{
	"id": "84c15b12-5d0d-4046-a74e-99bacc168d6d",
	"created_at": "2026-04-06T01:30:50.207123Z",
	"updated_at": "2026-04-10T03:37:09.403789Z",
	"deleted_at": null,
	"sha1_hash": "8f174ac4529ba659c48c45d50307b72d83815665",
	"title": "Meet Kraken: A New Golang Botnet in Development",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1525069,
	"plain_text": "Meet Kraken: A New Golang Botnet in Development\r\nBy ZeroFox Team\r\nPublished: 2022-02-16 · Archived: 2026-04-06 00:21:03 UTC\r\nFebruary 22, 2022 Editor’s Note: Since conducting his initial research, ZeroFox Intelligence Researcher\r\nStephan Simon has uncovered additional details about the operators and the botnet. Updates have been\r\npublished here.\r\nIn late October 2021, ZeroFox Intelligence discovered a previously unknown botnet called Kraken. Though still\r\nunder active development, Kraken already features the ability to download and execute secondary payloads, run\r\nshell commands, and take screenshots of the victim’s system. It currently makes use of SmokeLoader—a piece of\r\nmalware used to install other malicious software—to spread, quickly gaining hundreds of bots each time a new\r\ncommand and control server is deployed. Despite having the same name, it should not be confused with the\r\nKraken botnet from 2008 as they have little else in common.\r\nDetails\r\nSince October 2021, ZeroFox Intelligence has been tracking Kraken – a previously unknown botnet targeting\r\nWindows that is currently under active development. Although the bot is simple in functionality, the author has\r\nbeen experimenting with new features while altering others. Current iterations of Kraken feature the ability to:\r\nMaintain persistence\r\nCollect information about the host for registration (varies per version)\r\nDownload and execute files\r\nRun shell commands\r\nSteal various cryptocurrency wallets\r\nTake screenshots\r\n“Open Source” Beginnings\r\nEarly versions of Kraken were based on code uploaded to GitHub on October 10, 2021. The project only had two\r\ncommits, and the source code pre-dated any binaries ZeroFox observed in the wild. 
It is not currently known if the\r\nGitHub profile belongs to the botnet’s operator or if the operator simply used the code to kickstart their\r\ndevelopment.\r\nhttps://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/\r\nFigure 1. GitHub repository page for an early version of Kraken\r\nSource: ZeroFox Intelligence\r\nObserved Infection Vector\r\nThanks to a tip by @abuse_ch, ZeroFox learned that Kraken originally spread in self-extracting RAR SFX files\r\ndownloaded by SmokeLoader. These SFX files contained a UPX-packed version of Kraken, RedLine Stealer, and\r\nanother binary used to delete Kraken. Current versions of Kraken are now downloaded by SmokeLoader directly.\r\nKraken binaries are still UPX-packed but are now further protected by the Themida packer as well.\r\nFigure 2. Screenshot of a Kraken SFX archive’s contents\r\nSource: ZeroFox Intelligence\r\nInstallation and Persistence\r\nDuring Kraken’s installation phase, it attempts to move itself into %AppData%\\Microsoft. The file name is\r\nhardcoded, though the author has changed it a few times. ZeroFox has observed file names such as taskhost.exe,\r\nRegistry.exe, and Windows Defender GEO.exe.\r\nTo stay hidden, Kraken runs the following two commands:\r\n1. powershell -Command Add-MpPreference -ExclusionPath %APPDATA%\\Microsoft\r\n2. attrib +S +H %APPDATA%\\Microsoft\\\u003cEXE_NAME\u003e\r\nThe PowerShell command tells Microsoft Defender not to scan Kraken's installation directory, while the attrib\r\ncommand hides the copied EXE from any Explorer window that does not have the “Show hidden\r\nfiles, folders, and drives” option enabled. Two points matter for defenders: Add-MpPreference changes Defender's\r\nconfiguration and therefore only succeeds when the bot is running with administrator rights, and a successful\r\nexclusion change is recorded in the Microsoft-Windows-Windows Defender/Operational log as event ID 5007, so\r\nboth the command line itself and that event are worth alerting on.\r\nKraken also makes use of the Windows Run registry key to ensure it starts every time the victim logs in.\r\nFigure 3. 
Kraken’s Run key persistence\r\nSource: ZeroFox Intelligence\r\nA mix of fake and real information is stored in a new registry key under HKEY_CURRENT_USER\\Software. The\r\nvalues are written during installation and, in every build examined, are never read back afterwards. The name of\r\nthe key is another hardcoded value, though it has also changed occasionally. Early versions of Kraken observed by\r\nZeroFox created a key with the name “Networking Service” or some slight variation, such as “Networking5\r\nServic1e” and “Netrworking5r Servirc1er”.\r\nFigure 4. Kraken registry information\r\nSource: ZeroFox Intelligence\r\nAside from the hard-coded name for the registry key, the following values shown in Figure 4 have remained\r\nthe same in every version ZeroFox has encountered in the wild:\r\nID - obfuscated UUID\r\nINSTALL - installation timestamp\r\nLAST - empty\r\nNAME - obfuscated binary and Run key name (minus file extension)\r\nREMASTER - always “nil”\r\nVERSION - always “0.5.6”\r\nBecause the key name changes between builds while this set of value names (and the constant REMASTER and\r\nVERSION contents) does not, the value set is the more reliable host indicator when hunting for Kraken.\r\nFeatures\r\nKraken’s feature set is simplistic for a botnet. Although not present in earlier builds, the bot is capable of\r\ncollecting information about the infected host and sending it back to the command and control (C2) server during\r\nregistration. The information collected seems to vary from build to build, though ZeroFox has observed the\r\nfollowing being collected:\r\nHostname\r\nUsername\r\nBuild ID (TEST_BUILD_ + the timestamp of the first run)\r\nCPU details\r\nGPU details\r\nOperating system and version\r\nThe botnet also features the ability to download and execute files. Originally, Kraken contained separate but\r\nsimilar functions for downloading files for different situations, such as updating the bot itself, executing secondary\r\npayloads, and receiving files through direct socket connection. 
These functions have since been combined into\r\none, while the redundant functions were removed.\r\nKraken’s operators are able to run shell commands on infected hosts from the dashboard as well, returning the\r\nresults back to the C2 server.\r\nSSH brute-forcing functionality was added to some builds but was quickly removed. This function was hardcoded\r\nto attempt logging in as the root user of a given target and assumed a server would be listening on the default\r\nport (TCP/22). ZeroFox did not see any evidence of this feature being used, which likely explains its quick removal.\r\nUpon execution, Kraken immediately takes a screenshot to send to the C2. A “ScreenShot” command also exists if\r\nthe operator decides to take screenshots of the victim’s system on demand.\r\nThe most recent feature addition is the ability to steal various cryptocurrency wallets from the following locations:\r\n%AppData%\\Zcash\r\n%AppData%\\Armory\r\n%AppData%\\bytecoin\r\n%AppData%\\Electrum\\wallets\r\n%AppData%\\Ethereum\\keystore\r\n%AppData%\\Exodus\\exodus.wallet\r\n%AppData%\\Guarda\\Local Storage\\leveldb\r\n%AppData%\\atomic\\Local Storage\\leveldb\r\n%AppData%\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\r\nCurrently supported commands are:\r\nPosition - Unknown\r\nScreenShot - take a screenshot\r\nSHELL - run a Windows shell command with cmd\r\nUPLOAD - download and execute an EXE\r\nFigure 5. Original regular expressions used to parse received commands\r\nSource: ZeroFox Intelligence\r\nDashboards\r\nMultiple versions of the administration panel or dashboard have been created since October 2021. While the\r\noriginal code found on GitHub did include a server, it did not have a web-based interface for interacting with the\r\nbotnet.\r\nKraken Panel\r\nThe initial panel, aptly named “Kraken Panel,” was simple in terms of features. 
It offered basic statistics, links to\r\ndownload payloads, an option to upload new payloads, and a way to interact with a specific number of bots. This\r\nversion did not appear to allow the operator(s) to choose which victims to interact with.\r\nFigure 6. English-translated version of the Kraken C2 panel\r\nSource: ZeroFox Intelligence\r\nAnubis Panel\r\nThe current version of the C2 has undergone a total redesign—complete with a new name, Anubis. The Anubis\r\nPanel provides far more information to the operator(s) than the original Kraken Panel. In addition to the\r\npreviously provided statistics, it is now possible to view command history and information about the victim.\r\nFigure 7. Dashboard for the Anubis Panel\r\nSource: ZeroFox Intelligence\r\nA later update to the Anubis Panel added the ability for the operator(s) to be more selective when choosing targets\r\nfor commands. In previous versions, the operator(s) could only choose the number of victims to target with the\r\ncommand. With this update, targets can be chosen individually or by group using their external IP or geographic\r\nlocation.\r\nFigure 8. Selecting a victim by external IP to run a shell command\r\nSource: ZeroFox Intelligence\r\nThe Anubis Panel also allows the operator(s) to view task and command history via the dashboard and TASK\r\npage. The TASK page shows information such as the ID generated for the task, the command being sent, how\r\nmany victims the command should be sent to, the targeted geolocation, and a timestamp of when the task was\r\ninitiated.\r\nInitially, every task investigated by ZeroFox resulted in a version of RedLine Stealer being downloaded and\r\nexecuted on the victim’s machine. 
Some shell commands were observed as well, though these were only used to\r\ndownload more RedLine payloads using curl.\r\nFigure 9. TASK page showing command history\r\nSource: ZeroFox Intelligence\r\nAs the operator(s) behind Kraken continued to expand and gather more victims, ZeroFox began observing other\r\ngeneric information stealers and cryptocurrency miners being deployed. As of this writing, the mining pool\r\nstatistics in Figure 10 suggest the botnet is earning around USD 3,000 per month.\r\nFigure 10. Mining statistics from the cryptocurrency mining pool Ethermine\r\nSource: ZeroFox Intelligence\r\nRecommendations\r\nEnsure antivirus and intrusion detection software is up to date with all patches and rule sets.\r\nAlert on process creations whose command line adds a Defender exclusion (Add-MpPreference -ExclusionPath)\r\nor sets hidden and system attributes (attrib +S +H) on files under %AppData%, since Kraken does both at install time.\r\nEnable two-factor authentication for all organizational accounts to help mitigate phishing and credential\r\nstuffing attacks.\r\nMaintain regularly scheduled backup routines, including off-site storage and integrity checks.\r\nAvoid opening unsolicited attachments and never click suspicious links.\r\nLog and monitor all administrative actions as much as possible. Alert on any suspicious activity.\r\nReview network logs for potential signs of compromise and data egress.\r\nConclusion\r\nWhile in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server\r\non multiple occasions, only for another to appear a short time later using either a new port or a completely new IP.\r\nBy using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the\r\nC2. Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the\r\noperator had focused entirely on pushing information stealers – specifically RedLine Stealer. 
It is currently\r\nunknown what the operator intends to do with the stolen credentials that have been collected or what the end goal\r\nis for creating this new botnet.\r\nMITRE ATT\u0026CK\r\nID Description\r\nT1027.002 Obfuscated Files or Information: Software Packing\r\nT1033 System Owner/User Discovery\r\nT1047 Windows Management Instrumentation\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nT1082 System Information Discovery\r\nT1113 Screen Capture\r\nT1132.001 Data Encoding: Standard Encoding\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1571 Non-Standard Port\r\nIOCs\r\nIP addresses\r\n65.21.105.85\r\n91.206.14.151\r\n95.181.152.184\r\n185.112.83.22\r\n185.112.83.96\r\n185.206.212.165\r\n213.226.71.125\r\nSHA256 hashes\r\n1d772f707ce74473996c377477ad718bba495fe7cd022d5b802aaf32c853f115\r\nd742a33692a77f5caef5ea175957c98b56c2dc255144784ad3bade0a0d50d088\r\nddf039c3d6395139fd7f31b0a796a444f385c582ca978779aae7314b19940812\r\ndcaaef3509bc75155789058d79f025f14166386cec833c2c154ca34cfea26c52\r\n54d36e5dce2e546070dc0571c8b3e166d6df62296fa0609a325ace23b7105335\r\n095c223b94656622c81cb9386aefa59e168756c3e200457e98c00b609e0bb170\r\n0f0cabb24d8cc93e5aed340cfc492c4008509f1e84311d61721a4375260a0911\r\n2ced68e4425d31cca494557c29a76dfc3081f594ff01549e41d2f8a08923ef61\r\n3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36\r\nef3e0845b289f1d3b5b234b0507c554dfdd23a5b77f36d433489129ea722c6bb\r\n7c76ca5eb757df4362fabb8cff1deaa92ebc31a17786c89bde55bc53ada43864\r\n48c2f53f1eeb669fadb3eec46f7f3d4572e819c7bb2d39f22d22713a30cc1846\r\n43f46a66c821e143d77f9311b24314b5c5eeccfedbb3fbf1cd484c9e4f537a5d\r\n8c4294e3154675cd926ab6b772dbbe0e7a49cae16f4a37d908e1ca6748251c43\r\n
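The installation and persistence artifacts described earlier (a Defender exclusion on %APPDATA%\\Microsoft, a hidden and system-flagged EXE in that folder, a Run value launching it, and a key under HKEY_CURRENT_USER\\Software carrying the ID/INSTALL/LAST/NAME/REMASTER/VERSION values) can be checked on a suspect host with the PowerShell triage script below. It is an added example written for this page, not ZeroFox tooling and not code from the botnet. It assumes an elevated PowerShell session with the Defender cmdlets available. The report does not say whether the %APPDATA% token in the exclusion command is expanded before it reaches Defender, nor which hive the Run key lives in, so the script matches both the expanded and the literal path form and checks both the HKCU and HKLM Run keys; the function name Find-KrakenArtifacts is the example's own.

```powershell
# Added example (not ZeroFox's code): read-only triage for the Kraken host
# artifacts described in the report. Run from an elevated PowerShell session
# on the endpoint being examined. Assumptions are marked inline.

function Find-KrakenArtifacts {
    [CmdletBinding()]
    param()

    $findings  = New-Object System.Collections.Generic.List[string]
    $appDataMs = (Join-Path $env:APPDATA 'Microsoft').TrimEnd('\')
    # Assumption: the report shows the exclusion command with a literal %APPDATA%
    # token; depending on how the bot launches powershell.exe that token may or
    # may not be expanded, so both forms are matched.
    $literalMs = '%APPDATA%\Microsoft'

    # 1. Defender exclusion covering %APPDATA%\Microsoft (Add-MpPreference -ExclusionPath)
    if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
        foreach ($ex in @((Get-MpPreference).ExclusionPath)) {
            if (-not $ex) { continue }
            $norm = ([string]$ex).TrimEnd('\')
            if ($norm -eq $appDataMs -or $norm -eq $literalMs) {
                $findings.Add("Defender ExclusionPath present: $ex")
            }
        }
    }

    # 2. Hidden + System EXE directly inside %APPDATA%\Microsoft (attrib +S +H)
    if (Test-Path -LiteralPath $appDataMs) {
        Get-ChildItem -LiteralPath $appDataMs -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                $_.Attributes.HasFlag([IO.FileAttributes]::System)
            } |
            ForEach-Object { $findings.Add("Hidden+System EXE: $($_.FullName)") }
    }

    # 3. Run values that point into %APPDATA%\Microsoft.
    # Assumption: the report shows a Run key but not the hive, so both are checked.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runPattern = '(' + [regex]::Escape($appDataMs) + '|' + [regex]::Escape($literalMs) + ')'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ([string]$p.Value -match $runPattern) {
                $findings.Add("Run value '$($p.Name)' in $key -> $($p.Value)")
            }
        }
    }

    # 4. HKCU\Software subkey carrying the Kraken value set. The key name changes
    # between builds, so match on the six value names rather than on the name.
    $wanted = 'ID', 'INSTALL', 'LAST', 'NAME', 'REMASTER', 'VERSION'
    Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue | ForEach-Object {
        $rk = $_
        $names = $rk.GetValueNames()
        $missing = $wanted | Where-Object { $names -notcontains $_ }
        if (-not $missing) {
            $ver = $rk.GetValue('VERSION')
            $rem = $rk.GetValue('REMASTER')
            $findings.Add("Registry key $($rk.Name) has the Kraken value set (VERSION='$ver', REMASTER='$rem')")
        }
    }

    return ,$findings.ToArray()
}

$hits = Find-KrakenArtifacts
if ($hits.Count -eq 0) { 'No Kraken-style artifacts found.' }
else { $hits | ForEach-Object { "[!] $_" } }
```

A hit from the fourth check is the strongest single signal, because the value-name set is stable across builds while file and key names are not; pull the EXE from %APPDATA%\\Microsoft and compare its SHA256 against the hashes in the IOC list above before drawing conclusions. Pair the script with a process-creation alert on command lines containing Add-MpPreference -ExclusionPath or attrib +S +H, which fire at install time rather than after the fact.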
https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/"
	],
	"report_names": [
		"meet-kraken-a-new-golang-botnet-in-development"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439050,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f174ac4529ba659c48c45d50307b72d83815665.pdf",
		"text": "https://archive.orkl.eu/8f174ac4529ba659c48c45d50307b72d83815665.txt",
		"img": "https://archive.orkl.eu/8f174ac4529ba659c48c45d50307b72d83815665.jpg"
	}
}