{
	"id": "36ef815a-9c77-4b4b-9841-4882a4149994",
	"created_at": "2026-04-06T00:06:06.960923Z",
	"updated_at": "2026-04-10T03:21:28.339583Z",
	"deleted_at": null,
	"sha1_hash": "7ee088bf5c23231e6f3e8c0fa94e5ee6fe9f589d",
	"title": "Joint Effort with Microsoft to Disrupt Massive Criminal Botnet Necurs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1976970,
	"plain_text": "Joint Effort with Microsoft to Disrupt Massive Criminal Botnet\r\nNecurs\r\nBy Written by Valter Santos Principal Threat Researcher\r\nArchived: 2026-04-05 18:41:33 UTC\r\nSince 2017 Bitsight has been working together with Microsoft’s Digital Crimes Unit (DCU) to understand the\r\ninner workings of the Necurs malware, its botnets and command and control infrastructure in order to take\r\ndisruptive action against the threat, including reverse engineering, malware analysis, modules updates, infection\r\ntelemetry and command and control updates and forensic analysis. This week, an action took place to disrupt all\r\nNecurs botnets, followed by mitigation and eradication actions.\r\nNecurs was first detected in 2012. It’s used in a variety of illegal activities, but it is primarily known as a dropper\r\nfor other malware, including GameOver Zeus, Dridex, Locky, Trickbot and others. Its main uses have been as a\r\nspambot, a delivery mechanism for ransomware, financial malware and for running pump and dump stock scams.\r\nFrom 2016 to 2019, it was the most prominent method to deliver spam and malware by criminals and was\r\nresponsible for 90% of the malware spread by email worldwide.\r\nThe malware infects a victim’s system by being dropped by other malware, through either spammed email\r\nattachments or malicious advertisements. Once on a system, Necurs utilizes its kernel mode rootkit capabilities to\r\ndisable a large number of security applications, including Windows Firewall, both to protect itself and other\r\nmalware on the infected system. Necurs is modular, in that it allows the operators to change how they operate it\r\nover time.\r\nIts botnets appear to be closely controlled by a single group. During our investigation we have identified eleven\r\nNecurs botnets; of these, four are the most active and constitute approximately 95% of all infections. 
Since March 2019 the Necurs botnets’ activity has stalled, but this left an estimated 2 million infected systems in a dormant state waiting for the botnets to revive. It’s not unusual for Necurs to stall operations from time to time, but it had never happened for such a long period of time until now.\r\nBitsight’s unique ability to observe massive global infections is the reason why law enforcement and private sector organizations have worked with us over the years on significant disruption initiatives.\r\nBack in 2016, we discovered that Necurs had around 1 million infected systems. Shortly after that post we had the opportunity to see a much bigger infection base of around 2 million infected systems in a 24 hour period.\r\nMeasuring infections for Necurs is not as simple as for other malware; this is due to how the malware establishes communication with its command and control (C2, see below) and how our sinkholes collect this information. Communication from the infected machines does not always reach us, so only on rare occasions do we have full visibility of all the botnets. On normal days of Necurs operation, our daily infection counters are below 50k infected systems when there are active C2s, and between 100k-300k when there are not. Even under circumstances where we do receive a higher number of connections from infected systems, the daily unique observations continue to be an underestimate of the true size of the botnet, but they still enable us to approximate changes over time.\r\nhttps://www.bitsight.com/blog/joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs\r\nPage 1 of 7\n\n
After March 2019, when active C2s were last seen, we observed a slight decrease in infections over time.\r\nThe following chart shows the evolution over the last years of how many infected systems reached out to our sinkholes:\r\n[Chart: Necurs infections observed in the last years in Bitsight sinkholes]\r\nThe following map shows how a week of Necurs infection telemetry is dispersed geographically:\r\n[Map: Geographic distribution of Necurs infections]\r\nThe breakdown by country for the first seven days of March 2020 is given by the following table, where the infection counter is measured by distinct IP addresses reaching our sinkholes. As stated above, the botnets are bigger and these numbers cover only a part of them:\r\nCountry Infections %\r\nIndia 90563 13.59%\r\nIndonesia 69530 10.43%\r\nTurkey 51605 7.74%\r\nVietnam 49190 7.38%\r\nMexico 40129 6.02%\r\nThailand 37081 5.56%\r\nIran 32807 4.92%\r\nPhilippines 24097 3.62%\r\nBrazil 16122 2.42%\r\nPakistan 11311 1.70%\r\nArgentina 11289 1.69%\r\nSpain 10223 1.53%\r\nVenezuela 9825 1.47%\r\nAlgeria 9806 1.47%\r\nMalaysia 8250 1.24%\r\nColombia 7832 1.18%\r\nItaly 7640 1.15%\r\nRomania 7191 1.08%\r\nUAE 6916 1.04%\r\nPeru 6584 0.99%\r\nUS 5757 0.86%\r\nSouth Africa 5519 0.86%\r\nSerbia 5293 0.79%\r\nBangladesh 4963 0.74%\r\nFrance 4892 0.73%\r\nOthers 132089 19.82%\r\nCommand and Control\r\nFor the Necurs infected systems to communicate with the botnet command and control (C2), the developers have implemented a layered approach using a mixture of centralized and peer-to-peer (P2P) communication channels in order to prevent botnet disruption by law 
