{
	"id": "f2722749-15a9-499b-8390-e30689952838",
	"created_at": "2026-04-06T00:12:23.324562Z",
	"updated_at": "2026-04-10T03:33:17.051273Z",
	"deleted_at": null,
	"sha1_hash": "e62786aff45ba93211980d281b071acf1e753fdb",
	"title": "Farewell to Kelihos and ZOMBIE SPIDER",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 917625,
	"plain_text": "Farewell to Kelihos and ZOMBIE SPIDER\r\nBy Brett.Stone-Gross.Tillmann.Werner.and.Bex.Hartley\r\nArchived: 2026-04-05 17:17:15 UTC\r\nThe Kelihos peer-to-peer botnet was one of the largest and longest-operating cybercrime infrastructures in existence. Its\r\norigins can be traced back to the Storm Worm, a botnet that emerged in 2007 and was one of the earliest criminal malware\r\ninfrastructures to leverage peer-to-peer technology. After the demise of Storm, it was replaced by another new botnet known\r\nas Waledac that also leveraged peer-to-peer communications. Waledac was taken over and neutralized by a group of\r\nresearchers in September 20101\r\n. The first generation of Kelihos emerged in December that year, three months after its\r\npredecessor Waledac was dismantled. Kelihos itself was subject to several2\r\n takeover3 operations4\r\n, each of which lead to the\r\nbotnet being rebuilt in a new, more robust manner. The fifth and last generation of the botnet had been around since summer\r\n2013, with an estimated size of 40,000 infected machines. It wasneutralized by the U.S. Department of Justice with technical\r\nassistance by CrowdStrike in April 20175\r\n. The Kelihos malware featured a wide assortment of plugins for different criminal\r\npurposes but was primarily used to deliver spam emails. Its peer-to-peer network protocol was designed to be difficult to\r\nreverse engineer, containing several layers of encryption, including RSA, Blowfish and a custom obfuscation algorithm that\r\nthe malware author referred to as “monkey” functions in the code. This design is a clear reaction to previous takedowns with\r\nthe goal to raise the bar for future attacks, but it ultimately failed to protect the botnet against attacks. The primary threat\r\nactor, who was tracked by CrowdStrike as ZOMBIE SPIDER, rose to prominence in the criminal underground under the\r\nmoniker Peter Severa. 
The individual behind this handle is Peter Yuryevich LEVASHOV [6], who was arrested in Spain when\r\nthe final version of Kelihos was taken over in April 2017, and who recently pleaded guilty to operating the botnet for\r\ncriminal purposes [7]. The purpose of this blog is to summarize and share our findings about Kelihos and its operator. The first\r\nsection summarizes the results of our technical analysis of the Kelihos malware. The second section discusses attribution\r\nand provides some context around the threat actor. The blog concludes with an outlook section and we provide a YARA rule\r\nfor detection in the Appendix.\r\nTechnical Analysis of Kelihos\r\nModern spam botnets have to be flexible in the way they run campaigns in order to be able to quickly adapt to new detection\r\ntechniques. Kelihos, like many others, implemented a sophisticated spam engine that automatically constructs spam\r\nmessages from templates and additional inputs to avoid any patterns that can be used in filters. Despite the flexibility\r\nprovided by the template system, some spam campaigns exhibited recurring characteristics and several researchers believed\r\nthat there existed multiple simultaneously operated versions of the botnet. This was never the case. Spam jobs that were\r\ndistributed by the botnet operator defined a message template. A bot would populate this template with randomly generated\r\nstrings or information taken from additional dictionary files that contained, for example, subject lines or URLs. 
A captured\r\nspam template is shown below, with several variable fields highlighted in different colors.\r\nReceived: from %^C0%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbnm^%^% () by %^A^% %^Fsendmailver^% with SMTP id %^Y%^C5%^R20-\r\n300^%^%^%037036; %^D%^V5^%^% Message-ID: \u003c%^O%^V6^%:%^R3-50^% %%^V0^%\u003eFrom: \"%^C4%^Fmynames^%^%\" \u003c%^Fnames^%@%^Fdomains^%\u003e\r\nTo: \u003c%^0^%\u003e Subject: %^Fpharma^% Date: %^D-%^R30-600^%^% MIME-Version: 1.0 Content-Type: text/plain; format=flowed;\r\ncharset=\"%^Fcharset^%\"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.%^C7%^Foutver.6^%^% X-MimeOLE: Produced By Microsoft MimeOLE\r\nV6.00.%^V7^% %^J%^Fpharma^% %^Fmirabella_links2^%^%\r\nThe following is an email constructed from this template.\r\nReceived: from iaw (\u003c232.59.54.125\u003e) by ppp-188-174-39-206.dynamic.mnet-online.de (8.13.1/8.13.1) with SMTP id\r\n201104051045037036; Tue, 5 Apr 2011 10:45:55 +0100 Message-ID: \u003c002101cbf36d$426b6370$e83b367d@seclabiaw\u003e From:\r\n\"Christina\" \u003cbcchiang@parteck.net\u003e To: \u003c\u003e Subject: Wonderful revealing effect on your libido. Date: Tue, 5 Apr\r\n2011 10:32:16 +0100 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=\"iso-8859-1\"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft\r\nOutlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Bring more enjoyment to\r\nyour life, get a magicpil! http://drokkies\u003c.\u003enl/dwg2c4v.html\r\nFor several years, pump-and-dump stock scams, dating ruses, credential phishing, money mule recruitment and rogue online\r\npharmacy advertisements were the most common spam themes. In 2017, however, Kelihos was frequently used to spread\r\nother malware such as LuminosityLink, Zyklon HTTP, Neutrino, Nymaim, Gozi/ISFB, Panda Zeus, Kronos, and TrickBot. 
