ars Technica. Retrieved 2 April 2019.\r\nSource: https://en.wikipedia.org/wiki/Kelihos_botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Kelihos_botnet"
	],
	"report_names": [
		"Kelihos_botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71c93736664577d7666c429f26b4645d57942d2f.pdf",
		"text": "https://archive.orkl.eu/71c93736664577d7666c429f26b4645d57942d2f.txt",
		"img": "https://archive.orkl.eu/71c93736664577d7666c429f26b4645d57942d2f.jpg"
	}
}