{
	"id": "2296779c-aa07-4096-bbdb-d56f6d831b0f",
	"created_at": "2026-04-06T00:13:36.407336Z",
	"updated_at": "2026-04-10T03:30:33.924992Z",
	"deleted_at": null,
	"sha1_hash": "899e8e19dc06eb52ffa2f08a74c7776d36b31063",
	"title": "New action to disrupt world’s largest online criminal network - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38321,
	"plain_text": "New action to disrupt world’s largest online criminal network -\r\nMicrosoft On the Issues\r\nBy Tom Burt\r\nPublished: 2020-03-10 · Archived: 2026-04-05 14:01:35 UTC\r\nToday, Microsoft and partners across 35 countries took coordinated legal and technical steps to disrupt one of the\r\nworld’s most prolific botnets, called Necurs, which has infected more than nine million computers globally. This\r\ndisruption is the result of eight years of tracking and planning and will help ensure the criminals behind this\r\nnetwork are no longer able to use key elements of its infrastructure to execute cyberattacks.\r\nA botnet is a network of computers that a cybercriminal has infected with malicious software, or malware. Once\r\ninfected, criminals can control those computers remotely and use them to commit crimes. Microsoft’s Digital\r\nCrimes Unit, BitSight and others in the security community first observed the Necurs botnet in 2012 and have\r\nseen it distribute several forms of malware, including the GameOver Zeus banking trojan.\r\nThe Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every\r\ncountry in the world. During a 58-day period in our investigation, for example, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.\r\nNecurs is believed to be operated by criminals based in Russia and has also been used for a wide range of crimes\r\nincluding pump-and-dump stock scams, fake pharmaceutical spam email and “Russian dating” scams. It has also\r\nbeen used to attack other computers on the internet, steal credentials for online accounts, and steal people’s\r\npersonal information and confidential data. Interestingly, it seems the criminals behind Necurs sell or rent access\r\nto the infected computer devices to other cybercriminals as part of a botnet-for-hire service. 
Necurs is also known\r\nfor distributing financially targeted malware and ransomware, cryptomining, and even has a DDoS (distributed\r\ndenial of service) capability that has not yet been activated but could be at any moment.\r\nOn Thursday, March 5, the U.S. District Court for the Eastern District of New York issued an order enabling\r\nMicrosoft to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim\r\ncomputers. With this legal action and through a collaborative effort involving public-private partnerships around\r\nthe globe, Microsoft is leading activities that will prevent the criminals behind Necurs from registering new\r\ndomains to execute attacks in the future.\r\nThis was accomplished by analyzing a technique used by Necurs to systematically generate new domains through\r\nan algorithm. We were then able to accurately predict over six million unique domains that would be created in the\r\nnext 25 months. Microsoft reported these domains to their respective registries in countries around the world so\r\nthe websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control\r\nof existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.\r\nMicrosoft is also taking the additional step of partnering with Internet Service Providers (ISPs) and others around\r\nthe world to rid their customers’ computers of malware associated with the Necurs botnet. This remediation effort\r\nis global in scale and involves collaboration with partners in industry, government and law enforcement via the\r\nMicrosoft Cyber Threat Intelligence Program (CTIP). 
Through CTIP, Microsoft provides law enforcement,\r\ngovernment Computer Emergency Response Teams (CERTs), ISPs and government agencies responsible for the\r\nenforcement of cyber laws and the protection of critical infrastructure with better insights into criminal cyber\r\ninfrastructure located within their jurisdiction, as well as a view of compromised computers and victims impacted\r\nby such criminal infrastructure.\r\nFor this disruption, we are working with ISPs, domain registries, government CERTs and law enforcement in\r\nMexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others. Each of us has a\r\ncritical role to play in protecting customers and keeping the internet safe.\r\nTo make sure your computer is free of malware, visit support.microsoft.com/botnets.\r\nTags: botnet, CTIP, cyberattacks, cybercrime, Microsoft Cyber Threat Intelligence Program, necurs, The Digital\r\nCrimes Unit\r\nSource: https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/"
	],
	"report_names": [
		"necurs-botnet-cyber-crime-disrupt"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434416,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/899e8e19dc06eb52ffa2f08a74c7776d36b31063.pdf",
		"text": "https://archive.orkl.eu/899e8e19dc06eb52ffa2f08a74c7776d36b31063.txt",
		"img": "https://archive.orkl.eu/899e8e19dc06eb52ffa2f08a74c7776d36b31063.jpg"
	}
}