{
	"id": "4614b66f-1567-49be-8371-f29bc87f7530",
	"created_at": "2026-04-06T00:22:17.141845Z",
	"updated_at": "2026-04-10T03:21:08.49659Z",
	"deleted_at": null,
	"sha1_hash": "767acb43eac7acfb73c2e0da7d08b0db5e70f0a0",
	"title": "Doctor Web discovers a botnet that attacks Russian banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 196726,
	"plain_text": "Doctor Web discovers a botnet that attacks Russian banks\r\nPublished: 2016-11-14 · Archived: 2026-04-05 21:38:25 UTC\r\nNovember 14, 2016\r\nDoctor Web’s specialists have determined that the Trojan BackDoor.IRC.Medusa.1 was used by\r\ncybercriminals to carry out the recent series of DDoS attacks on the Rosbank and Eximbank of Russia\r\nwebsites.\r\nBackDoor.IRC.Medusa.1 is a malicious program belonging to the IRC bot category. Trojans of this category can\r\nunite into botnets and receive instructions over the IRC (Internet Relay Chat) protocol. After connecting to a\r\nspecific chat channel, IRC bots wait for directives. The main function of BackDoor.IRC.Medusa.1 is to perform\r\nDDoS attacks. Doctor Web’s security researchers believe this was the Trojan used to carry out the attack on\r\nSberbank of Russia that was recently covered by the mass media.\r\nBackDoor.IRC.Medusa.1 carries out several types of DDoS attacks and can also download and run executable\r\nfiles on an infected computer. The figure below shows a botnet operator manual published by the virus makers.\r\nThe manual describes a botnet created using BackDoor.IRC.Medusa.1 and contains a list of commands the\r\nTrojan can execute:\r\nThe Trojan is being actively promoted on underground forums. Its creators claim that a botnet consisting of 100\r\ninfected computers is capable of generating up to 20,000-25,000 requests per second with a peak value of 30,000.\r\nAs proof, they show a diagram of a test attack on the NGINX HTTP server:\r\nCurrently, 314 active connections are registered on one of the IRC channels controlling the\r\nBackDoor.IRC.Medusa.1 botnet. A Doctor Web analysis of the command log revealed that from November 11 to\r\nNovember 14, 2016, the cybercriminals attacked the following websites multiple times: rosbank.ru (Rosbank) and\r\neximbank.ru (Eximbank of Russia) as well as fr.livraison.lu and en.livraison.lu (the Livraison restaurant chain)\r\nand korytov-photographer.ru (a private website).\r\nThe signature for BackDoor.IRC.Medusa.1 is already in the Dr.Web for Linux database. Doctor Web’s specialists\r\nare keeping a close watch on the situation.\r\nSource: https://news.drweb.com/show/?i=10302\u0026lng=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://news.drweb.com/show/?i=10302\u0026lng=en"
	],
	"report_names": [
		"?i=10302\u0026lng=en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/767acb43eac7acfb73c2e0da7d08b0db5e70f0a0.pdf",
		"text": "https://archive.orkl.eu/767acb43eac7acfb73c2e0da7d08b0db5e70f0a0.txt",
		"img": "https://archive.orkl.eu/767acb43eac7acfb73c2e0da7d08b0db5e70f0a0.jpg"
	}
}