It\r\nwas also observed spreading ransomware families including Shade, Cerber, and FileCrypt2.\r\nMalware Distribution\r\nThe Kelihos malware distribution model involved affiliates of a pay-per-install service operated by ZOMBIE SPIDER. Each\r\naffiliate was provided with a custom malware binary with a unique tag hard-coded into the executable. The criminal\r\nhttps://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/\r\nPage 1 of 11\n\noperators of Kelihos were able to track and credit affiliates for infections based on these tags when the malware\r\ncommunicated with their backend infrastructure. Compared to other malware families, Kelihos executables are relatively\r\nlarge due to the use of several third-party libraries, including Crypto++ for handling encryption-related functions, the Boost\r\nlibrary that provides a wide variety of convenience functions, and the WinPcap library that is used for capturing credentials\r\nused in plaintext network protocols. Affiliates frequently distributed Kelihos executables through social engineering and\r\nexploit kits. In addition, the Kelihos peer-to-peer network provided a fast-flux DNS hosting service that was often used in\r\ncombination with spam campaigns to serve its own binaries. As an example, the URL http://betaler\u003c.\u003ecom/gl1_1.php\r\nwas hosted by that fast-flux service network. In this case, the content served from this URL was some simple JavaScript-based redirect code shown below:\r\n\u003c!DOCTYPE HTML\u003e\u003chtml\u003e\u003chead\u003e\u003cscript\r\ntype=\"text/javascript\"\u003eparent.location.href=\"http://combach\u003c.\u003ecom/adobe.html\";\u003c/script\u003e\u003c/head\u003e\u003cbody\u003e\u003c/body\u003e\r\n\u003c/html\u003e\r\nThe domain combach\u003c.\u003ecom from the redirect target was hosted on the Kelihos fast-flux service network as well. 
Visiting\r\nusers were presented with the fake Adobe Flash Player website shown in Figure 1 in an attempt to deceive them into\r\nclicking the installation link, which would, in turn, provide a Kelihos malware executable.\r\nFigure 1. Fake Adobe Flash Player Installer Website\r\nInstallation and Persistence\r\nThe malware establishes persistence by creating a registry name and value pair under the key\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run in the HKEY_LOCAL_MACHINE hive if the user has administrator\r\nprivileges, or the HKEY_CURRENT_USER hive otherwise. The registry name consists of a word from the prefix noun list\r\nshown below concatenated with a word from an action suffix list. Its value points to the Kelihos executable on disk. Kelihos\r\nmodifies the file attributes on its own executable to hidden and read only. The following prefix nouns were used:\r\nConnection\r\nCrashReport\r\nDatabase\r\nDesktop\r\nFolder\r\nIcon\r\nMedia\r\nNetwork\r\nTime\r\nTray\r\nVideo\r\nThe following is the list of suffix nouns used to construct the name string:\r\nChecker\r\nInformer\r\nNotifyer\r\nSaver\r\nUpdater\r\nVerifyer\r\nUpon initial infection, the malware generates a 16-byte unique bot identifier that is used during peer-to-peer\r\ncommunications. This value is created from 15 randomly generated bytes plus a single-byte checksum that is computed by\r\nadding the 15 random bytes together. All Kelihos binaries start with a list of hard-coded peers to bootstrap the process of\r\njoining the peer-to-peer network. All analyzed samples had dozens of such hard-coded entries, each consisting of an IP\r\naddress, a TCP port number (which in all cases is 80), the last time a peer has been contacted (which defaults to 0 in the\r\nbootstrap list), a bot ID, and the number of seconds a peer has been live, also defaulting to 0. 
The peer list is stored in the\r\nWindows registry with the name determined by concatenating strings from three dictionaries. However, due to a bug in the\r\ncode, this name will always be DBSavedUse when the malware is executed for the first time. The value stored at this name\r\nalways starts with the magic byte pattern A2 49 4D F3 D9 1E 9F 88 01 that is used as a signature to identify serialized data\r\nand also present in each peer-to-peer protocol message. In addition to the peer list, Kelihos will create three more\r\nname/value pairs under this registry key that store (1) a master key value, (2) the last job ID value, and (3) the bot ID value\r\nencoded with Base64. Due to the bug mentioned earlier, these registry names will always be PersistentLocalizedName ,\r\nPlatformCompressedValid , and LineLoadedQuick . In addition, if Kelihos is running in router mode (see below), the\r\nregistry name RecordEnabledCheck will also be created. Despite the bug in the code, identifying the registry key that stores\r\nthe Kelihos configuration information is non-trivial. The precise location of the registry key is selected by computing a\r\nhistogram of the character length and the uppercase and lowercase frequencies for each key and subkey in the\r\nHKEY_CURRENT_USERS hive. The results of the histogram are then sorted, and the first entry in the list is chosen to hold the\r\nconfiguration information. Consequently, different infected machines will likely store the data in different locations.\r\nPeer-to-Peer Protocol\r\nInfected machines form a peer-to-peer network with a hierarchical architecture shown in Figure 2. There are three tiers,\r\nreferred to as job servers, router nodes, and worker nodes. When a system is infected, the malware checks the network\r\nadapter settings to determine whether it has a publicly routable IP address. 
