When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Microsoft names and shames a perpetrator behind ZLoader botnet to deter others

Neowin · with 1 comment

A person sitting in front of multiple computer screens and servers in an unclean environment

Microsoft has announced today that it has disrupted a major criminal botnet called ZLoader. Our readers may remember that this is also one of the botnets using XLM macros as an attack surface. Microsoft's latest actions include technical and legal activities to damage the operations of the criminal group leveraging ZLoader as malware-as-a-service.

More interestingly, the Redmond tech giant has also explicitly named and shamed one of the criminals who developed a component that is used by ZLoader to distribute ransomware. The person in question is Denis Malikov of Simferopol on the Crimean Peninsula. This identity was revealed during Microsoft's investigation and the company believes that publicly disclosing it will send a clear message to other criminals that they can't hide behind masks of digital anonymity.

Microsoft has also procured a court order to take control of 65 domains that the criminal gang is using to grow its botnet. The botnet usually consists of infected PCs belonging to hospitals, schools, homes, and businesses globally. The tech firm says:

The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s criminal operators. Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains.

Microsoft's General Manager for the Digital Crimes Unit (DCU) Amy Hogan-Burney says that ZLoader's original goal was financial and credential theft. However, now it also sells malware-as-a-service to distribute ransomware such as Ryuk, which targets healthcare institutions.

DCU has praised the support of several other companies and groups including ESET, Black Lotus Labs, Palo Alto Networks Unit 42, Avast, Microsoft Defender, and Microsoft Threat Intelligence Center in this endeavor.

Microsoft has noted that this is a major disruption but it expects the criminal gang to try and revive the botnet again. However, it will be closely targeting its activities and it hopes that it latest technical and legal actions will deter people involved in this gang.

Report a problem with article
Proton Calendar screenshots
Next Article

Proton Calendar is now available on Android devices with encrypted events

Gru meme where he says he will buy an NFT for 29 million and sell it for 50 million but is surprised
Previous Article

Nobody wants to pay more than $7,000 for NFT of Jack Dorsey's tweet which first sold for $2.9M

Join the conversation!

Login or Sign Up to read and post a comment.

1 Comment - Add comment