{
	"id": "d5d5e0a7-3778-4cd1-8ce5-7a1023fac715",
	"created_at": "2026-04-06T01:30:46.399153Z",
	"updated_at": "2026-04-10T03:31:13.201619Z",
	"deleted_at": null,
	"sha1_hash": "8a722d07b6b1aa49d1cb58a9dea830f18545e17e",
	"title": "End of the Line for the Bredolab Botnet?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2671986,
	"plain_text": "End of the Line for the Bredolab Botnet?\r\nBy Alexei Kadiev\r\nPublished: 2010-12-20 · Archived: 2026-04-06 00:51:58 UTC\r\nOn 25 October 2010, the Dutch police force’s Cybercrime Department announced the shutdown of 143 Bredolab botnet control servers. The next day at Armenia’s Yerevan international airport, one of those formerly responsible for running the botnet was arrested. While it is certainly possible that this marked the end of Bredolab, the technologies behind it remain and can, unfortunately, still be used to create new botnets.\r\nA brief history of Bredolab\r\nMalicious programs from the Backdoor.Win32.Bredolab family were first detected by IT security labs as long ago as mid-2008. Bredolab’s key purpose is to download other malicious programs onto victim computers. The download management system, which includes a loader (Backdoor.Win32.Bredolab) and an administration panel, was offered for sale on hacker forums. It is this software that formed the foundation of the Bredolab botnet that appeared in mid-2009 and was, according to the Dutch police, comprised of approximately 30 million computers located in countries all over the world.\r\nOne of the botnet’s most distinguishing features was its method of operation: legitimate websites that had been hacked were used to spread the botnet’s payload. Visitors to these websites were redirected to malicious resources, which resulted in their computers being infected with Backdoor.Win32.Bredolab — everything operated automatically.\r\nHacked sites\r\nWhen the botnet was first created, it operated by hiding an iframe tag on hacked websites that linked to a malicious resource. In late 2009, this iframe tag was replaced with obfuscated JavaScript code known as the Trojan-Downloader.JS.Pegel script downloader. When the code executed, the browser decrypted the script tag and placed it on an HTML page with a link to a malicious resource. Pegel was designed to download exploits onto victim computers; in turn, these exploits downloaded Bredolab. The cybercriminals reverted to their former method of hidden iframe tags in the summer of 2010.\r\nIt is worth noting that the scheme used to spread Bredolab is similar to that used by the creators of the Gumblar botnet, while the obfuscation methods used with Pegel were reminiscent of the Gumblar script downloader’s functions.\r\nThe threat was essentially global: web resources containing malicious code were found in countries all over the world.\r\nhttps://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/\r\nPage 1 of 22\r\nDistribution of web resources infected by Trojan-Downloader.JS.Pegel by country: January-October 2010\r\nUsers in many countries faced the risk of their computers becoming infected with Bredolab.\r\nDistribution of victim computers infected by Trojan-Downloader.JS.Pegel by country: January-October 2010\r\nInternet forums were dotted with messages about obfuscated JavaScript code planted on legitimate websites; the code was redirecting users to web resources controlled by cybercriminals.\r\nAn example of a forum message\r\nAt the start of 2010, there were lots of forum messages similar to the example given here. At the time, one of the main distinguishing features of Pegel was the /*GNU GPL*/, /*LGPL*/, /*CODE1*/ or /*Exception*/ comment placed at the start of the malicious JavaScript code. The infected page’s code looked something like this:\r\nAn example of a legitimate web page that has been infected\r\nLater, the comments disappeared from the script code and the obfuscation became increasingly complex:\r\nAn example of an infected website in which the JavaScript code is more deeply obfuscated\r\nThe appearance of the links leading to the malicious resources used by Pegel during the early months of its existence deserves special mention. The domain portion and the path to the malicious script in these links were composed of known domain names, one after the other, for example:\r\nhxxp://twitpic-com.fastclick.com.shinobi-jp.bestb***site.ru:8080/google.com/google.com/novoteka.ru/vagos.es/radikal.ru/\r\nhxxp://google-com-sa.scribd.com.google-hr.bestb***site.ru:8080/bu520.com/bu520.com/google.com/56.com/ups.com/\r\nhxxp://staples-com.toysrus.com.ngoisao-net.cars***net.ru:8080/google.com/google.com/livedoor.biz/atwiki.jp/torrents.ru/\r\nSecond-level domains were made up of a series of two or three English words that are usually not used together. The creation of malicious links that resembled the URLs of popular web resources was one of the most favored social engineering methods among cybercriminals, as such a technique minimizes user suspicion.