If that is the case, the bot will start in the router\r\nmode of operation and create network services on TCP port 80 for peer-to-peer communications and on UDP port 53 for\r\nparticipating in the fast-flux network. If the system has no public IP address, the malware will start in worker mode and\r\nreceive tasks to generate spam emails.\r\nFigure 2. Kelihos Botnet Architecture\r\nThere are two primary types of peer-to-peer messages: peer lists and jobs. All peer-to-peer communications occur over TCP\r\nport 80, with peer lists being exchanged over a custom binary protocol and jobs being distributed using the same protocol\r\nwith the addition of HTTP encapsulation. This distinction comes from the fact that messages related to tasking are being\r\nprocessed by the HTTP-based backend servers, whereas all other messages are exchanged between nodes that are part of the\r\ndynamic, self-organizing, peer-to-peer network — there is no need to encapsulate these in HTTP sessions. The custom\r\nnetwork protocol used for all message types makes use of RSA to perform a key exchange among peers and subsequently\r\nencrypt data with this session key. The first packet of the key exchange is similar to the following:\r\n00000000 d5 e2 57 60 6c 55 55 45 03 10 48 40 99 5b 9f ad ..W`lUUE ..H@.\u003c.. 00000010 72 1e 36 2f 44 e1 00 0c\r\n16 dd 9e 04 30 46 02 41 r.6/D... ....0F.A 00000020 00 d0 5f a9 4d e0 34 a9 21 c8 e4 30 43 47 aa 7a .._.M.4.\r\n!..0CG.z 00000030 00 6f ea 0d a4 8f d6 3f b1 c9 6b c9 c4 93 54 5f .o.....? ..k...T_ 00000040 d7 70 1a de 1c\r\nb1 5c 4d ca cf 61 86 14 a4 31 63 .p....\\M ..a...1c 00000050 75 60 9e 9b 69 b4 8e d7 19 26 1f 56 66 49 ab bd\r\nu`..i... .\u0026.VfI.. 00000060 e3 02 01 11 79 e2 f6 4d f4 56 c1 22 6c 23 90 3a ....y..M .V.\"l#.: 00000070 60 4f\r\nbe 69 a3 78 f2 a0 bc c5 ff ca 99 c7 7c 18 `O.i.x.. ......|. 00000080 1b 65 26 2b 0f dd 1b e6 3a f4 13 e0 64\r\nbf 25 89 .e\u0026+.... :...d.%. 
00000090 86 ba e2 1f 5d d0 f1 06 e8 71 2e ea a5 b8 64 ef ....\u003e... .q....d.\r\n000000A0 ae bf 8d a7 ....\r\nThe first DWORD in the hexdump above specifies the protocol version. Its value has been generated by a bit-scrambling\r\nfunction with random entropy to obfuscate the actual version number, which was 5 in the last generation of the botnet. The\r\nsecond DWORD is the size of the message, which is obfuscated using another bit-scrambling function. The four bytes at\r\noffset 8 serve as a header for the payload data, which is composed of serialized blocks. This header has the following\r\nstructure:\r\n1. Number of blocks (0x03)\r\n2. Size of the first block: 16-byte session key (0x10)\r\n3. Size of the second block: peer’s RSA public key in BER format (0x48)\r\n4. Size of the third block: RSA signature of the 16-byte session key (0x40)\r\nThe remote peer responds with a message similar to the following:\r\n00000000 1a 28 72 06 f2 55 55 45 02 40 a1 01 40 b7 fd 8e .(r. .@..@... 00000010 e0 d1 88 4f ab cd 1d c3 fc\r\ne5 bf e2 5f 03 46 3f ...O.... ...._.F? 00000020 2f f3 43 92 67 15 ac ed 3c 68 49 88 27 55 5a b5 /.C.g...\r\n\u003chI.'UZ. 00000030 cf a4 92 c2 38 74 27 12 a8 1e e7 62 ef 63 49 9b ....8t'. ...b.cI. 00000040 e9 4f 85 3c 69\r\n1f d2 b6 d8 e6 52 38 04 88 3a 93 .O.\u003ci... ..R8..:. 00000050 41 b0 f8 b6 ef e0 a7 64 68 47 70 1a 2c 86 b7 93\r\nA......d hGp.,... 00000060 55 cd d3 c2 c5 8d b0 39 24 7c 20 bd 8d c4 35 10 U......9 $| ...5. 00000070 97 73\r\n1d 1c 0a 3c 29 92 8c 30 b6 bf ac cf a2 61 .s...\u003c). .0.....a 00000080 92 40 61 e7 06 32 11 74 41 c9 1c 3b b5\r\n9f 2d c4 .@a..2.t A..;..-. 00000090 d4 64 4e 04 e6 8f d9 69 27 e2 0a ae 6c 12 d8 59 .dN....i '...l..Y\r\n000000A0 3f 06 97 92 04 39 88 9b 57 1d cf 49 7f 78 ce 0e ?....9.. W..I.x.. 000000B0 ef b3 ea 31 3d f9 44 c0\r\n0a 30 ca e2 f4 50 84 0b ...1=.D. .0...P.. 
000000C0 2a d7 34 b8 cb 5d 11 70 52 4f 86 76 3e 6e b4 e1 *.4..\u003e.p\r\nRO.v\u003en.. 000000D0 94 a5 b0 94 2e 7c 7e 9b d6 41 ad 0b 48 3c 8b b0 .....|~. .A..H\u003c.. 000000E0 60 d9 a3 1b 19\r\nc7 84 d7 1f ac 97 5e 1e `....... ...^.\r\nThis packet contains the same header structure as described above, with the payload consisting of a Blowfish key encrypted\r\nwith the local peer’s RSA public key. This Blowfish key is used to decrypt the second data block, which contains a block\r\nstructure that is identical to the initial request, containing the session key, the remote peer’s RSA public key, and the remote\r\npeer’s signature of the 16-byte session key. If all values match, the cryptographic session has been successfully established.\r\nAfter the public key exchange is complete, Kelihos serializes subsequent messages and uses the session key to determine a\r\nsequence of “monkey” function calls in order to scramble and thus obfuscate the payload. Finally, the message is encrypted\r\nusing a random 16-byte Blowfish key that is, in turn, encrypted with the remote peer’s RSA public key. Each peer-to-peer\r\nprotocol message has a type identifier. The following list shows existing message types and their purpose:\r\n0 job task message\r\n1000 peer list exchange message\r\n1002 job request message\r\n1003 ping request\r\n1004 pong response\r\n1005 email harvest results message\r\nThe inner layer of the peer-to-peer protocol is a serialized message format processed by a library called ANMP that was later\r\npublished as open-source software (see the Attribution section). This library implements a basic run-length encoding of\r\nprimitive data types like integers, lists, lists of strings, maps and binary objects. Complex data types are supported in the\r\nform of vectors that combine multiple primitives. 
