Glupteba malware is back in action after Google disruption (Security News, December 2022)
The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.
Nozomi now reports that blockchain transactions, TLS certificate registrations, and reverse-engineered Glupteba samples all point to a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing.
Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices.
Glupteba uses the Bitcoin blockchain to resist takedowns: infected hosts read updated lists of command-and-control servers from it and then contact those servers for commands to execute.
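Reading the data a botnet's transactions carry is the blockchain side of the hunt the article describes. The following is an added example, not code from the article or from Nozomi: a parser for the Bitcoin transaction wire format that returns the bytes pushed by each OP_RETURN output, with a sample transaction constructed inline. It assumes the C2 list rides in OP_RETURN outputs (as prior public Glupteba analyses describe); the bytes it returns are the malware's encrypted payload, not a readable domain list, so decoding them needs keys recovered from a sample.

```python
import struct

def _varint(buf, pos):  # Bitcoin CompactSize integer -> (value, next position)
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def _push_data(script):  # data pushed after OP_RETURN (0x6a), or None if not such a script
    if len(script) < 2 or script[0] != 0x6A:
        return None
    op, pos = script[1], 2
    if 1 <= op <= 75:                      # direct push of 1..75 bytes
        length = op
    elif op in (0x4C, 0x4D, 0x4E):         # OP_PUSHDATA1/2/4: explicit little-endian length
        width = {0x4C: 1, 0x4D: 2, 0x4E: 4}[op]
        length, pos = int.from_bytes(script[pos:pos + width], "little"), pos + width
    else:
        return None
    data = script[pos:pos + length]
    return data if len(data) == length else None  # truncated push -> malformed

def op_return_payloads(raw_tx: bytes) -> list:
    """Walk a serialized transaction and return the data of every OP_RETURN output."""
    pos = 4                                # 4-byte version
    if raw_tx[pos:pos + 2] == b"\x00\x01":
        pos += 2                           # segwit marker+flag; witnesses come after outputs
    n_in, pos = _varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 36                          # previous txid + output index
        slen, pos = _varint(raw_tx, pos)
        pos += slen + 4                    # scriptSig + sequence
    n_out, pos = _varint(raw_tx, pos)
    found = []
    for _ in range(n_out):
        pos += 8                           # value in satoshis
        slen, pos = _varint(raw_tx, pos)
        data = _push_data(raw_tx[pos:pos + slen])
        pos += slen
        if data is not None:
            found.append(data)
    return found

def build_sample_tx(payload: bytes) -> bytes:
    """Constructed test input: one input, one P2PKH output, one OP_RETURN output."""
    tx = struct.pack("<I", 1) + b"\x01" + b"\x11" * 32 + struct.pack("<I", 0)
    tx += b"\x00" + b"\xff\xff\xff\xff" + b"\x02"    # empty scriptSig, sequence, 2 outputs
    tx += struct.pack("<Q", 5000) + b"\x19\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
    tx += struct.pack("<Q", 0) + bytes([len(payload) + 2, 0x6A, len(payload)]) + payload
    return tx + b"\x00\x00\x00\x00"                 # locktime
```

Feed `op_return_payloads` the raw hex of each transaction spent from a known address (decoded to bytes) and compare the recovered blobs across campaigns; the same parser also surfaces OP_RETURN data in unrelated transactions, so address attribution has to come first.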
Finally, Nozomi used passive DNS records to hunt for Glupteba domains and hosts and examined the latest set of TLS certificates used by the malware to uncover more information about its infrastructure.
The Nozomi investigation identified 15 Bitcoin addresses used in four Glupteba campaigns, with the most recent one starting in June 2022, six months after Google's disruption.