\r\nLater, the domain section of the links was also composed of second-level domains:\r\nhxxp://help***ecare.at:8080/vkontakte-ru/google.com/chinahr.com.php\r\nhxxp://jui***ile.ru:8080/sify-com/google.com/last.fm.php\r\nhxxp://pass***tblues.ru:8080/google.com/kijiji.ca/pornhub.com.php\r\nhxxp://best***kstar.info:8080/google.com/travian.com/youjizz.com.php\r\nLater still, the long paths disappeared from the links, and the path was changed to index.php.\r\nFast-flux networks\r\nDomains containing malicious links were registered in several domain zones, including ru, info, at, and com. Each domain resolved to five IP addresses and, in turn, each IP address was linked to numerous malicious domains.\r\nThe connections between IP addresses and malicious domains\r\nThe number of IP addresses fluctuated between twenty and forty. Over time, some addresses dropped off and new ones appeared. Periodically, the IP addresses connected to certain domains would change.\r\nA records at different points in time\r\nIt transpired that all of the IP addresses used belonged to dedicated servers, or virtual dedicated servers, of a variety of hosting providers. Moreover, further analysis showed that port 80 on many such servers was serving popular websites that had no links to any criminal activity. A detailed picture of the situation leads one to believe that the servers hosting malicious domains had potentially been hacked. The cybercriminals used some of the registered domains for DNS services on these very same hacked servers. Furthermore, the NS records — like the A records — changed periodically.\r\nNS records at various points in time\r\nThe details described above fit the profile of fast-flux networks, or more specifically, double-flux networks, where the addresses of the DNS servers also change.\r\nThere is another interesting fact: in the overwhelming majority of cases, all malicious links pointed to port 8080, while the HTTP headers of the server’s response contained ‘nginx’ in the Server field. Nginx is a very commonly used HTTP server that is often employed as a reverse proxy. Users who followed a malicious link were routed to proxy servers that then redirected the request to the botnet’s actual control center.\r\nA fast-flux network consisting of proxy servers helps to conceal the botnet’s command center from IT security professionals. All of the requests to download malicious code that originated from the malicious JavaScript and exploits, as well as the Bredolab requests sent to the command center, passed through the fast-flux network’s proxy servers.\r\nMost domains on the fast-flux network were registered by the cybercriminals themselves. However, in the early summer of 2010, some domains appeared that were actually third-level subdomains:\r\nkollinsoy.skyef***on.com\r\naospfpgy.dogpl***tation.com\r\noployau.fancou***logger.com\r\nhosotpoyu.credi***brary.com\r\nWhile the third-level domains pointed to Bredolab’s fast-flux network proxy servers, the second-level domains from these links were planted on legitimate sites. The IP addresses of the third-level and second-level domains were different from one another. Somehow, probably by hacking user account details or another similar method, the cybercriminals were able to control the DNS settings of these websites.\r\nInfection of victim computers\r\nAfter Pegel or the iframe redirected the user’s browser to a malicious site, JavaScript code was downloaded:\r\n…that looked like this after deobfuscation:\r\nAfter executing, the JavaScript code planted the following HTML code on the page:\r\nYet another JavaScript code was downloaded from the link…\r\n…and following deobfuscation, its fragment looked like this:\r\nThis code redirected user requests in the browser to exploits.\r\nThese exploits took advantage of the following vulnerabilities in Adobe Acrobat functions: util.printf (CVE-2008-2992), Collab.collectEmailInfo (CVE-2008-0655), Collab.getIcon (CVE-2009-0927), and media.newPlayer (CVE-2009-4324). In the Java virtual machine they took advantage of CVE-2010-0886, and they also exploited the MDAC RDS.Dataspace ActiveX component (CVE-2006-0003).\r\nA fragment of deobfuscated JavaScript code in a PDF exploit\r\nThe Java exploit is downloaded in two stages: the first download is the Applet1.html page, which contains a tag naming a jar file. The exploits are downloaded next.\r\nThe Applet1.html page that downloads a Java exploit\r\nOnce this process has taken place, the exploits are downloaded onto the victim computer and proceed to launch the malicious Backdoor.Win32.Bredolab, which then downloads and launches other malicious programs.\r\nThe stages of infection of a victim computer\r\nThe botnet in action\r\nOnce it has launched on a victim computer, and in order to download more malicious programs, the bot sends a request like the one below to its command center:\r\nhttp://ba***il.ru:8080/new/controller.php?action=bot\u0026entity_list=\u0026first=1\u0026rnd=981633\u0026id=1\u0026guid=3676040431\r\nIn the body of the reply from the botnet’s command center, we can see encrypted executables, usually in the form of three or four files, which follow one after the other.