The serialization and deserialization code is relatively sound and of better\r\nquality than most malware code, however, it contains some mistakes that can result in crashes or worse. Serialized data is\r\nreduced in size with the Lempel-Ziv compression algorithm before being encrypted with the Blowfish cipher in CBC mode.\r\nWe developed our own code to be able to parse and generate Kelihos peer-to-peer protocol messages. The following sections\r\ninclude the output of several parsed messages as generated by our tools to visualize their structure.\r\nPeer List Messages\r\nThe most important part of any peer-to-peer network is the ability for peers to exchange lists of other nodes in order to share\r\ninformation about nodes that have joined the network with neighbors. This allows the network to self-organize dynamically\r\nin order to maintain connectivity between peers. It further eliminates a single point of failure as there is no central control\r\ninstance, which makes the network more resilient to disruption and takeover attempts. Each Kelihos peer exchange can\r\nprocess up to 500 entries, although peers maintain lists of up to 3,000 entries. Bots initiate a peer list exchange by sending\r\ntheir current peer list to another node. The receiving node will merge the remote peer’s list with its own and construct a\r\nresponse from the results. This design exhibits a fatal weakness that allows for active propagation of fake information in the\r\npeer-to-peer network. Peer list exchange messages contain an m_external_info_packed field that is digitally signed with\r\nRSA. This field contains a list of IP addresses and ports for job servers — central systems that are controlled by the botnet\r\noperator. This information is critical for router nodes to know where to proxy traffic upstream. 
The protocol also supports a\r\nfield for a list of special router node entries, called m_trusted_routers , that is also digitally signed with RSA; however, we\r\nnever observed populated values in this field. The list appeared to be designed as a resiliency measure to regain control of a\r\nrouter node by replacing its peer list with entries controlled by the Kelihos threat actor. Since whoever controls either of\r\nthese fields can easily take over the network, they were protected against misuse by digital signatures. An example of a\r\nparsed peer list is shown below (some fields are truncated for readability):\r\nm_client_id (1): cf735914-32ed-4aef-bbea-13237b7525f7 m_current_time (3): 2017-03-31 19:58:07 GMT (58deb4cf)\r\nm_success (4): 22626 m_bootstrap_list (5): m_clients_list (j): (500 elements) m_ip (b): 176.223.45\u003c.\u003e2\r\nm_listening_port (d): 80 m_last_active_time (g): 2017-03-31 19:03:40 GMT (58dea80c) m_client_id (p): 3b7813a4-\r\nc61f-43d0-8351-cc6b0765bf98 m_live_time (x): 468 m_ip (b): 100.82.77\u003c.\u003e2 m_listening_port (d): 80\r\nm_last_active_time (g): 2017-03-31 19:05:01 GMT (58dea85d) m_client_id (p): 42639ffe-2a48-4a61-9ec7-\r\n6f6340e9db9a m_live_time (x): 2676 m_last_start_build (a): 0 m_current_time (y): 1970-01-01 00:00:00 GMT\r\n(00000000) m_listening_port (s): 0 m_real_target_ip (v): 178.56.138\u003c.\u003e29 m_external_info_packed (vf):\r\nm_external_info_id (g): 2017-02-16 08:05:17 GMT (58a55d3d) m_external_data_blob (d): (encrypted blob)\r\nm_job_servers (2): (4 elements) m_ip (2): 194.165.16\u003c.\u003e66 m_port (6): 80 m_ip (2): 194.165.16\u003c.\u003e69 m_port\r\n(6): 80 m_ip (2): 91.195.103\u003c.\u003e13 m_port (6): 80 m_ip (2): 91.195.103\u003c.\u003e14 m_port (6): 80 m_list_id (7):\r\n2017-02-16 08:05:17 GMT (58a55d3d) m_external_data_signature (h): string (256 bytes): 0x00000000 65 29 8e 69 a7\r\n59 e5 37 f8 37 73 49 0c 44 
2b 31 0x00000010 db 2f bb 12 d4 96 85 bf cc 76 0c 4a 08 7f d6 f9 ...\r\nm_trusted_routers (0): m_external_info_id (g): string (8 bytes): 71f010f05b6bdcfe m_external_data_blob (d):\r\nstring (0 bytes): m_external_data_signature (h): string (0 bytes):\r\nGolden Parachute Domain\r\nEvery Kelihos sample had a hard-coded domain name that the author referred to as a “golden parachute domain.” The\r\npurpose of this domain is to assist a bot in regaining access to the peer-to-peer network if no nodes in its peer list are\r\nreachable. This may occur naturally if an infected system has been offline for a period of time. The golden parachute domain\r\nis hosted by the Kelihos fast-flux DNS service and resolves to the IP address of a current router node, which is sufficient for the\r\nbot to bootstrap and regain connectivity with the network. The last golden parachute domains we observed were\r\ngorodkoff\u003c.\u003ecom and goloduha\u003c.\u003einfo . Resolution attempts for these may be indicative of a Kelihos infection.\r\nJob Messages\r\nKelihos provides configuration information and commands to infected systems through job messages. Requests for jobs are\r\nsent as HTTP requests using a word from the path list shown below, appended with an .htm extension.\r\ndefault\r\nfile\r\nhome\r\nindex\r\ninstall\r\nlogin\r\nmain\r\nonline\r\nsearch\r\nsetup\r\nstart\r\nwelcome\r\nAn example Kelihos job request appears similar to the following:\r\nGET /file.htm HTTP/1.1 Host: 103.229.85.197 Content-Length: 7515 User-Agent: Mozilla/5.0 (Windows NT 6.2)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36\r\nThis HTTP request is anomalous, as it combines the GET method with binary data in the body. To make network signature\r\ngeneration more difficult, Kelihos randomizes the User-Agent string from a list that is hard-coded into the malware.\r\nDownload-and-Execute Commands\r\nKelihos has the ability to push arbitrary second-stage payloads to infected systems. 
