The operators of the Glupteba botnet resurfaced in June 2022 as a part of a renewed and “upscaled” marketing campaign, months after Google disrupted the malicious exercise.
The continued assault is suggestive of the malware’s resilience within the face of takedowns, cybersecurity firm Nozomi Networks mentioned in a write-up. “As well as, there was a tenfold enhance in TOR hidden companies getting used as C2 servers because the 2021 marketing campaign,” it famous.
The malware, which is distributed by way of fraudulent advertisements or software program cracks, can also be outfitted to retrieve extra payloads that allow it to steal credentials, mine cryptocurrencies, and develop its attain by exploiting vulnerabilities in IoT gadgets from MikroTik and Netgear.
It is also an occasion of an uncommon malware that leverages blockchain as a mechanism for command-and-control (C2) since not less than 2019, rendering its infrastructure immune to takedown efforts as within the case of a standard server.

Particularly, the botnet is designed to go looking the general public Bitcoin blockchain for transactions associated to pockets addresses owned by the risk actor in order to fetch the encrypted C2 server deal with.
“That is made attainable by the OP_RETURN opcode that permits storage of as much as 80 bytes of arbitrary information inside the signature script,” the commercial and IoT safety agency defined, including the mechanism additionally makes Glupteba arduous to dismantle as “there isn’t any approach to erase nor censor a validated Bitcoin transaction.”
The strategy additionally makes it handy to exchange a C2 server ought to or not it’s taken down, as all that’s wanted for the operators is to publish a brand new transaction from the actor-controlled Bitcoin pockets deal with with the encoded up to date server.

In December 2021, Google managed to trigger a big dent to its operations, alongside submitting a lawsuit towards two Russian nationals who oversaw the botnet. Final month, a U.S. courtroom dominated in favor of the tech large.
“Whereas Glupteba operators have resumed exercise on some non-Google platforms and IoT gadgets, shining a authorized highlight on the group makes it much less interesting for different legal operations to work with them,” the web behemoth identified in November.
Nozomi Networks, which examined over 1,500 Glupteba samples uploaded to VirusTotal, mentioned it was capable of extract 15 pockets addresses that had been put to make use of by the risk actors courting all the way in which again to June 19, 2019.
The continued marketing campaign that commenced in June 2022 can also be maybe the most important wave up to now few years, what with the variety of rogue bitcoin addresses leaping to 17, up from 4 in 2021.
A kind of addresses, which was first lively on June 1, 2022, has transacted 11 occasions so far and is utilized in as many as 1,197 artifacts, making it probably the most extensively used pockets deal with. The final transaction was recorded on November 8, 2022.
“Risk actors are more and more leveraging blockchain know-how to launch cyberattacks,” the researchers mentioned. “By profiting from the distributed and decentralized nature of blockchain, malicious actors can exploit its anonymity for quite a lot of assaults, starting from malware propagation to ransomware distribution.”