\r\nA command center reply containing encrypted malware\r\nThe header of the reply contains the Entity-Info field, which is composed of a list of elements separated by semicolons. Each element describes one of the executables found in the body of the reply. Each element is separated from a numeric field by a colon; the numeric field immediately following the element contains the size of the respective executable file. In this way, it is possible to identify where one file ends and the next begins.\r\nThe reply header’s Magic-Number field contains the key to deciphering the body of the reply. It is composed of numbers separated by the ‘|’ symbol. The first number is the length of the key, and the second denotes the deciphering algorithm, the number 1 being a plain XOR; the rest of the field is the deciphering key. Note that the malicious JavaScript code, the exploits, Bredolab, and the other malicious programs that were installed by Bredolab on the victim computer were all downloaded from the same domains on the Bredolab botnet’s fast-flux network.\r\nBredolab downloaded a fairly wide variety of malicious programs to victim computers:\r\nTrojan-Spy.Win32.Zbot,\r\nTrojan-Spy.Win32.SpyEyes,\r\nTrojan-Spy.Win32.BZub,\r\nBackdoor.Win32.HareBot,\r\nBackdoor.Win32.Blakken,\r\nBackdoor.Win32.Shiz,\r\nTrojan-Dropper.Win32.TDSS,\r\nTrojan-Ransom.Win32.PinkBlocker,\r\nTrojan.Win32.Jorik.Oficla.\r\nThis list is far from complete.\r\nSome of these malicious programs transmit parameters to their command center that denote a partner’s identification number. For example, Backdoor.Win32.Shiz, when downloaded by Bredolab, transmits the parameter seller=15, which means that it was installed on the system via Bredolab. The transmission of these ID numbers to the command center usually means that the malicious program is being spread via partners. This, in addition to the variety of software downloaded by Bredolab, points to the way in which the owners of the Bredolab botnet were making money from their creation: they were generating revenue from downloads. In other words, they sold the software to other cybercriminals in the form of downloads.\r\nOf all of the downloaded software, Trojan-PSW.Win32.Agent.qgg deserves special mention. Once it is installed on a victim machine, this Trojan attempts to find the passwords for FTP accounts saved in the following clients: Filezilla 3, Ftp Explorer, Ftp Navigator, FlashFXP, BulletProof Ftp, FTPRush, CuteFtp, Firefox, ALFTP, Auto FTP, Far 2, Total Command, and Frigate 3.\r\nWhen it finds any passwords, the Trojan sends them to the cybercriminals’ server.\r\nTrojan-PSW.Win32.Agent.qgg is interesting because the server to which the Trojan sends its stolen passwords belonged to the owner of the Bredolab botnet. The stolen FTP account passwords helped the cybercriminals to infect legitimate sites with malicious code. This vicious cycle turned out to be very effective indeed.\r\nThe malicious cycle\r\nAfter close examination, it became clear how the botnet was created.\r\n1. When visiting a site infected by Pegel or the iframe, the user’s browser downloads a page containing malicious JavaScript code.\r\n2. This code initiates the download of Bredolab onto the victim computer. In turn, Bredolab downloads other malicious programs, including a Trojan that steals passwords to FTP accounts. All of these operations take place via reverse-proxy servers which conceal the botnet’s actual command center.\r\n3. After some time, the website for which the account details were stolen also becomes infected. Using the stolen usernames and passwords for FTP accounts, some, though not all, of the website’s contents are downloaded from the server. Only those files that start with index*, default* and main* are targeted, as well as all of the files with the *.js extension. These files are then uploaded back onto the website having been injected with malicious code. Remarkably, the download and subsequent upload operations take place via numerous IP addresses. Each file can be downloaded from one IP address, and then uploaded from another.\r\n4. After another user visits the infected site, the process described above begins all over again.\r\nClearly, the computers that ended up participating in the infection of the website are proxy servers. The cybercriminals employed two groups of proxy servers: one for infecting victim computers, and a second for infecting websites. These two server groups do not appear to interact in any way.\r\nA fragment of the FTP log illustrating the website infection process\r\nHow the Bredolab botnet was created\r\nThis method of proliferation was employed by the cybercriminals throughout Bredolab’s entire existence.