{ "id": "8ac325a0-2a71-4c29-81ac-34db32850b9f", "created_at": "2026-04-06T00:16:48.99166Z", "updated_at": "2026-04-10T03:36:36.897822Z", "deleted_at": null, "sha1_hash": "818b5635b91cbb59771f7571db40bbaa26580bc8", "title": "Necurs botnet", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 55660, "plain_text": "Necurs botnet\r\nBy Contributors to Wikimedia projects\r\nPublished: 2016-06-27 ยท Archived: 2026-04-05 19:01:33 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nThe Necurs botnet is a distributor of many pieces of malware, most notably Locky.\r\nAround June 1, 2016, the botnet went offline, perhaps due to a glitch in the command and control server running\r\nNecurs. However, three weeks later, Jon French from AppRiver discovered a spike in spam emails, signifying\r\neither a temporary spike in the botnet's activity or return to its normal pre-June 1 state.[1][2]\r\nIn a 2020 report, it was noted to have particularly targeted India, Southeast Asia, Turkey and Mexico.[3]\r\nDistributed malware\r\n[edit]\r\nSource:[4]\r\nBart\r\nDridex\r\nLocky\r\nRockLoader\r\nGlobeimposter\r\nConficker\r\nCommand and control (malware)\r\nGameover ZeuS\r\nOperation Tovar\r\nTimeline of computer viruses and worms\r\nTiny Banker Trojan\r\nTorpig\r\nZeus (malware)\r\nZombie (computer science)\r\n1. ^ French, Jon (27 June 2016). \"Necurs BotNet Back With A Vengeance Warns AppRiver\". Retrieved 27\r\nJune 2016.\r\n2. ^ \"Pump and dump spam: Incapta Inc (INCT)\". Retrieved 22 Mar 2017.\r\n3. ^ \"Microsoft Hijacks Necurs Botnet that Infected 9 Million PCs Worldwide\". The Hacker News.\r\n4. ^ \"Hackers behind Locky and Dridex start spreading new ransomware\". Retrieved 27 June 2016.\r\nhttps://en.wikipedia.org/wiki/Necurs_botnet\r\nPage 1 of 2\n\nSource: https://en.wikipedia.org/wiki/Necurs_botnet\r\nhttps://en.wikipedia.org/wiki/Necurs_botnet\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://en.wikipedia.org/wiki/Necurs_botnet" ], "report_names": [ "Necurs_botnet" ], "threat_actors": [ { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434608, "ts_updated_at": 1775792196, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/818b5635b91cbb59771f7571db40bbaa26580bc8.pdf", "text": "https://archive.orkl.eu/818b5635b91cbb59771f7571db40bbaa26580bc8.txt", "img": "https://archive.orkl.eu/818b5635b91cbb59771f7571db40bbaa26580bc8.jpg" } }