This\r\nfeature can be used to update the binary or deliver additional malware. The command provides a digitally signed URL to\r\nprevent unauthorized delivery of payloads.\r\nSpam Jobs\r\nAs mentioned above, the primary purpose of Kelihos is to distribute spam emails. The botnet operates as a service that\r\nallows other criminals to pay to deliver their own spam. The behavior of the Kelihos SMTP spam engine is controlled by the\r\nm_mail_section configuration section in a job task. This provides the infected system with all the instructions necessary to\r\ncarry out a spam campaign, such as the email address target list, name servers for MX records, and the email content.\r\nKelihos nodes running in worker mode (those with a non-public IP address) conduct direct SMTP spam activities. This\r\nprevents Kelihos router nodes from getting blacklisted by anti-spam services. An example spam template configuration is\r\nshown below (some fields have been removed or truncated for brevity):\r\nm_mail_section (b3): m_generic_config (g): m_threads_count (c): 0 m_send_queue_max_size (v): 20000\r\nm_reports_mode (b): 0 m_adress_per_client (n): 10000 m_smart_mailing (s): 1 m_smart_threads_max (f9): 0\r\nm_smart_level (k): 70 m_sockets_max (p): 1024 m_errors_num_to_ban (e): 300 m_sleep_when_ban (w2): 3600\r\nm_dns_list (x): (string list with 11 elements): 156.154.71\u003c.\u003e22 208.67.220\u003c.\u003e220 ... m_dns_ip (u5):\r\n156.154.71\u003c.\u003e22 m_smtp_ip (h6): 98.136.216\u003c.\u003e26 m_tasks (v): m_task (d): (4 elements) m_address (e):\r\n(string list with 2500 elements): mc@wanadoo\u003c.\u003efr ma@wanadoo\u003c.\u003efr ... m_body (r): string (323 bytes):\r\nReceived: from unknown (HELO localhost) (%^C0%^Fnames^%@%^Fdomains^%^%@%^C6%^ I^%.%^I^%.%^I^%.%^I^%^%) by\r\n%^A^% with ESMTPA; %^D%^R20-300^%^% From: %^V0^% To: %^0^% Subject: Can you have enjoyment 5 times a\r\nnight? 
Date: %^D-%^R30-600^%^% Unbelievable revealing effect on male health\r\nhttp://infinitive.zfjvyfhw\u003c.\u003eru/ m_name (g): string (1 bytes): 2 m_address (e): (string list with 2500\r\nelements): cric@optusnet\u003c.\u003ecom.au claire_fri@health.qld\u003c.\u003egov.au ...\r\nDistributed Denial-of-Service Attacks\r\nA relatively unknown feature of Kelihos is the bot’s capability to participate in DDoS attacks. To command an attack, the\r\nbotnet operators simply included a special section with parameters specifying the target, type, and intensity in the tasking\r\nmessages that are periodically requested by each infected machine. The following is a representation of a parsed example\r\nconfiguration that would instruct the bot to perform HTTP requests against the specified IP address, with 50 simultaneous\r\nconnections and a delay of one second between cycles.\r\nm_ddos_config (jz): m_config_id (y): 2017-03-14 13:43:57 GMT (58c7f39d) m_attack_list (z5): (string list\r\nwith 1 elements): 185.53.168\u003c.\u003e141:80 m_sockets_count (s): 50 m_sleep_msec (e): 1000 m_flags (w): 01\r\nDDoS commands in the Kelihos botnet were rare. We observed an attack in November 2016, followed by several months\r\nwithout the feature being used before more attacks were launched between March 14 and 17, 2017. The first of these new\r\nattacks started on March 14, 2017 at 13:43:57 GMT and targeted the host 185.53.168\u003c.\u003e141. According to historic DNS\r\ninformation, this IP address was at that time associated with the website ikra\u003c.\u003etop , a Russian internet portal for running\r\nadvertisement campaigns on websites. This attack configuration was last observed on March 15, 2017 at 18:44:54 GMT,\r\nimmediately followed by an attack against 104.31.253\u003c.\u003e10, and later against other IP addresses in the 104.16.0\u003c.\u003e0/12\r\nnetwork range. This network is operated by Cloudflare, a provider of DDoS protection services. 
The previously targeted\r\nadvertisement service appears to have moved to Cloudflare following the initial attack, which may be the reason for the\r\nreconfigured targeting. A second attack that targeted the host 154.46.32\u003c.\u003e129 started on March 14, 2017 at 14:44:42 GMT.\r\nThis IP address was associated with the Russian Bitcoin exchange online service utbs\u003c.\u003ews. After five hours, the target was\r\nreconfigured to 151.139.244\u003c.\u003e11, an IP address operated by DDoS protection service provider StackPath, headquartered in\r\nTexas, that took over the hosting of the exchanger’s website. A short-term reconfiguration to 107.154.147\u003c.\u003e104 — an\r\naddress operated by protection service provider Incapsula — cannot definitively be associated with this attack but it is likely\r\nrelated. The botnet operators’ motives behind these attacks are unclear. Kelihos was primarily used for the distribution of\r\nspam emails. Of note, both targeted sites offered Russian-language online services that were potentially attractive for\r\ncriminals acting out of Russia. It is possible that the operator of Kelihos was engaged in a business relationship with the\r\ntargets and launched retaliatory attacks after non-beneficial deals, or in order to inhibit a competitor. Another possible\r\nexplanation is that these attacks were an attempted vehicle for extortion.\r\nClick Fraud\r\nLevashov constantly sought new ways to monetize infections. To further increase criminal revenue, a feature was added to\r\ngenerate fake clicks on websites. This became part of a click-fraud affiliate program that was started at the end of 2013 and\r\noperated at the website sevpod\u003c.\u003ecom . However, for unknown reasons, the click fraud operation was suspended in 2016\r\nand the clicker feature has rarely been used since then. We observed that this feature was used, in this case, for the purpose of\r\nwhat appears to be a DDoS attack. 
