{
	"id": "5bd68e9b-b265-4590-b348-56ee36da0f27",
	"created_at": "2026-04-06T00:10:14.32186Z",
	"updated_at": "2026-04-10T13:12:59.464609Z",
	"deleted_at": null,
	"sha1_hash": "83cc77beb6c371f8580623948176b27c3e927c75",
	"title": "Post-holiday spam campaign delivers Neutrino Bot | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 411875,
	"plain_text": "Post-holiday spam campaign delivers Neutrino Bot | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-01-10 · Archived: 2026-04-05 15:48:36 UTC\r\nThis post was co-authored by @hasherezade and Jérôme Segura\r\nDuring the Christmas season and early into the new year, we noticed a sharp decrease in spam volume, perhaps as online criminals took a break from their malicious activities and popped the champagne to celebrate. It could also have been a time to regroup and plan new strategies for the upcoming year.\r\nIn any case, over the weekend we observed a large new campaign purporting to be an email from ‘Microsoft Security Office’ with a link to a full security report (Microsoft.report.doc). This was somewhat unexpected, as typically the malicious Office files are directly attached to the email. Instead, the files are hosted on various servers with a short time-to-live window.\r\nThe booby-trapped document asks users to enable macros in order to launch the malicious code.\r\nhttps://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/\r\nPage 1 of 7\n\nNeutrino Bot\r\nIf the macro executes, the final payload will be downloaded and executed.\r\nThis is Neutrino Bot, which we had analyzed over a year ago, and it can:\r\nperform DDoS attacks\r\ncapture keystrokes, do form grabbing, take screenshots\r\nspoof DNS requests\r\ndownload additional malware\r\nAnalyzed samples\r\n2b796c0e248b02aa0c6fda288cb62531 – original sample\r\n621ea6c1f02470a137569be2f8412326 – unpacked stage 1 (loader)\r\n084f562da639bd4bfc6b92b7d5cdc014 – core bot\r\nDetails\r\nAfter the sample is deployed, it installs itself in %APPDATA% in a folder called “UmJn”. This folder name is typical for this particular edition of Neutrino Bot:\r\nIt starts connecting to the C\u0026C in order to fetch commands and perform the malicious actions by querying a script called “tasks.php”.\r\nThe list of URLs is hardcoded in the bot in the form of a Base64 string.\r\nURLs extracted from this sample:\r\nhttp://saferunater.top/n/tasks.php http://saferunater.xyz/n/tasks.php http://saferunater.space/n/task\r\nNeutrino uses a very simple method of authentication: it sends a cookie with a hardcoded value:\r\nPOST %s HTTP/1.0 Host: %s User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Fi\r\nIn the previously described version it was md5(“admin”). This time it is:\r\n\"bc00595440e801f8a5d2a2ad13b9791b\" -\u003e md5(\"just for fun\")\r\nWhile the goals of the bot and its major features didn’t change much, the code seems to be partially rewritten in comparison to the leaked version 3.9.4.\r\nHere is the old version, reporting to the CnC:\r\nThe new version, which seems to be 5.2, is much less verbose. It doesn’t use any strings that would indicate the purpose of any particular value. Additionally, some of the functions it uses are loaded dynamically and identified by checksums for the purpose of decreasing code readability:\r\nThe features are also reorganized. For example, there is still a feature for taking screenshots of the victim’s desktop, but its implementation details have changed:\r\nScreen grabbing is triggered by a command from the C\u0026C:\r\nThe created screenshot is immediately sent to the C\u0026C.\r\nIn the past, the same feature was implemented along with the keylogger.\r\nThe responsible thread is deployed, and the screenshot is taken periodically and saved to the logs along with other grabbed content. When the logs’ size exceeds a defined threshold, they are uploaded to the C\u0026C:\r\nThe implemented changes improved code quality by separating the particular features and give the operator more control over their execution. Still, the code is not obfuscated, but the authors tried to hide some strings that would explicitly show the purpose of particular commands.\r\nJust like in the previous case, we are dealing with a fully-fledged multipurpose bot, with various features allowing it to steal data and invade privacy, but also to use infected computers for DDoS attacks or to download other malware.\r\nProtection\r\nIt is important to remember to be particularly careful with Office documents masquerading as invoices or other such reports that leverage the macro feature to execute code that will download and retrieve the actual payload. As an end user, do not enable macros unless you completely trust the file or are running it in a virtualized environment. As an IT admin, you can set policies to permanently disable macros.\r\nMalwarebytes users are protected from this threat via the web or exploit protection modules.\r\nIOCs:\r\nMalicious doc:\r\nagranfoundation[.]org/Microsoft[.]report[.]doc\r\nxn--hastabakc-2pbb[.]net/Microsoft[.]report[.]doc\r\necpi[.]ro/Microsoft[.]report[.]doc\r\nilkhaberadana[.]com/Microsoft[.]report[.]doc\r\ncincote[.]com/Microsoft[.]report[.]doc\r\nmallsofjeddah[.]com/Microsoft[.]report[.]doc\r\ndianasoligorsk[.]by/Microsoft[.]report[.]doc\r\n8dd66dd191c9f0d2f4b5407e5d94e815e8007a3de21ab16de49be87ea8a92e8d\r\nNeutrino bot:\r\nwww.endclothing[.]cu[.]cc/nn.exe\r\n87b7e57140e790b6602c461472ddc07abf66d07a3f534cdf293d4b73922406fe\r\nb1ae6fc1b97db5a43327a3d7241d1e55b20108f00eb27c1b8aa855f92f71cb4b\r\nca64848f4c090846a94e0d128489b80b452e8c89c48e16a149d73ffe58b6b111\r\nSource: https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/"
	],
	"report_names": [
		"post-holiday-spam-campaign-delivers-neutrino-bot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83cc77beb6c371f8580623948176b27c3e927c75.pdf",
		"text": "https://archive.orkl.eu/83cc77beb6c371f8580623948176b27c3e927c75.txt",
		"img": "https://archive.orkl.eu/83cc77beb6c371f8580623948176b27c3e927c75.jpg"
	}
}