{
	"id": "8a17967e-3c95-4f75-b0c6-f1785edad31a",
	"created_at": "2026-04-06T00:21:37.781047Z",
	"updated_at": "2026-04-10T13:11:39.60758Z",
	"deleted_at": null,
	"sha1_hash": "b482d536a1801d27373cc4bf00db6d028c6fd4d4",
	"title": "The Link Between AWM Proxy \u0026 the Glupteba Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1098395,
	"plain_text": "The Link Between AWM Proxy \u0026 the Glupteba Botnet\r\nPublished: 2022-06-29 · Archived: 2026-04-05 13:35:16 UTC\r\nOn December 7, 2021, Google announced it was suing two Russian men allegedly responsible for operating the\r\nGlupteba botnet, a global malware menace that has infected millions of computers over the past decade. That\r\nsame day, AWM Proxy — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly\r\nwent offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows\r\nAWM Proxy’s founder is one of the men being sued by Google.\r\nAWMproxy, the storefront for renting access to infected PCs, circa 2011.\r\nLaunched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their\r\nmalicious Web traffic through compromised devices. In 2011, researchers at Kaspersky Lab showed that virtually\r\nall of the hacked systems for rent at AWM Proxy had been compromised by TDSS (a.k.a. TDL-4 and Alureon), a\r\nstealthy “rootkit” that installs deep within infected PCs and loads even before the underlying Windows operating\r\nsystem boots up.\r\nIn March 2011, security researchers at ESET found TDSS was being used to deploy Glupteba, another rootkit that\r\nsteals passwords and other access credentials, disables security software, and tries to compromise other devices on\r\nthe victim’s network — such as Internet routers and media storage servers — for use in relaying spam or other\r\nmalicious traffic.\r\nhttps://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it\u0026utm_medium=twitter\r\nPage 1 of 7\n\nA report from the Polish computer emergency response team (CERT Orange Polska) found Glupteba was by far\r\nthe biggest malware threat in 2021.\r\nLike its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and via\r\ntraffic purchased from traffic distribution 
systems (TDS). Pay-per-install networks try to match cybercriminals\r\nwho already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their\r\nmalware.\r\nIn a typical PPI network, clients will submit their malware—a spambot or password-stealing Trojan, for example\r\n—to the service, which in turn charges per thousand successful installations, with the price depending on the\r\nrequested geographic location of the desired victims. One of the most common ways PPI affiliates generate\r\nrevenue is by secretly bundling the PPI network’s installer with pirated software titles that are widely available for\r\ndownload via the web or from file-sharing networks.\r\nAn example of a cracked software download site distributing Glupteba. Image: Google.com.\r\nOver the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first\r\ncovered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across\r\ndozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any\r\ngiven day, and Glupteba had grown to more than one million infected devices worldwide.\r\nThere is also ample evidence to suggest that Glupteba may have spawned Meris, a massive botnet of hacked\r\nInternet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and\r\nmost disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.\r\nBut on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and\r\nfiled a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime\r\nmachine. 
AWM Proxy’s online storefront disappeared that same day.\r\nAWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer\r\nbalances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent\r\ntakedowns targeting AWM Proxy’s domains and other infrastructure have conspired to keep the service on the\r\nropes and frequently switching domains ever since.\r\nEarlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the “RSOCKS” botnet, a\r\ncompeting proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of\r\nRSOCKS as a 35-year-old from Omsk, Russia who runs the world’s largest forum catering to spammers.\r\nThe employees who kept things running for RSOCKS, circa 2016.\r\nShortly after last week’s story on the RSOCKS founder, I heard from Riley Kilmer, co-founder of Spur.us, a\r\nstartup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined\r\nlegal sneak attack and technical takedown targeting Glupteba.\r\n“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that\r\nnumber went down to zero on Dec. 7,” Kilmer said. “It’s not clear if that means the services were operated by the\r\nsame people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their\r\nmalware.”\r\nKilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each\r\nInternet address being sold by RSOCKS was also present in AWM Proxy’s network. 
In addition, Kilmer said, the\r\napplication programming interfaces (APIs) used by both services to keep track of infected systems were virtually\r\nidentical, once again suggesting strong collaboration.\r\n“One hundred percent of the IPs we got back from RSOCKS we’d already identified in AWM,” Kilmer said. “And\r\nthe IP port combinations they give you when you access an individual IP were the same as from AWM.”\r\nIn 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but\r\nKilmer’s revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to\r\ndetermine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and\r\nGlupteba.\r\nIF YOUR PLAN IS TO RIP OFF GOOGLE…\r\nSupporting Kilmer’s theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to\r\nspread, further research shows the RSOCKS owner also had an ownership stake in AD1[.]ru, an extremely\r\npopular Russian-language pay-per-install network that has been in operation for at least a decade.\r\nGoogle took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in\r\nonline advertising revenue. 