\r\nTraffic\r\nThe botnet’s self-sustaining capability as described above is no doubt effective, if only for the way that it automated the process of infecting ever more computers. However, it does have one flaw. The scheme starts to work only the moment the user is redirected from the infected legitimate resource to a malicious domain on the fast-flux network. Furthermore, the number of victim computers infected by Bredolab that have administrative access to some kind of website is limited. This in turn reduces the number of web resources that cybercriminals can infect using stolen FTP account credentials. Malware was removed from sites with high hit-rates relatively quickly: the larger the number of visitors a site had, the higher the probability that a user would notice something suspicious and file a report with the website’s administrators. So, although the self-sustaining capability is effective as mentioned previously, the actual number of infected machines resulting from this approach turned out to be too low for the cybercriminals’ purposes.\r\nIn order to boost the effectiveness of their attacks, the cybercriminals needed to increase traffic, that is to say, the number of visitors redirected to malicious fast-flux network domains, so they tried a variety of methods to accomplish this goal.\r\nStarting in December 2009, many legitimate websites, including some very popular ones, were infected with obfuscated JavaScript code in order to redirect users to malicious resources. Had an Internet user opened the page in their browser, the code view may well have looked like this example:\r\nAn example of code from an infected website\r\nAfter the browser deciphered the code, the page was seeded with code containing Trojan-Downloader.JS.Pegel, which then redirected the user to a malicious resource.\r\nUsers may well have received a link to malicious content labeled “with home delivery” in a spam email. In June 2010, the Trojan-Downloader.JS.Pegel.g variant ranked first among the most prevalent malicious attachments in email traffic.\r\nThe most widespread malicious files delivered by email in June 2010\r\nSome malicious spam attacks were relatively sophisticated. In June 2010, there was also a wave of spam purporting to be messages from popular websites such as Twitter, YouTube, Amazon, Facebook, Skype and others. These emails contained either HTML attachments infected with Pegel, or links to infected websites.\r\nAn example of a spam email with links to a malicious website\r\nIf a user clicked on the link, the infected site would load an HTML page with the following code into the browser:\r\nPLEASE WAITING 4 SECOND…\r\nAfter a few seconds, the meta-refresh tag would redirect the user to the Canadian Pharmacy website, which sells Viagra and other medication.\r\nThe Canadian Pharmacy website\r\nMeanwhile, the link contained in the iframe tag would redirect users to one of the proxy servers in the fast-flux network in order to infect the computer with Bredolab.\r\nIn August 2010, another source of traffic was also identified. The Asprox spambot, which is capable of SQL injection against websites written in ASP, started to infect legitimate websites by injecting an iframe with a link to the ****n.ru/tds/go.php?sid=1 path.\r\nGET /page.asp?id=425;declare%20@s%20varchar(4000);set%20@s=cast(0x6445634c417245204054207661526368615228323535292c406320…5205461424c655f435552736f7220%20as%20varchar(4000));exec(@s);-\r\nAn example of an SQL injection used by the Asprox bot\r\nAfter a user had visited the infected site, their browser would load the link contained in the iframe tag. This link led to a TDS (traffic distribution system), which then redirected the browser to malicious domains that belonged to the owners of Bredolab’s fast-flux network in order to infect the user’s computer with Bredolab. Approximately 10 thousand users per day were redirected in this way.\r\nFinally, in September 2010 the latest method used to redirect users to Bredolab’s fast-flux network domains was discovered. Legitimate websites were hacked via the OpenX banner generator. A vulnerability in the Open Flash Chart 2 component allowed cybercriminals to upload files of their choice to the server. As a result, popular websites such as thepiratebay.org, tucows.com, afterdawn.com, esarcasm.com, and tutu.ru had banner ads replaced. The banner ads were Flash files containing ActionScript code that redirected users to malicious resources. At the same time, a DDoS attack was launched against the official OpenX project site, leaving users unable to download engine updates to patch the vulnerability for several days.\r\nA fragment of a malicious SWF file\r\nA fragment of ActionScript code planted in an HTML page script tag with a link to a malicious site\r\nAfter a strong upsurge in June related to the spread of spam with links to the botnet’s malicious resources, Pegel activity diminished. Nevertheless, the threat could have remained very real — if the Bredolab botnet had not been shut down.