{
	"id": "a69de578-455d-4cde-b780-02f575397c42",
	"created_at": "2026-04-06T00:19:35.167593Z",
	"updated_at": "2026-04-10T13:11:48.700472Z",
	"deleted_at": null,
	"sha1_hash": "f092604f700432c2453e382060774e1854c2fc43",
	"title": "What’s Next in Malware After Kuluoz?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 141939,
	"plain_text": "What’s Next in Malware After Kuluoz?\r\nBy Ryan Olson\r\nPublished: 2015-08-10 · Archived: 2026-04-05 18:22:04 UTC\r\nRegular readers of this blog have heard all about the infamous Kuluoz malware. This family was the latest\r\nevolution of the Asprox malware and at its peak in 2014 it accounted for 80% of all malware sessions we observed\r\nin WildFire. When the team published our Threat Landscape Review in December of last year, we highlighted this\r\nfamily as a scourge that impacted nearly every company Palo Alto Networks protected in 2014. Kuluoz was\r\nprimarily distributed through e-mail, which means we saw large numbers of SMTP sessions, but also downloads\r\nover a variety of webmail clients.\r\nEven if you didn’t read our blogs, you probably dealt with Kuluoz. Throughout 2014, most of the waves of spam\r\ne-mails carrying fake court notices, voicemail messages and package delivery alerts carried a Kuluoz attachment.\r\nIf you opened these attachments you quickly became part of the botnet, sending copies of the malware to other\r\nvictims while the botmaster silently installed additional malicious software on your system.\r\nGiven all of this activity, we were quite surprised when the malware all but disappeared at the end of December\r\n2014.\r\nThe screenshot above shows the number of malware sessions per week that we tagged as “Kuluoz” in the\r\nAutoFocus service. When we first noticed the drop-off, our suspicion was that we were “missing” the new Kuluoz\r\nsamples. Just weeks earlier we published a report that highlighted their tactics -- a tactical shift in response would\r\nnot have been unprecedented.\r\nAs weeks turned into months, we found that Kuluoz didn’t return. 
We weren’t the only ones who noticed; Brad\r\nDuncan wrote a blog for the SANS indicating that the e-mails which had previously carried Kuluoz were now\r\njust…spam.\r\nBased on the data we’ve collected, the Kuluoz command and control infrastructure largely shut down in January\r\nand the botnet is no more. We continue to capture new samples of Kuluoz in WildFire as orphaned infections\r\ncontinue sending out newly-crypted variants of the malware, but the numbers are a tiny fraction of Kuluoz at its\r\npeak.\r\nThe original Asprox botnet has gone through multiple incarnations since it came online in 2007. We’ve not yet\r\nseen any indication that the individuals behind these attacks have been arrested or forced to stop operating, so it’s\r\nlikely that they’ve shut down this botnet to regroup and redeploy after they’ve found ways to evade the detections\r\ndeployed by the security industry. After all, sending 80% of all malware puts you pretty high on everyone’s list of\r\npriorities.\r\nIf you are wondering what malware has replaced Kuluoz as our top family, the reigning champion is Upatre,\r\nwhich is a downloader that typically installs the Dyre banking Trojan or the CryptoWall Ransomware. It’s not\r\nnearly as prevalent as Kuluoz, but it’s certainly making an impression:\r\nSource: https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/"
	],
	"report_names": [
		"whats-next-in-malware-after-kuluoz"
	],
	"threat_actors": [],
	"ts_created_at": 1775434775,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f092604f700432c2453e382060774e1854c2fc43.pdf",
		"text": "https://archive.orkl.eu/f092604f700432c2453e382060774e1854c2fc43.txt",
		"img": "https://archive.orkl.eu/f092604f700432c2453e382060774e1854c2fc43.jpg"
	}
}