enforcement, network operators and researchers. Necurs communicates with its operators via the following:\r\n- As the primary communication mechanism, a list of IPs and occasionally static domains is embedded in the malware sample itself.\r\n- If those are not working, Necurs uses its domain generation algorithms (DGA):\r\n  - A dummy DGA produces domains that are used to check whether the malware is running in a simulated environment.\r\n  - A second DGA-like mechanism fetches .bit domains that are not generated algorithmically but hard-coded. The .bit TLD is an alternative DNS model, maintained by Namecoin, that uses a blockchain infrastructure and is harder to disrupt when compared with ICANN regulated TLDs.\r\n  - The main DGA kicks in if none of the other methods were able to get an active C2. This DGA produces 2048 possible C2 domains every 4 days across 43 TLDs, including .bit. The DGA depends on the current date and a seed hardcoded in the binary. All domains are tried until one resolves and responds using the correct protocol.\r\n- Even if all the methods above fail, the C2 domain is retrieved from the P2P network, which is always active and acts as the main channel to update C2s. An initial list of about 2000 peers is hardcoded in the binary but can be updated at any time as needed. The peers in this list are known as supernodes: victim systems with elevated status within the infrastructure.\r\nTo make itself difficult to monitor there is another layer: the malware uses an algorithm that converts the IP addresses received through DNS to the real IP addresses of its servers. When connecting to that IP address, if it responds with the proper protocol the malware knows it’s communicating with an active C2.\r\nThe command and control complexity is completed with a tiered approach to the C2 infrastructure. 
When an infected system communicates with a C2, it is in reality communicating with multiple layers of C2 proxies; this is another way operators try to hide their core infrastructure and is common in more complex malware.\r\nThe first tier of C2s consists of cheap VPSs in countries such as Russia and Ukraine that reverse proxy all communications to the upstream C2s in tier-2, which are normally hosted in Europe and sometimes Russia, until the communication reaches the backend. The following diagram shows the relationship between what is seen in the first and second tiers; other tiers are out of scope for this post:\r\n[Diagram: Necurs C2 flow between tier-1 and tier-2]\r\nThe diagram shows that the C2s have three main components that are aligned with the malware capabilities:\r\n1. The main module is the core of Necurs. In the HTTP communication, the HTTP path can be used to differentiate each botnet. The tier-1 C2 reverse proxies all communication to a group of upstream C2s in tier-2 that are configured in nginx in a round-robin fashion.\r\n2. The spam module is configured in the same way as the main module in a tier-1 C2, but uses different HTTP paths (the dotted lines in the diagram above for the paths /forum/userdata.php and /forum/module.php belong to the spam module).\r\n3. The Proxy/DDoS module (see more here) also has its own component in the C2 and a different upstream C2. It uses an upstream server and also two Tor hidden services to communicate with the bot operators.\r\nThese two C2 tiers are proxies to the backend C2 system; for network defenders only the first tier is really important, and it’s enough to harden their networks against this threat.\r\nWith this joint action we hope to further Bitsight’s mission of creating a safer Internet and digital ecosystem. 
We knew in advance that Necurs had been in idle mode for a while and had already been replaced by others (Emotet), but nevertheless there were still an estimated 2 million infected bots waiting for their master’s commands, and that could happen at any time if no action was taken.\r\nA list of indicators of compromise is shared at the end of this post, composed of malware sample hashes, domains, and C2 and supernode IP addresses, all collected over a three-year period by Bitsight and our partners in regard to this operation. With this, we hope that researchers and network defenders can hunt and clean up Necurs infections in their networks in order to better eradicate it.\r\nHappy hunting. Over and out.\r\nRead the Microsoft announcement here\r\nReferences\r\nhttps://www.bitsight.com/blog/monitoring-necurs-the-tip-of-the-iceberg\r\nhttps://www.bitsight.com/blog/necurs-proxy-module-with-ddos-features\r\nhttps://www.johannesbader.ch/2015/02/the-dgas-of-necurs/\r\nhttps://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/\r\nhttps://www.virusbulletin.com/virusbulletin/2014/04/curse-necurs-part-1\r\nhttps://www.virusbulletin.com/virusbulletin/2014/05/curse-necurs-part-2\r\nhttps://www.virusbulletin.com/virusbulletin/2014/06/curse-necurs-part-3\r\nhttps://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/\r\nIndicators of Compromise\r\nThe following links allow you to download IOC files in multiple formats; please note that DGA domains are not included:\r\nIOCs in MISP JSON format\r\nIOCs in CSV format\r\nSource: https://www.bitsight.com/blog/joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs"
	],
	"report_names": [
		"joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs"
	],
	"threat_actors": [],
	"ts_created_at": 1775433966,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ee088bf5c23231e6f3e8c0fa94e5ee6fe9f589d.pdf",
		"text": "https://archive.orkl.eu/7ee088bf5c23231e6f3e8c0fa94e5ee6fe9f589d.txt",
		"img": "https://archive.orkl.eu/7ee088bf5c23231e6f3e8c0fa94e5ee6fe9f589d.jpg"
	}
}