{
	"id": "9724697c-d983-49d5-82a2-248db0aba529",
	"created_at": "2026-04-06T00:08:50.558542Z",
	"updated_at": "2026-04-10T13:11:21.105274Z",
	"deleted_at": null,
	"sha1_hash": "d1be6dcef9e8410ea7e6a3368823351d8832584d",
	"title": "Notorious cybercrime gang’s botnet disrupted - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37467,
	"plain_text": "Notorious cybercrime gang’s botnet disrupted - Microsoft On the\r\nIssues\r\nBy Amy Hogan-Burney\r\nPublished: 2022-04-13 · Archived: 2026-04-05 13:12:04 UTC\r\nToday, we’re announcing that Microsoft’s Digital Crimes Unit (DCU) has taken legal and technical action to\r\ndisrupt a criminal botnet called ZLoader. ZLoader is made up of computing devices in businesses, hospitals,\r\nschools, and homes around the world and is run by a global internet-based organized crime gang operating\r\nmalware as a service that is designed to steal and extort money.\r\nWe obtained a court order from the United States District Court for the Northern District of Georgia allowing us to\r\ntake control of 65 domains that the ZLoader gang has been using to grow, control and communicate with its\r\nbotnet. The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s\r\ncriminal operators. Zloader contains a domain generation algorithm (DGA) embedded within the malware that\r\ncreates additional domains as a fallback or backup communication channel for the botnet. In addition to the\r\nhardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA\r\ndomains. We are also working to block the future registration of DGA domains.\r\nDuring our investigation, we identified one of the perpetrators behind the creation of a component used in the\r\nZLoader botnet to distribute ransomware as Denis Malikov, who lives in the city of Simferopol on the Crimean\r\nPeninsula. We chose to name an individual in connection with this case to make clear that cybercriminals will not\r\nbe allowed to hide behind the anonymity of the internet to commit their crimes. Today’s legal action is the result\r\nof months of investigation that pre-date the current conflict in the region.\r\nOriginally, the primary goal of Zloader was financial theft, stealing account login IDs, passwords and other\r\ninformation to take money from people’s accounts. Zloader also included a component that disabled popular\r\nsecurity and antivirus software, thereby preventing victims from detecting the ZLoader infection. Over time those\r\nbehind Zloader began offering malware as a service, a delivery platform to distribute ransomware including Ryuk.\r\nRyuk is well known for targeting health care institutions to extort payment without regard to the patients that they\r\nput at risk.\r\nDCU led the investigative effort behind this action in partnership with ESET, Black Lotus Labs (the threat\r\nintelligence arm of Lumen), and Palo Alto Networks Unit 42, with additional data and insights to strengthen our\r\nlegal case from our partners the Financial Services Information Sharing and Analysis Centers (FS-ISAC) and the\r\nHealth Information Sharing and Analysis Center (H-ISAC), in addition to our Microsoft Threat Intelligence\r\nCenter and Microsoft Defender team. We also recognize the additional contribution from Avast in supporting our\r\nDCU field in Europe.\r\nOur disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized\r\ncriminal gang to continue their activities. We expect the defendants to make efforts to revive Zloader’s operations.\r\nWe referred this case to law enforcement, are tracking this activity closely and will continue to work with our\r\nhttps://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/\r\nPage 1 of 2\n\npartners to monitor the behavior of these cybercriminals. We will work with internet service providers (ISPs) to\r\nidentify and remediate victims. As always, we’re ready to take additional legal and technical action to address\r\nZloader and other botnets.\r\nTags: cyberattacks, cybercrime, ransomware, The Digital Crimes Unit\r\nSource: https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/"
	],
	"report_names": [
		"zloader-botnet-disrupted-malware-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434130,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1be6dcef9e8410ea7e6a3368823351d8832584d.pdf",
		"text": "https://archive.orkl.eu/d1be6dcef9e8410ea7e6a3368823351d8832584d.txt",
		"img": "https://archive.orkl.eu/d1be6dcef9e8410ea7e6a3368823351d8832584d.jpg"
	}
}