\r\nConclusion\r\nThe owners of the Bredolab botnet created and controlled a network of over 30 million zombie computers that functioned over a long period of time. In order to keep the botnet up and running, the cybercriminals skillfully and effectively concealed the botnet’s command center using fast-flux network techniques. This scheme not only provided reliable sustainability for the botnet’s command center, it also simplified management of malicious content: instead of having to manage malicious sites on multiple nodes, all the cybercriminals had to do was place one such site on the command and control centre and set up redirectors.\r\nDue to its complexity, the Bredolab botnet was most likely controlled by more than one person. However, at this point only one cybercriminal has been arrested in connection with this botnet. It is possible that the other participants in this criminal group are still engaging in these activities, since the scheme that they came up with and put into operation is rather effective. The technologies used to create and maintain the botnet’s performance — obfuscated JavaScript code that downloads exploits, the repetitive cycle of building up zombie networks, and the creation of network infrastructure using fast-flux, among other things — are a worthy addition to the cybercriminals’ arsenals.\r\nOne of the key features of the Bredolab botnet is the closely repeating cycle it used to build up its zombie networks, in which infected computers subsequently infected websites, which in turn infected new victim computers. Furthermore, the search for new ways to redirect users to malicious domains was ongoing. The main source of threat in this instance was the infected websites that, when visited, would download malicious programs. Information from the infected user computers could then be used to infect new websites.\r\nIn order to protect yourself against this type of threat, you should follow the security recommendations below regarding computers and websites:\r\nProtecting your computer\r\nPromptly install updates and patches for your operating system and third-party applications, as most exploits and worms take advantage of software vulnerabilities for which patches are already available.\r\nOf course, you must also install a proprietary antivirus program and keep your antivirus database up to date. Antivirus programs are not a panacea, but they can significantly minimize the risk of computer infection.\r\nAlways avoid clicking on links in spam emails, instant messaging apps and in messages from people you are not familiar with on social networks. No further explanation needed.\r\nProtecting websites\r\nVulnerabilities in website coding can be used to infect a website. In order to minimize the chances that cybercriminals will take advantage of a vulnerability, monitor the software updates released and promptly update your website’s software.\r\nKeep in mind that some services provide malware code scanning and scanning for unauthorized content changes.\r\nFor security purposes, it is best to switch off any autosave functionality for FTP passwords in FTP clients. Remember, many programs that steal FTP account passwords, particularly Bredolab’s Trojan-PSW.Win32.Agent.qgg, search for passwords that have been saved on an infected computer.\r\nIt may be useful to make a backup copy of your website from time to time, including any databases and files that may contain important data, so that your data is safe in the event of infection.\r\nIf your site becomes infected despite your best efforts to protect it, simply deleting malicious code from the site may not be sufficient. For example, if your FTP password is stolen, the site may be re-infected at a later date. Take the following steps to resolve the issue fully:\r\n1. Check for any updates for the website’s software and download them; this will help to prevent infection taking place through vulnerabilities.\r\n2. Use a proprietary antivirus product with the most up-to-date antivirus databases, and do a full scan of your computers that have access to the website’s FTP account.\r\n3. Change the password to your FTP account regularly.\r\n4. Remove malicious code from the site.\r\nBy following the above recommendations, you can help to minimize the risk of your computer resources becoming part of a botnet. Don’t forget — it’s always much easier to prevent an infection than it is to deal with the consequences of an infection.\r\nSource: https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/"
	],
	"report_names": [
		"36335"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439046,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a722d07b6b1aa49d1cb58a9dea830f18545e17e.pdf",
		"text": "https://archive.orkl.eu/8a722d07b6b1aa49d1cb58a9dea830f18545e17e.txt",
		"img": "https://archive.orkl.eu/8a722d07b6b1aa49d1cb58a9dea830f18545e17e.jpg"
	}
}