{
	"id": "bb5bbcb5-c383-4845-980c-66acc988c5ff",
	"created_at": "2026-04-06T00:06:44.5295Z",
	"updated_at": "2026-04-10T03:20:20.803075Z",
	"deleted_at": null,
	"sha1_hash": "b631cb8cda0ca265bb3b8e9060f3605ad0b66845",
	"title": "FBI shuts down 11-year-old NetWire RAT malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1304489,
	"plain_text": "FBI shuts down 11-year-old NetWire RAT malware\r\nBy Joshua Long\r\nPublished: 2023-03-16 · Archived: 2026-04-05 14:13:28 UTC\r\nMalware\r\nPosted on March 16th, 2023 by\r\nAfter nearly 11 years in operation, law enforcement has shut down the distribution of the shady NetWire Remote\r\nControl software. NetWire was a commercially sold, cross-platform remote access trojan (RAT) with capabilities\r\ndesigned for spying on victims. Antivirus products commonly detect NetWire under names such as Netweird,\r\nNetWeirdRC, Netwire, or Wirenet.\r\nIn a press release, the U.S. Department of Justice detailed what had transpired. On Tuesday, March 7, 2023, the\r\nDOJ seized the domain worldwiredlabs[.]com . This site, doing business as World Wired Labs, had been selling\r\nNetWire since May 2012. Now it simply displays an FBI seizure splash screen.\r\nhttps://www.intego.com/mac-security-blog/fbi-shuts-down-11-year-old-netwire-rat-malware/\r\nPage 1 of 4\n\nThe notice on the seized domain reads, in part:\r\nThis Website Has Been Seized as part of a coordinated law enforcement action taken against the\r\nNetWire Remote Access Trojan. This domain has been seized by the Federal Bureau of Investigation in\r\naccordance with a seizure warrant… as part of a joint international law enforcement operation and\r\naction…\r\nLaw enforcement authorities in Croatia arrested the alleged site operator on the same day. According to reports\r\nfrom Brian Krebs and Croatian news (English translation), 40-year-old Mario Zanko allegedly distributed the\r\nmalware. Krebs’ research indicates that Zanko went by the hacker pseudonym Dugidox. Croatian authorities will\r\nreportedly prosecute the accused malware maker.\r\nZanko reportedly made nearly $1 million selling the software, which sold for anywhere from $60 to $140 per\r\nlicense over the years. 
This would seem to suggest that World Wired Labs likely sold at least 10,000 licenses.\r\nIn addition to the site seizure and Zanko’s arrest, the DOJ reports that Swiss authorities seized the server that\r\nhosted the RAT’s infrastructure. It is not clear whether this prevents existing infections from being able to phone\r\nhome to command and control servers for specific NetWire deployments.\r\nThe history of NetWire Remote Control\r\nIntego has written about this malware since the first Mac version was discovered in 2012. Variants of the Mac\r\nversion of this malware have been known under names such as OSX/NetWeirdRC.A, OSX/NetWeirdRC.B,\r\nOSX/NetWeirdRC.C, OSX/Netweird, OSX/Netwire, and OSX/Wirenet.\r\nNetWire Remote Control’s virtual box art. NetWire was commercial spyware.\r\nNetWire Remote Control was billed as “an advanced remote control solution,” but binary analyses made its actual\r\npurpose clear. As we explained in our August 2012 analysis, the first Mac version was capable of stealing\r\npasswords from Web browsers and e-mail clients, namely Firefox, Opera, SeaMonkey, and Thunderbird.\r\nCredential stealing is not behavior one would expect from legitimate computer monitoring or remote\r\nadministration software. 
The DOJ also notes that NetWire “was advertised on hacking forums, and numerous\r\ncyber security companies and government agencies have documented instances of the NetWire RAT being used in\r\ncriminal activity.”\r\nApple added detection for one NetWire variant to its XProtect definitions in September 2016.\r\nIn June 2019, miscreants spread NetWire malware in a broad public attack, leveraging a zero-day vulnerability in\r\nFirefox.\r\nThe end of an era; a sign of things to come?\r\nThe FBI began investigating World Wired Labs in the year 2020—around eight years after the malware surfaced,\r\nand three years before the coordinated law enforcement actions took place.\r\nThe logo of World Wired Labs, NetWire’s distributor\r\nAlthough it’s unfortunate that it took law enforcement 11 years to stop this malware’s development and\r\nproliferation, we’re glad that it has finally happened. We hope that international law enforcement agencies will\r\nlearn from this experience and more quickly neutralize similar malware threats in the future.\r\nHow can I learn more?\r\nWe talked about the takedown of NetWire Remote Control on episode 283 of the Intego Mac Podcast:\r\nEach week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including\r\nsecurity and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to\r\nfollow the podcast to make sure you don’t miss any episodes.\r\nYou can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest\r\nApple security and privacy news. 
And don’t forget to follow Intego on your favorite social media channels.\r\nCyber agent photo credit: FBI, via recruitment site.\r\nAbout Joshua Long\r\nJoshua Long (@theJoshMeister), formerly Intego’s Chief Security Analyst, is a renowned security researcher\r\nand writer, and an award-winning public speaker. Josh has a master’s degree in IT concentrating in Internet\r\nSecurity and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh\r\nfor discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for well over\r\n25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X/Twitter, LinkedIn,\r\nFacebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more.\r\nSource: https://www.intego.com/mac-security-blog/fbi-shuts-down-11-year-old-netwire-rat-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intego.com/mac-security-blog/fbi-shuts-down-11-year-old-netwire-rat-malware/"
	],
	"report_names": [
		"fbi-shuts-down-11-year-old-netwire-rat-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b631cb8cda0ca265bb3b8e9060f3605ad0b66845.pdf",
		"text": "https://archive.orkl.eu/b631cb8cda0ca265bb3b8e9060f3605ad0b66845.txt",
		"img": "https://archive.orkl.eu/b631cb8cda0ca265bb3b8e9060f3605ad0b66845.jpg"
	}
}