So it’s more than a little ironic that the critical piece of evidence linking all of these\r\noperations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in\r\n2008 (UA-3816536).\r\nThat analytics code also was present on a handful of other sites over the years, including the now-defunct Russian\r\ndomain name registrar Domenadom[.]ru, and the website web-site[.]ru, which curiously was a Russian company\r\noperating a global real estate appraisal business called American Appraisal.\r\nTwo other domains connected to that Google Analytics code — Russian plastics manufacturers techplast[.]ru and\r\ntekhplast.ru — also shared a different Google Analytics code (UA-1838317) with web-site[.]ru and with the\r\ndomain “starovikov[.]ru.”\r\nThe name on the WHOIS registration records for the plastics domains is an “Alexander I. Ukraincki,” whose\r\npersonal information also is included in the domains tpos[.]ru and alphadisplay[.]ru, both apparently\r\nmanufacturers of point-of-sale payment terminals in Russia.\r\nConstella Intelligence, a security firm that indexes passwords and other personal information exposed in past data\r\nbreaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of\r\nthose email addresses start with some variation of “uai@” followed by a domain from one of the many Russian\r\nemail providers (e.g., yandex.ru, mail.ru). 
[Full disclosure: Constella is currently an advertiser on this website].\r\nBut Constella also shows those different email addresses all relied on a handful of passwords — most commonly\r\n“2222den” and “2222DEN.” Both of those passwords have been used almost exclusively in the past decade by the\r\nperson who registered more than a dozen email addresses with the username “dennstr.”\r\nThe dennstr identity leads to several variations on the same name — Denis Strelinikov, or Denis Stranatka, from\r\nUkraine, but those clues ultimately led nowhere promising. And maybe that was the point.\r\nThings began looking brighter after I ran a search in DomainTools for web-site[.]ru’s original WHOIS records,\r\nwhich shows it was assigned in 2005 to a “private person” who used the email address lycefer@gmail.com. A\r\nsearch in Constella on that email address says it was used to register nearly two dozen domains, including\r\nstarovikov.ru and starovikov[.]com.\r\nA cached copy of the contact page for Starovikov[.]com shows that in 2008 it displayed the personal information\r\nfor a Dmitry Starovikov, who listed his Skype username as “lycefer.”\r\nFinally, Russian incorporation documents show the company LLC Website (web-site[.]ru) was registered in 2005\r\nto two men, one of whom was named Dmitry Sergeevich Starovikov.\r\nBringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:\r\nThe cover page for Google’s lawsuit against the alleged Glupteba botnet operators.\r\nMr. Starovikov did not respond to requests for comment. 
But attorneys for Starovikov and his co-defendant last\r\nmonth filed a response to Google’s complaint in the Southern District of New York, denying (PDF) their clients\r\nhad any knowledge of the scheme.\r\nDespite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as\r\nhealthy as ever, although the service has been branded with a new name and there are dubious claims of new\r\nowners. Advertising customer plans ranging from $50 a day to nearly $700 for “VIP access,” AWM Proxy says its\r\nmalware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly\r\n65,000 of these systems are currently online.\r\nAWM Proxy, as it exists today.\r\nMeanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances\r\nwill soon be migrated over to a new location.\r\nMany people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the\r\nlargely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in\r\nany gaps in the workforce whenever cybercriminals face justice.\r\nWhile that may be true for many low-level cyber thieves today, investigations like these show once again how\r\nsmall the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on\r\ntargeting and disrupting the relatively small number of established hackers who remain the real force multipliers\r\nof cybercrime.\r\nSource: https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it\u0026utm_medium=twitter",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it\u0026utm_medium=twitter"
	],
	"report_names": [
		"?utm_source=dlvr.it\u0026utm_medium=twitter"
	],
	"threat_actors": [],
	"ts_created_at": 1775434897,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b482d536a1801d27373cc4bf00db6d028c6fd4d4.pdf",
		"text": "https://archive.orkl.eu/b482d536a1801d27373cc4bf00db6d028c6fd4d4.txt",
		"img": "https://archive.orkl.eu/b482d536a1801d27373cc4bf00db6d028c6fd4d4.jpg"
	}
}