{
	"id": "1f7a9136-920c-4714-802b-9ff4e5233633",
	"created_at": "2026-04-06T00:19:01.56038Z",
	"updated_at": "2026-04-10T13:12:11.683308Z",
	"deleted_at": null,
	"sha1_hash": "dc553660c329c77fb4c891980126752f0bdde3f9",
	"title": "Mariposa Botnet | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78434,
	"plain_text": "Mariposa Botnet | CISA\r\nPublished: 2014-01-20 · Archived: 2026-04-05 19:45:17 UTC\r\nOverview\r\nICS-CERT has received reports and investigated infections of the Mariposa botnet [Defence Intelligence, http://defintel.com/docs/MariposaAnalysis.pdf, website last accessed March 15, 2010], which have affected the business networks of multiple control system owners in recent months.\r\nICS-CERT has no information to indicate that these infections have specifically targeted United States Critical Infrastructure and Key Resources (CIKR), or any specific sector or organization.\r\nBackground\r\nIn May 2009, Defence Intelligence announced the discovery of a botnet called “Mariposa.” An investigation followed this discovery and targeted bringing down the criminal network behind what has become one of the largest botnets on record.\r\nAfter months of investigation by the Guardia Civil in Spain, the FBI, security firm Panda Security, and Defence Intelligence, authorities took down a 12.7 million strong zombie network in December. In February 2010, Spanish authorities arrested three suspects in Spain [John Leyden, http://www.theregister.co.uk/2010/03/04/mariposapolicehuntmorebotherders/, website last accessed March 15, 2010].\r\nAlthough the primary command and control (C2) infrastructure for the Mariposa botnet is considered to have been rendered inoperative by the Mariposa Working Group [PandaLabs, http://pandalabs.pandasecurity.com/mariposa-botnet/, website last accessed March 15, 2010], malware files that were used by the botnet are still thought to be on computers in production environments and should be identified and removed.
Additionally, it is not uncommon for new groups to assume control of old or abandoned botnets by compromising existing command and control or by establishing new command and control infrastructure using slightly modified malware.\r\nDetails\r\nIn February 2010, a US utility company (USUTIL1) was notified by another US utility partner company (USUTIL2) that a USUTIL1 employee had visited USUTIL2 with a Mariposa-infected laptop. There had been no indication from USUTIL1’s computer network defense mechanisms (anti-virus, intrusion detection systems, firewalls, etc.) that an infection had occurred, and USUTIL2’s notification was USUTIL1’s first indication that there was an issue.\r\nUSUTIL1’s investigation found that the initial infection vector may have been a USB drive shared at an industry conference. An instructor shared a USB drive among participants at a training event attended by USUTIL1’s employee. It is believed that when the employee returned and connected his laptop to the corporate network, the malware spread to multiple business systems.\r\nTo date, none of USUTIL1’s control systems are known to be affected by the botnet malware.\r\nUSUTIL1’s internal investigation found the malware file “Schl.exe” in deleted files on one system. USUTIL1 continued searching and found other systems with this deleted file. These systems were also attempting to make UDP connections with systems outside of their firewall.\r\nICS-CERT was contacted and, at the request of the organization, deployed a fly-away team to assist with identification and analysis of the malware.\r\nAnalysis\r\nA dynamic analysis was made on the file schl.exe. The method used for code injection is similar to the method described by Defence Intelligence [Defence Intelligence, http://defintel.com/docs/MariposaAnalysis.pdf, website last accessed March 15, 2010];
however, callbacks appeared to be unique. It should be noted that the following information is solely from ICS-CERT’s investigation into the malware variant found at USUTIL1. This information, along with other open source information, should be leveraged in any comprehensive detection and mitigation activities.\r\nThe following information can be used to develop detection signatures:\r\nFile: SCHL.EXE\r\nSize: 140800 bytes\r\nMD5: 645C4DD7508B3DC83807FCF9918FE1C7\r\nSHA1: d452e2df58fad206b2213683356033822ff335c9\r\nType: PE32 executable for MS Windows (GUI) Intel 80386 32-bit\r\nAntivirus Identification\r\nMicrosoft: Trojan:Win32/Meredrop\r\nMcAfee: Backdoor-EEC.gen\r\nSymantec: Trojan Horse\r\nDNS Lookups\r\nhnox[dot]org\r\nsocksa[dot]com\r\nronpc[dot]net\r\nCallbacks\r\nDomain IP Protocol/Port\r\nhnox[dot]org 92.241.165.162 UDP 21039\r\nsocksa[dot]com 92.241.164.82 UDP 21039\r\nronpc[dot]net 92.241.164.82 UDP 21039\r\nNote: All network traffic in/out is UDP.\r\nThe initial outbound packet is 49 bytes (7 bytes encrypted payload) to hnox[dot]org or socksa[dot]com, using UDP port 21039, for the purpose of establishing the C2 channel. The C2 server responds from 21039 to the same local port, with a UDP packet of varying length and encrypted payload. C2 command syntax appears to be consistent with the Mariposa botnet.\r\nMalware Files\r\nschl.exe – dropper\r\njack.exe – dropped file\r\nconfig.inf – dropped file\r\ndesktop.ini – dropped file (0-byte file located at source of originally executed file)\r\nBotnets, including Mariposa, are highly dynamic. C2 operators frequently update their code to evade detection or implement new features. Other files may also be associated with Mariposa, so the list above is not a complete list of files used by Mariposa.