The clicker code was still present in the final build of Kelihos, and job servers still\r\nprovided a configuration for the module until its demise. The clicker operates by instantiating an IWebBrowser2 Object\r\nLinking and Embedding (OLE) object to control an Internet Explorer browser in a hidden desktop. The m_sites_list field\r\nin job tasks specified a list of URLs to visit. The webpage is parsed using the IHTMLDocument2 interface to extract the links\r\non the page. After extraction, the Kelihos clicker module tries to blend in with normal user behavior by moving the mouse to\r\nrandom locations with varying speeds (between 50-300 pixels per second) before clicking on the site’s links — which in the\r\nevent of a click fraud campaign would include online advertisements. An example of a (blank) clicker configuration is\r\nshown below.\r\nm_clicker_config (8): m_config_id (4): 2017-04-03 18:02:01 GMT (58e28e19) m_sites_list (p): (0 elements)\r\nIP Filter List\r\nThere were a total of four successful takeovers of the Kelihos botnet through peer list poisoning. With the exception of the\r\nlast, Levashov purchased new infections and recreated the botnet from scratch in each case. To make future disruption\r\nefforts more difficult, the author of the Kelihos malware added countermeasures to prevent researchers from tampering with\r\nthe peer-to-peer network. 
One such measure is an IP address blacklist that instructs infected systems to prevent\r\ncommunications with any suspicious peers.\r\nm_ip_filter_config (34): m_config_id (y): 2017-03-31 22:40:09 GMT (58dedac9) m_block_loopback_ip (r): 1\r\nm_hosts (e): (string list with 1403 elements): 0.0.0\u003c.\u003e0 0.0.0\u003c.\u003e1 0.0.0\u003c.\u003e2 0.0.0\u003c.\u003e3 127.0.0\u003c.\u003e1\r\n87.226.16\u003c.\u003e42 ...\r\nFast-Flux DNS Hosting\r\nOne of the most important features of Kelihos, beyond its spam abilities, was its ability to serve as a fast-flux hosting\r\nservice. To facilitate this service, the botnet implemented a technique known as double-flux DNS where both DNS A\r\nrecords, the one for the nameserver and the one for the domain itself, point to infected machines. These entries used a time-to-live (TTL) value of 0 to prevent caching. This could be observed by performing a DNS query for the domain\r\nns1.goloduha\u003c.\u003einfo , as shown below:\r\n; \u003c\u003c\u003e\u003e DiG 9.9.5 \u003c\u003c\u003e\u003e ns1.goloduha.info ;; global options: +cmd ;; Got answer: ;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY,\r\nstatus: NOERROR, id: 53362 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT\r\nPSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ns1.goloduha.info. IN A ;; ANSWER\r\nSECTION: Ns1.goloduha.info. 
0 IN A 27.147.125\u003c.\u003e109\r\nSimilarly, performing a DNS request for the domain goloduha\u003c.\u003einfo produced the following output:\r\n; \u003c\u003c\u003e\u003e DiG 9.9.5-3ubuntu0.8-Ubuntu \u003c\u003c\u003e\u003e goloduha.info ;; global options: +cmd ;; Got answer: ;; -\u003e\u003eHEADER\u003c\u003c-\r\nopcode: QUERY, status: NOERROR, id: 43375 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:\r\n1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;goloduha.info. IN A ;;\r\nANSWER SECTION: goloduha.info. 0 IN A 112.185.217\u003c.\u003e57\r\nA parsed configuration that instructs a subset of router nodes to participate in the fast-flux service is shown below. The\r\nm_domains field specifies a list of domains for which queries should be answered, and the m_hosts field provides a\r\nmapping for these domains to a list of router node IP addresses. The code in the malware responsible for checking queried\r\ndomains against the list uses regular expression pattern matching and makes sure that arbitrary subdomains resolve as well.\r\nAny HTTP request for a website hosted on the fast-flux network was forwarded upstream through a router node.\r\nm_dns_config (j): m_config_id (5): 2017-03-30 18:42:40 GMT (58dd51a0) m_domains (yy): (string list with 9\r\nelements): betaler\u003c.\u003ecom greystoneexpress\u003c.\u003ecom gorodkoff\u003c.\u003ecom combach\u003c.\u003ecom shoponlinesoft\u003c.\u003ecom\r\ngoloduha\u003c.\u003einfo zavodchikshop\u003c.\u003ecom ykxitfaf\u003c.\u003eru m_hosts (d): (string list with 29 elements): 101.96.39\u003c.\u003e79\r\n112.185.217\u003c.\u003e57 ... m_domain_ips (a): (0 elements)\r\nSOCKS Proxy Service\r\nKelihos utilized two primary methods to distribute spam: via direct SMTP using its built-in spam engine, and by leveraging\r\nstolen email credentials to authenticate and spam through legitimate mail servers. 
In order to mask the origin of a spam run,\r\nKelihos hosted a SOCKS5 proxy service on router nodes. Access to this proxy network was rented out to other criminal\r\ngroups and was restricted by providing a list of allowed IP addresses in job tasks. An example configuration is shown below:\r\nm_socks_config (d): m_config_id (s): 2017-02-12 14:21:44 GMT (58a06f78) m_allowed_ip (f): (string list with\r\n1377 elements): 102.118.103\u003c.\u003e102 102.121.102\u003c.\u003e117 ...\r\nNetwork Packet Capture\r\nKelihos utilized the WinPcap library to snoop on a host’s network traffic, searching for the plaintext protocols HTTP, FTP,\r\nPOP, and SMTP. Captured credentials were exfiltrated to the job servers via router nodes.\r\nFTP Account Harvesting\r\nKelihos has built-in support for stealing credentials stored in password managers for 51 different programs. In the past,\r\nZOMBIE SPIDER has used these stolen credentials to host malicious content on the respective servers. The following list\r\nshows all programs targeted by the Kelihos FTP credential harvester:\r\n32bit FTP\r\n3DFTP\r\nALFTP\r\nBitKinex\r\nBlaze\r\nBulletProof\r\nClassic FTP\r\nCoffeeCup\r\nCore FTP\r\nCuteFTP\r\nCyberDuck\r\nDeluxe\r\nDirectory Opus\r\nExpanDrive\r\nFAR Manager FTP\r\nFFFTP\r\nFilezilla\r\nFlashFXP\r\nFreeFTP/DirectFTP\r\nFrigate3\r\nFTP Control\r\nFTP Explorer\r\nFTPGetter\r\nFTPRush\r\nGlobal Downloader\r\nIE\r\nLeapFTP\r\nLeech\r\nLinas\r\nMyFTP\r\nNetDrive\r\nNetfile\r\nNexus\r\nNotepad++\r\nNovaFTP\r\nPutty\r\nRobo\r\nSecureFX\r\nSherrod\r\nSmartFTP\r\nSoftX FTP Client\r\nStaff\r\nTFTPInfo\r\nTurboFTP\r\nWebDrive\r\nWebSitePublisher\r\nWindows/Total Commander\r\nWinSCP\r\nWISE\r\nWisper/Surfer\r\nXFTP\r\nUSB Spreader\r\nKelihos has built-in support for spreading via removable drives. 
