After Google’s disruption, Glupteba malware has returned to action

After being shut down by Google nearly a year ago, the Glupteba botnet malware has reactivated and infected devices around the world.

Google caused a in the blockchain-enabled botnet on December 20, 2021. It secured court orders to control the botnet’s infrastructure, and filed complaints against two Russians.

Nozomi reports now that TLS certificate registrations and blockchain transactions have been registered. Reverse engineering Glupteba sample shows a large-scale Glupteba operation that began in June 2022. It is currently ongoing.

The blockchain is your secret weapon

Glupteba, a modular, blockchain-enabled malware, infects Windows computers to steal passwords and cookie information, then deploy proxies onto Windows and IoT devices.

Later, these proxies can be sold to cybercriminals as “residential proxy”.

Malvertising on Pay-per-Install (PPI) networks, traffic distribution systems, (TDS), pushing installers (misleading them as free software, movies, or videos) is the main way that malware is distributed.

Glupteba uses the Bitcoin blockchain for its ability to evade disruption. It receives updated lists from command and control servers that it should contact to get commands executed.

Clients of the botnet retrieve C2 server addresses using a discovery function. This discover function enumerates Bitcoin wallets servers and retrieves transactions. It then parses these to locate an AES encrypted address.

Discover function used for retrieving C2 domains


This strategy, which offers resilience against takedowns, has been used by Glupteba for many years.

Because blockchain transactions can’t be deleted, C2 addresses takedown efforts only have limited effect on the botnet.

Additionally, without a Bitcoin Private Key, law enforcement can’t place payloads onto the controller addresses. This makes it impossible for botnet takeovers and global deactivations such as the one that .

There is one downside to the Bitcoin blockchain: it is openly accessible. Anyone can view transactions and gather information.

The Return of Glupteba

that Glupteba uses the blockchain the same way today. Therefore, its analysts scanned all of the blockchain to uncover hidden C2 domains.

It was a huge effort that involved the examination of 1500 Glupteba specimens uploaded to VirusTotal in order to extract wallet addresses. Also, the attempt to decrypt transaction payload information using the keys associated to the malware.

Nozomi finally used passive DNS records for Glupteba hosts and domains, and then examined the most recent TLS certificate used by malware to reveal more about the infrastructure.

Nozomi’s investigation revealed 15 Bitcoin addresses that were used in four Glupteba campaign campaigns. The most recent started in June 2022. This was six months after Google lost its disruption. The campaign continues.

The botnet is now more resilient than ever thanks to this campaign, which uses more Bitcoin addresses.

Diagrams of blockchain transactions. Left to right: 2022 (most complicated), 2020 (most sophisticated), and 2019 campaigns (Nozomi).

Moreover, the C2 server use of TOR’s hidden services has increased tenfold since 2021, when the campaign was launched. This is due to a similar redundancy strategy.

It had 11 transactions, and sent 1,197 samples. The last activity was registered November 8, 2022.

Nozomi reports that there have been many Glupteba domain names registered as recently as November 22nd, 2022. This was also confirmed via passive DNS data.

The above shows that the Glupteba Botnet is back. It’s also more powerful than ever and could be even more resilient. This means it has a lot of backup addresses, which can resist being taken down by law enforcement and researchers.