News & Insights

On Tuesday 29th August 2023, the US DoJ and FBI, together with other global law enforcement partners, announced a disruption action against the Qakbot botnet. This involved the FBI deleting the Qakbot malware from infected victim computers under US court order. As part of their operation, the FBI acquired a copy of the threat actor’s database of historical Qakbot infections, which covered the period July 2019 to August 2023. This database contains a record of over 700,000 discrete Qakbot bot infections in 230 countries. Shadowserver is sharing elements of this dataset as a one-off Special Report, to allow historical Qakbot infections to be investigated and any secondary malware identified and remediated by system defenders.

On Tuesday 29th August 2023, the US Department of Justice (DoJ) and US Federal Bureau of Investigations (FBI) - along with law enforcement partners in France, Germany, the Netherlands, and the United Kingdom - announced a disruption action against the very long running Qakbot botnet. The outcomes from the coordinated law enforcement action included deleting the Qakbot malware from infected victim computers (to reduce the risk of further harm), taking down the Qakbot technical infrastructure and seizing $8.6M of alleged illicit cryptocurrency profits. The Shadowserver Foundation is happy to support our law enforcement partners in this major cybercrime disruption operation.

After many years of not having public interface for exploring our extensive cyber threat intelligence data sets, Shadowserver are very excited to make available our new public Dashboard, kindly funded by the UK FCDO. Use our Dashboard to dig into two years of aggregated country level data about many different type of threats, including some unique data sets and vantage points, then visualize the data in various ways that can be easily shared via URLs. Free to use (with attribution) for research, informing policy makers and by journalists/news media in educating the public about cyber security threats.

In May 2018, the US DoJ, FBI and industry partners sinkholed the modular network device infecting malware known as VPNFilter, which Shadowserver has been reporting out for remediation to nCSIRTs and network owners each day since. In February 2022 the UK NCSC, US FBI, CISA and NSA jointly announced the discovery of new network device malware, which they have called Cyclops Blink, and see as a more advanced replacement for VPNFilter. A new Shadowserver Cyclops Blink Special Report was issued to our free daily network report subscribers today, detailing IP addresses believed likely to be infected with the Cyclops Blink malware, and the associated C2 servers.

Private sector partners Microsoft and Bitsight announced their disruption of the Necurs botnet on March 10th 2020. Shadowserver supported the operation, through the use of our Registrar of Last Resort (RoLR) for helping to deal with the millions of potential DGA C2 domains involved, and by making available our victim remediation reporting channels. In this blog post we provide our take on some of the more interesting aspects of this operation, analyze the sinkholed Necurs victim populations and compared their observed demographics with data from the previous decade of spambot takedowns.

A joint operation by International Law Enforcement Agencies today arrested the alleged administrator of the DarkScandals child sexual exploitation website sites and protected victims by seizing the sites. The Shadowsever Foundation was happy to play a small role in the successful operation by providing technical support to our LE partners.

The Dridex botnet was sinkholed in October 2015 and the infected victims remediated via Shadowserver's free daily network reports. In December 2019, the US DoJ, FBI and UK NCA unsealed criminal charges against other actors alleged to be behind the Dridex botnet’s activities, via an organization self described as “Evil Corp”. This included a record US $5M FBI Most Wanted cyber criminal reward being offered.

The US DoJ, FBI and international LE partners announce multiple indictments against the alleged operators and customers of the Goznym malware, controlled via the Avalanche platform. Sinkhole data continues to be available from The Shadowserver Foundation, as part of ongoing sinkholing over over 20 Avalanche malware strains.

The huge Mirai Botnet #14 IoT botnet attacks were successfully stopped and sinkholed by the German BKA and The Shadowserver Foundation, and the actor behind them was identified, arrested and prosecuted in both Germany (with the BKA) and the UK (with the NCA). Sentencing details were made public in the UK today.

Year 3 of our ongoing Avalanche operations with international law enforcement continue to provide protection for over 2 million unique IP addresses per day against 20+ different strains of malware, including the Andromeda dropper from year two. This has required an unprecedented blocking/seizing of over 2.4 million malicious domain names to date. Sinkhole data continues to be available to subscribers via our free daily network reports.