The spreading process replaces directories on removable\r\ndrives with a .lnk file that, when accessed, executes a Kelihos binary before displaying the expected directory contents.\r\nThe executable filename was randomly chosen from the list below, appended with an .exe suffix. The USB spreader could\r\nbe enabled or disabled based on the variable m_use_hello_friends in the m_general_settings section of job messages.\r\nThe malware executable’s file attributes were set to hidden so that it would not appear in a standard directory listing.\r\nclick\r\ngame\r\nhentai\r\ninstall\r\ninstaller\r\npassword\r\nporn\r\nrun\r\nscreensaver\r\nsetup\r\nBitcoin Mining and Theft\r\nPrior versions of Kelihos had the ability to mine Bitcoins; however, the mining process has become too computationally\r\nexpensive for modern CPUs. As a result, the malware has switched to stealing wallets from infected systems instead.\r\nKelihos specifically searches for the following Bitcoin wallet files on a victim’s system and exfiltrates them if they exist:\r\n%APPDATA%\\Bitcoin\\wallet.dat\r\n%APPDATA%\\Roaming\\Bitcoin\\wallet.dat\r\nAttribution\r\nThe main threat actor behind ZOMBIE SPIDER, CrowdStrike’s name for the Kelihos operation, is Peter Yuryevich\r\nLEVASHOV. He used the moniker Peter Severa or Severa. Levashov was a member of several Russian underground forums\r\nwhere he advertised his products and voiced his opinions. The avatar used by Levashov was a dragon-like character shown\r\nin Figure 3.\r\nFigure 3. 
Avatar Used by Severa\r\nShortly after his arrest, forum accounts\r\nassociated with the user Severa were banned, removing his contact information and historical posts. Prior to Levashov’s\r\narrest, the actor was routinely communicating in the underground marketplace under the alias Severa to advertise his botnet\r\nand spam services, his click-fraud affiliate program (SevPod), his fake antivirus program (SevAntiVir) and access to\r\ncriminal infrastructure. Severa regularly advertised his spam services on criminal forums ranging in price from $200-500\r\nUSD, depending on the service required. Services varied — from pharmaceutical advertising to employment lures to Trojan\r\ndistribution. In 2014, during a period in which several countries imposed sanctions against Russia, Severa offered customers\r\na discount on his spam service for one month, if it was used against countries that played a part in setting the sanctions (for\r\nexample, Ukraine or countries in the European Union or North America).\r\nPossible Ties to the Russian Government?\r\nThere has been speculation that some criminal threat actors, including Severa, have had ties to the Russian government9 10.\r\nIn criminal underground forums, members discussed Severa having connections to the Russian government, such as the\r\nFederal Security Service (FSB), possibly due to his frequent displays of patriotism for Russia. There is no clear evidence\r\nthat these claims were legitimate, but Severa played into these rumors with a forum post on April Fools’ Day in 2013. In this\r\npost, Severa discussed an offer that he allegedly received from the FSB to lead a team in their Center for Information\r\nSecurity, in a new division called the OSBIB (Separate Special Battalion of Information Security). He claimed that he was\r\nordered to hire the first 100 members of this team (out of the 500 required within the first year) and that he had been given\r\nsignificant latitude in the recruitment process. 
Severa described the intent of this new department as protecting Russia from\r\nelectronic threats and providing a reactive response if required. The post instructed interested applicants to submit a resume\r\nand specifically requested details about illegal hacking activities and botnet development. Severa also remarked that if an\r\napplicant had conducted criminal activity but was hired into the program, they would be given full amnesty. The primary\r\nrequirements for applicants were that they have Russian citizenship, be between 18 and 45 years of age, have a strong\r\nknowledge of computer security, work well in teams, and possess excellent problem-solving skills. Applicants with a higher\r\neducation in a technical field as well as those with past military experience were preferred. Severa also stated that those who\r\nwere successful in the interview process would be subject to a trial period and would receive official officer ranks thereafter.\r\nThe post explained that the office would be based in Moscow and those employed would receive a full FSB benefits package,\r\nincluding family accommodation, and a salary starting from 150,000 Rubles per month. Severa concluded the post with a\r\nmessage of Russian solidarity, stating that it was time to pay back the motherland. Although this post was written on April\r\nFools’ Day (Severa had also written a post on the prior April Fools’ Day about working for Microsoft), there is a possibility\r\nthat the timing was intentional for plausible deniability. The most concrete evidence that Levashov may have had a\r\nrelationship with the Russian government is from when he appeared in a Spanish court in September 2017 to fight\r\nextradition to the United States. During the trial, Levashov stated that he had worked as a military officer for Russian\r\npresident Vladimir Putin’s United Russia party for the last ten years, gathering information on the opposition11. 
