{
	"id": "1a91b1d0-0973-4bfd-976f-67885fc9d445",
	"created_at": "2026-04-06T00:10:59.812619Z",
	"updated_at": "2026-04-10T03:37:08.620837Z",
	"deleted_at": null,
	"sha1_hash": "cc5f5ac8d5bb992f7d8fecfc442a77f54dc69733",
	"title": "New Golang botnet empties Windows users\u2019 cryptocurrency wallets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1353230,
	"plain_text": "New Golang botnet empties Windows users\u2019 cryptocurrency wallets\r\nBy Sergiu Gatlan\r\nPublished: 2022-02-18 · Archived: 2026-04-05 16:31:50 UTC\r\nA new Golang-based botnet under active development has been ensnaring hundreds of Windows devices each time its operators deploy a new command and control (C2) server.\r\nFirst spotted in October 2021 by ZeroFox researchers, who dubbed it Kraken, this previously unknown botnet uses the SmokeLoader backdoor and malware downloader to spread to new Windows systems.\r\nAfter infecting a new Windows device, the botnet adds a new Registry key to achieve persistence across system restarts. It also adds a Microsoft Defender exclusion so that its installation directory is never scanned, and hides its binary from Windows Explorer by setting the hidden file attribute.\r\nKraken has a limited and simplistic feature set, allowing attackers to download and execute additional malicious payloads on compromised devices, including the RedLine Stealer malware.\r\nRedLine is currently the most widely deployed information stealer, capable of harvesting victims' passwords, browser cookies, credit card info, and cryptocurrency wallet info.\r\n\"Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer,\" ZeroFox said.\r\n\"It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet.\"\r\nBuilt-in crypto wallet theft capabilities\r\nHowever, the botnet also features built-in information theft capabilities and can steal crypto wallets itself before dropping other info stealers and cryptocurrency miners.\r\nAccording to ZeroFox, Kraken can steal info from Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty crypto wallets.\r\nBased on info collected from the Ethermine cryptocurrency mining pool, this botnet seems to be adding roughly USD 3,000 every month to its masters' wallets.\r\n\"While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP,\" the researchers added.\r\nNevertheless, \"by using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2.\"\r\nSource: https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/"
	],
	"report_names": [
		"new-golang-botnet-empties-windows-users-cryptocurrency-wallets"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434259,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc5f5ac8d5bb992f7d8fecfc442a77f54dc69733.pdf",
		"text": "https://archive.orkl.eu/cc5f5ac8d5bb992f7d8fecfc442a77f54dc69733.txt",
		"img": "https://archive.orkl.eu/cc5f5ac8d5bb992f7d8fecfc442a77f54dc69733.jpg"
	}
}
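The persistence behaviour described in the article's plain_text (a new Registry key for persistence plus a Microsoft Defender exclusion covering the install directory) is something a detection engineer can correlate from host logs. The Python below is an added example, not code from ZeroFox, BleepingComputer or the Kraken operators: it reads constructed Microsoft Defender Operational Event ID 5007 (configuration changed) entries and constructed Sysmon Event ID 13 (registry value set) entries, and flags any Run/RunOnce value whose executable lives under a path that was just added to Defender's exclusion list. The article does not name Kraken's Registry key, install directory or file names, so the Run/RunOnce key, the SID and every path in the sample events are placeholders I chose for illustration.

```python
"""Correlate Defender path exclusions with Run-key persistence.

Added example, not from the article or ZeroFox. The events below are
constructed to mimic two Windows log sources:
  - Microsoft-Windows-Windows Defender/Operational, Event ID 5007
    (configuration changed; exclusion additions show up in "New value"), and
  - Sysmon Event ID 13 (RegistryEvent, value set).
Key names, SID and paths are placeholders, not Kraken indicators.
"""
import ntpath
import re
from dataclasses import dataclass

# "New value: HKLM\...\Exclusions\Paths\<path> = 0x0" is how an added path
# exclusion appears in a 5007 event.
DEFENDER_EXCLUSION_RE = re.compile(
    r"New value:\s+HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
    r"\\Paths\\(?P<path>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)
# Run / RunOnce under any hive (HKLM or a per-user HKU\<SID> key).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"source": "Defender", "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. "
                "Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows "
                "Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\"
                "Roaming\\svchost = 0x0"},
    {"source": "Sysmon", "id": 13,
     "target_object": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\"
                      "CurrentVersion\\Run\\svchost",
     "details": "\"C:\\Users\\alice\\AppData\\Roaming\\svchost\\svchost.exe\""
                " --silent"},
    {"source": "Sysmon", "id": 13,  # benign autostart, must not alert
     "target_object": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\"
                      "CurrentVersion\\Run\\OneDrive",
     "details": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\"
                "OneDrive.exe\" /background"},
]


@dataclass
class Alert:
    run_value: str       # full registry path of the Run value
    executable: str      # executable the value launches, as logged
    excluded_path: str   # normalised Defender exclusion that covers it


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so prefix checks are reliable."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def _exe_from_command(cmd: str) -> str:
    """Return the program path from a Run value: quoted path, or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]  # unquoted paths with spaces are ambiguous


def defender_exclusions(events) -> list[str]:
    """Collect normalised paths added to Defender's exclusion list (EID 5007)."""
    paths = []
    for ev in events:
        if ev["source"] == "Defender" and ev["id"] == 5007:
            m = DEFENDER_EXCLUSION_RE.search(ev["message"])
            if m:
                paths.append(_norm(m.group("path")))
    return paths


def run_key_entries(events):
    """Yield (registry value path, executable) for Sysmon EID 13 Run/RunOnce writes."""
    for ev in events:
        if (ev["source"] == "Sysmon" and ev["id"] == 13
                and RUN_KEY_RE.search(ev["target_object"])):
            yield ev["target_object"], _exe_from_command(ev["details"])


def find_suspicious_persistence(events) -> list[Alert]:
    """Alert on Run values whose program sits inside an excluded directory."""
    excluded = defender_exclusions(events)
    alerts = []
    for target, exe in run_key_entries(events):
        exe_n = _norm(exe)
        for ex in excluded:
            if exe_n == ex or exe_n.startswith(ex + "\\"):
                alerts.append(Alert(target, exe, ex))
                break
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_persistence(SAMPLE_EVENTS):
        print(f"ALERT: {a.run_value} -> {a.executable} (excluded: {a.excluded_path})")
```

The third behaviour in the article, the hidden file attribute, is not surfaced by either log source; confirm it on the host with `attrib` or `Get-ChildItem -Force`, and compare the exclusions the correlation found against the live list from `(Get-MpPreference).ExclusionPath`. Ordering matters in practice: Kraken-style malware adds the exclusion before dropping payloads, so a 5007 event for a user-writable directory is worth alerting on even before any Run value appears.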