{
	"id": "d4c03f6a-cd81-421e-bdd0-cc199096835d",
	"created_at": "2026-04-06T00:08:19.788729Z",
	"updated_at": "2026-04-10T03:20:47.756116Z",
	"deleted_at": null,
	"sha1_hash": "fd5e906b1f18bda06040c863e56294b03480af1e",
	"title": "World's Largest Spam Botnet Finds a New Way to Avoid Detection... For Now",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1024164,
	"plain_text": "World's Largest Spam Botnet Finds a New Way to Avoid Detection... For\r\nNow\r\nBy Catalin Cimpanu\r\nPublished: 2018-04-27 · Archived: 2026-04-05 20:17:29 UTC\r\nNecurs, the world's largest spam botnet, with millions of infected computers under its control, has updated its arsenal and is\r\ncurrently utilizing a new technique to infect victims.\r\nThis new technique consists of sending an email to a potential victim containing an archive file, which unzips to a file with\r\nthe extension of .URL. This is a typical Windows shortcut file that opens a web page directly into a browser, instead of a\r\nlocation on disk.\r\nThe final destination of this link is a remote script file that downloads and automatically executes a final payload.\r\nhttps://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/\r\nPage 1 of 5\n\nNecurs dropping Quant Loader via .URL shortcut files\r\nFor this particular spam run, Necurs had been infecting victims with Quant Loader, a run-of-the-mill and nothing-special\r\nmalware family that is intended only to gain boot persistence and download another strain of more potent malware down the\r\nroad.\r\nWhile this technique is most likely not new entirely, as crooks have abused .URL files in the past, it is new for Necurs. 
What\r\nmakes this technique stand out is the simplified infection chain, which now relies only on delivering a zipped .URL shortcut\r\nfile.\r\nFor the past six years, since Necurs has been around, the botnet's operators have rarely used such a simple spam technique\r\nand have always relied on complicated infection chains.\r\nWe've seen stuff like one-time or double-zipped archives delivering WSF files, JS files, Visual Basic scripts, and all sorts of\r\nOffice file formats, either boobytrapped with macros or leveraging exploits to infect victims.\r\nNew technique evades email malware scanners\r\nThe purpose of this much simpler routine is to avoid malware scanners that analyze emails, looking for malicious links or\r\nboobytrapped attachments. Such solutions work on preset rules, many of which have been set up by security researchers\r\nbased on previously observed malicious patterns.\r\nThe deployment of a simple .URL file is not a game-breaker, as security researchers only need to update existing detection\r\nrules with a new one, but this will give the Necurs botnet time to breathe and infect victims more easily in the following weeks, as\r\nemail malware scanners will receive updated detection rules.\r\nAt that point, just like we've seen Necurs do in past years, botnet operators will just make a small tweak to the infection\r\nchain —like putting the .URL file inside a double-zipped file instead of a one-time zipped file— and this whole cat and\r\nmouse game will start anew.\r\nHow users can protect themselves\r\nWhat users need to know —or remember, if they're old enough to have seen this trick before— is that .URL files work like\r\ntypical Windows shortcut files, such as .LNK, and hence can use custom icons.\r\nTrend Micro, the cyber-security firm that spotted this recent Necurs .URL-based malspam campaign, warns that crooks are\r\nusing the standard folder icon to hide .URL files.\r\nThis makes it somewhat easy to trick users into thinking the email file 
attachment they just unzipped has created a folder\r\nthat they need to enter and view the actual file. Unfortunately, this is what crooks want because trying to access this faux\r\nfolder will launch the infection chain.\r\nBut there is a giveaway that may protect users. Just like every other typical Windows shortcut file, .URL files also show the\r\nclassic arrow icon on the bottom-left corner of the folder icon, like in the image below.\r\nIf you ever spot such markers on files you received via email attachments, these files are malicious 100 percent, and users\r\nshould avoid opening them.\r\nSource: https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
	],
	"report_names": [
		"worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now"
	],
	"threat_actors": [],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd5e906b1f18bda06040c863e56294b03480af1e.pdf",
		"text": "https://archive.orkl.eu/fd5e906b1f18bda06040c863e56294b03480af1e.txt",
		"img": "https://archive.orkl.eu/fd5e906b1f18bda06040c863e56294b03480af1e.jpg"
	}
}