For example, Defence Intelligence [Defence Intelligence, http://defintel.com/docs/MariposaAnalysis.pdf, website last accessed March 15, 2010] has also identified blackjackson.exe, which provided Mariposa with distributed denial-of-service (DDoS) capability by using the BlackEnergy DDoS bot.\r\nWindows Registry Modifications\r\nKey: [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\nValue: \"Taskman\" = \"\u003cfile_path\u003e\\schl.exe\"\r\nNote: Where \"file_path\" = location of schl.exe when executed\r\nDomain Names Observed as C2 Servers\r\nThe following domain names have been observed as command and control servers:\r\nICS-CERT Identified Malware Files\r\nICS-CERT identified the following three malware files during analysis:\r\nschl.exe\r\njack.exe\r\nconfig.inf\r\nOutbound Command \u0026 Control Attempts\r\nICS-CERT observed attempted UDP C2 connections with the following IP addresses:\r\nMariposa Malware UDP Ports\r\nMariposa malware has been observed using the
following UDP ports:\r\n3431\r\n3435\r\n5907\r\n3433\r\n3437\r\n21039\r\n3434\r\n5906\r\nAffected Operating Systems\r\nAlthough botnet malware can affect any operating system, most current botnets, including Mariposa, target Windows systems [Zeng, Hu, \u0026 Shin, “Detection of Botnets Using Combined Host- and Network-Level Information,” 16th ACM Conference on Computer and Communications Security, November 2009, p. 2].\r\nImpact\r\nAlthough the primary Mariposa C2 is believed to be inactive, the malware is still spreading. The possibility exists that another actor will attempt to “commandeer” the existing C2 or create a new C2 infrastructure. Without C2 direction, the malware won’t perform malicious actions; however, the malware still presents a risk, and any remaining Mariposa malware should be identified and removed, and systems should be properly re-imaged, or restored if re-imaging is not feasible.\r\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.\r\nRecommendations\r\nBecause IP addresses, UDP ports, and domains used by the C2 structure of Mariposa changed continually, it was difficult for security administrators to mitigate the capabilities of this botnet. The best mitigation strategy is to track down compromised systems using all information available about the malware.\r\nOrganizations should establish firewall rules to block communication from malware to known command and control sites and monitor their network for this activity to identify compromised machines. Additionally, UDP connections are used for Mariposa communication, so observing your network activity is the best place to start.
If one system is frequently sending outbound UDP packets, regardless of port, mark it as suspicious and investigate the source of the traffic on the system.\r\nIt is important to identify all of the infected machines and to disable them simultaneously to prevent re-infection of your assets. Advanced threats such as botnets can be extremely difficult to eradicate. If a compromised system is missed, the threat can re-infect “clean” systems. Clean systems should be isolated while the remainder of the network is cleaned, or the clean systems risk being re-infected. In large networks, this can be a challenging exercise.\r\nAs mentioned, IP addresses, ports, and domains used by Mariposa’s C2 system have continually changed. These changes created new malware variants (Mariposa had over 1,500 variants), resulting in a persistent and dynamic botnet. It is important to use all available information when eradicating and defending against a botnet infection to ensure that all variants are detected and properly removed.\r\nHere are some general guidelines for dealing with Mariposa malware:\r\nAny infected systems should be immediately isolated from the network.\r\nAny systems sharing network drives with the infected systems, including file servers hosting said network drives, should also be isolated from the network.\r\nReimage infected hosts prior to returning to normal operation.\r\nConsider maintaining an infected system for more detailed analysis (e.g., digital media analysis, malware collection).\r\nReview antivirus software specific removal guidelines for the malware if re-imaging is not possible.\r\nUsers should refrain from, or be administratively prohibited from, browsing the Internet using Windows accounts with Administrator-level privileges. This reduces the potential damage an infection can inflict upon a system.\r\nOrganizations should warn users about the risks of using USB drives on business systems.
For more information, review ICS-CERT CSAR-10-090-01, USBs Used as Attack Vector, and US-CERT Cyber Security Tip ST08-001, “Using Caution with USB Drives” [US-CERT Cyber Security Tip, http://www.us-cert.gov/cas/tips/ST08-001.html, website last accessed March 15, 2010].\r\nKeep systems up to date with the latest patches and antivirus signatures.\r\nEstablish an internet proxy service and monitor it for suspicious activity.\r\nMonitor IDS/IPS solutions for connections to the malicious domains and IP addresses listed in ICS-CERT advisories and US-CERT CIINs.\r\nDo NOT trust unsolicited e-mail.\r\nDo NOT click links and attachments in unsolicited e-mail messages.\r\nEmploy the use of a spam filter.\r\nTo educate users about social engineering and phishing attacks, review US-CERT Cyber Security Tip ST04-014, “Avoiding Social Engineering and Phishing Attacks.”\r\nTo learn more about botnets, review US-CERT Cyber Security Tip ST06-001, “Understanding Hidden Threats: Rootkits and Botnets.”\r\nSource: https://www.us-cert.gov/ics/advisories/ICSA-10-090-01",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ics/advisories/ICSA-10-090-01"
	],
	"report_names": [
		"ICSA-10-090-01"
	],
	"threat_actors": [
		{
			"id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d",
			"created_at": "2022-10-25T16:07:24.402328Z",
			"updated_at": "2026-04-10T02:00:04.97641Z",
			"deleted_at": null,
			"main_name": "Wild Neutron",
			"aliases": [
				"Butterfly",
				"Morpho",
				"Sphinx Moth",
				"The Postal Group",
				"Wild Neutron"
			],
			"source_name": "ETDA:Wild Neutron",
			"tools": [
				"HesperBot",
				"Jiripbot",
				"JripBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc553660c329c77fb4c891980126752f0bdde3f9.pdf",
		"text": "https://archive.orkl.eu/dc553660c329c77fb4c891980126752f0bdde3f9.txt",
		"img": "https://archive.orkl.eu/dc553660c329c77fb4c891980126752f0bdde3f9.jpg"
	}
}