However,\r\nhis claim was later denied by United Russia.\r\nThe Author of the Kelihos Malware\r\nWhile Levashov was the operator of the Kelihos botnet, he likely did not write the malware. At least one of the actors\r\nresponsible for authoring the malware appears to be a Russian individual named Andrey SABELNIKOV. There are several\r\nstrong links associated with Sabelnikov, including his GitHub page8 shown in Figure 4. The project, known as epee, contains\r\na significant portion of the non-malicious parts of Kelihos, including a custom and complex serialization library, network\r\nfunctions, registry tools, hashing routines, and an SMTP client.\r\nFigure 4. Screenshot of Sabelnikov’s Public GitHub Page\r\nOutlook\r\nWith the Kelihos spam botnet no longer in operation and Levashov behind bars, multiple criminal operators turned to\r\ndifferent spam botnets to distribute their crimeware. Spam botnets such as CraP2P (often wrongly identified as Necurs,\r\nwhich is a for-sale rootkit that is used by multiple botnets) and Cutwail are viable replacement options. CraP2P has\r\nfrequently been used to distribute other malware such as Locky and Dridex, but also supported large-scale spam campaigns\r\nfor dating advertisement and pump-and-dump scams after the demise of Kelihos. Both of these spam campaign types were\r\npreviously distributed by the Kelihos spam botnet, indicating that respective ZOMBIE SPIDER customers may have\r\nswitched services. One spam alternative was offered by a criminal actor who is thought to have been one of ZOMBIE\r\nSPIDER’s main competitors, having had previous disagreements on who provides better services. 
This individual reminded\r\nusers of his spam services in a forum thread about Severa’s arrest, posted just three days later.\r\nAppendix\r\nAlthough the Kelihos botnet is now inactive and no longer under the control of ZOMBIE SPIDER, there may be some\r\ninfections left. To help identify and clean them up, we share the YARA rule below, which looks for the\r\nthree RSA keys mentioned above. Since Kelihos executables are packed with various packers, this rule is unable to detect\r\nvariants on disk. Instead, it should be used for scanning the memory of running processes.\r\nrule kelihos_e : kelihos commodity spambot {\r\n    meta:\r\n        copyright = \"CrowdStrike, Inc\"\r\n        description = \"Kelihos.E embedded RSA keys\"\r\n        version = \"1.0\"\r\n        last_modified = \"2018-11-29\"\r\n        malware_family = \"Kelihos.E\"\r\n        in_the_wild = true\r\n    strings:\r\n        $rsakey_extinfo = \"MIIBCAKCAQEArhNkAqO5rfZkXRlmtrZQ4lB0HDPCF9pROK0upgPxKamx7W8mY7GBe3Qk6npYNxHNtV6DN1g+EoSQaMfhpxxlcvMCnvuivJdLN6oQg7UWfqx2CKNvCLObIKEXjlBW\r\n        $rsakey_jobinfo = \"MIIBCAKCAQEAn5+cs80qt/4pslfUwTspXxTxVzmk0f9Oxt8on/jyQiuIG/oAhvefsYaDX/xivlvft34T0PhF/8/oAuXCfH4KPJ+GYFLe1hFR7EVdPfVKPRcTd4RB7tUHXpPUQ/m0\r\n        $rsakey_routers = \"MIIBCAKCAQEAqQ8pkPATx8TUt7IaMWXcUwGpkZKmyrHyZj4Asf0f/gXi/FjisO91yNEbuG0ilVNQg+Y4jaycxp/o+iEoEF9CmozwP5F8I9UclBnopTpcHoDdlnWzC99IAkuqpqIM\r\n    condition:\r\n        all of them\r\n}\r\nFootnotes\r\n1. https://blogs.technet.microsoft.com/microsoft_blog/2010/02/24/cracking-down-on-botnets/\r\n2. https://securelist.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-the-hluxkelihos-botnet-15/31058/\r\n3. /content/crowdstrike-www/language-masters/global/en/blog/p2p-botnet-kelihosb-100000-nodes-sinkholed/\r\n4. /content/crowdstrike-www/language-masters/global/en/blog/peer-peer-poisoning-attack-against-kelihosc-botnet/\r\n5. https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0\r\n6. https://krebsonsecurity.com/tag/peter-severa/\r\n7. 
https://www.justice.gov/opa/pr/russian-national-who-operated-kelihos-botnet-pleads-guilty-fraud-conspiracy-computer-crime\r\n8. https://github.com/sabelnikov/epee\r\n9. https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html\r\n10. https://www.forbes.com/sites/thomasbrewster/2017/03/20/alexsey-belan-yahoo-fbi-hacker-allegations/\r\n11. https://www.bloomberg.com/news/articles/2018-09-12/russion-who-ran-kelihos-botnet-pleads-guilty-in-connecticut\r\nLearn More:\r\nFor more information on how to incorporate intelligence on threat actors like ZOMBIE SPIDER into your security strategy,\r\nplease visit the Falcon Intelligence product page. Download the CrowdStrike 2020 Global Threat Report. Learn more about\r\nCrowdStrike’s next-gen AV solution by visiting the Falcon Prevent product page. Test Falcon Prevent for yourself with a\r\nfree 15-day trial today.\r\nSource: https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/"
	],
	"report_names": [
		"farewell-to-kelihos-and-zombie-spider"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e312df00-4c6f-44c3-b717-4b72800c7697",
			"created_at": "2023-01-06T13:46:39.03345Z",
			"updated_at": "2026-04-10T02:00:03.190159Z",
			"deleted_at": null,
			"main_name": "ZOMBIE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:ZOMBIE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c3ca3f2-9a6a-463e-869c-e9bf02d398d7",
			"created_at": "2022-10-25T16:07:24.59432Z",
			"updated_at": "2026-04-10T02:00:05.047762Z",
			"deleted_at": null,
			"main_name": "Zombie Spider",
			"aliases": [],
			"source_name": "ETDA:Zombie Spider",
			"tools": [
				"Hlux",
				"Kelihos",
				"Waledac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434343,
	"ts_updated_at": 1775791997,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e62786aff45ba93211980d281b071acf1e753fdb.pdf",
		"text": "https://archive.orkl.eu/e62786aff45ba93211980d281b071acf1e753fdb.txt",
		"img": "https://archive.orkl.eu/e62786aff45ba93211980d281b071acf1e753fdb.jpg"
	}
}