Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   

Spamhaus Botnet Threat Update: Q1-2020

2020-04-21 11:59:46 UTC   |   by Spamhaus Malware Labs   |   Category:  bulletproof hosting, malware, botnet, dns
Recent News Articles

Spamhaus Blocklist (SBL) listings are moving

The conundrum that is the modern use of NAT at a carrier grade level

QNAME Minimization and Spamhaus DNSBLs

The beta nature of the Threat Intel Community Portal

Want to submit data? Be our guest!

The return of the ASN-DROP

Qakbot - the takedown and the remediation

Poor sending practices trigger a tidal wave of informational listings

Older News Articles:
Spamhaus News INDEX

In the past quarter, the number of botnet Command & Controllers (C&Cs) associated with fraudulent sign-ups, reduced by 57%. Good news, we hope. However, a new malware has burst onto the scene and is making the most of one particular cloud operator’s infrastructure. Last but not least, it’s all changed (again) when it comes to the country that hosted more botnet C&Cs than any other.

Welcome to the Spamhaus Botnet Threat Update Q1 2020.

Spotlight: Raccoon Stealer

At the end of 2019, a newcomer joined the cyber threat landscape: Raccoon Stealer. This piece of malware is usually delivered to the end-user through spam campaigns, dropper, or exploit kits by malware that is already present on the victim’s machine.

Raccoon Stealer is a credential and information stealer that runs on MS Windows. However, it is also being used by threat actors to install additional malware. What makes Raccoon Stealer rather unique is where its botnet C&Cs are hosted: on the Google Cloud.

We discovered the first instance of Raccoon Stealer on November 19, 2019. Since then, we have identified several dozen new Raccoon Stealer C&Cs – all of them hosted on the Google Cloud. But why would a threat actor use Google to host their botnet infrastructure? To answer this question, let’s have a look at Spamhaus’ “World’s worst spam support ISPs”.

In Q1 2020, Spamhaus listed Google as the second-worst Internet Service Provider (ISP), in regards to spam support. The reason for this poor ranking is simple: Google takes a long time to handle abuse reports regarding spammer or phishing sites. In addition to this, it also takes a long time to handle abuse reports relating to botnet C&Cs hosted on their Cloud (Google Compute Engine).

At the time of publishing this update, many abuse reports remain unanswered. This provides a perfect environment for the bad actors abusing Google’s infrastructure to host malicious and harmful content, which is something the operator of Raccoon Stealer quickly noticed. Why bother looking for a shady and expensive bulletproof hosting provider when you can host your botnet infrastructure reliably and at minimal cost at Google?

Large Cloud operators can dramatically reduce the amount of badness on the internet by monitoring infrastructure for abuse, and where it’s reported taking rapid action to remediate. Earlier this year, we highlighted the efforts of Amazon Webs Services (AWS), who blocked port 25 outbound, resulting in a huge reduction of spam. Where a concerted effort is made, positive outcomes follow.

Number of botnet C&Cs observed, Q1 2020

What is a ‘fraudulent sign-up’?

This is where a miscreant is using a fake, or stolen identity to sign-up for a service, usually a Virtual Private Server (VPS) or a dedicated server, for the sole purpose of using it for hosting a botnet C&C.

In the first quarter of 2020, Spamhaus Malware Labs identified a total number of 2,738 new botnet Command & Controllers (C&Cs). Out of these, 2,014 (average 671 per month) were under the direct control of miscreants i.e. as a result of a fraudulent sign-up. That’s a decrease of 57% compared to Q4 2019. This is welcome news for internet users, following the significant increases throughout 2019.

The reason for this decrease is currently unproven. Having said that, we believe it could be partially related to a VPN provider who refuses to take action on abuse reports and is failing to shut down traffic from existing botnet C&Cs. If botnet C&Cs, which have been detected and reported, are allowed to continue to operate, there is no reason why miscreants should spin up new ones.

The drop in the number of newly registered botnet C&Cs we observed and blocked started to fall in December 2019, as the following chart indicates:

Geolocation of botnet C&Cs in Q1 2020

USA is back on top: In Q4 2019, Russia took the top spot from the United States (US). However, in Q1 2020, the US has returned to the #1 spot, accounting for approximately 35% of botnet C&C traffic.

Departures: Lithuania, Serbia, Cyprus, Greece and India.

New entries: Sweden (#13), Hong Kong (#14), Turkey (#17), Malaysia (#19) and Vietnam (#20).

Malware associated with botnet C&Cs, Q1 2020


Emotet is a former e-banking Trojan that targeted e-banking customers globally. In 2018 Emotet ceased its e-banking fraud activities and started to offer infected computers on a ‘Pay-Per-Install’ model. Throughout 2019 Emotet became one of the most dangerous botnets and is still considered so in 2020.

Credential Stealers & RATs: A vast majority of newly detected botnet C&Cs in Q1 2020 were either associated with Remote Access Tools (RATs) or credential stealers. There were only a few exceptions in our top 20 list: Gozi (e-banking Trojan), TrickBot and Emotet (both Droppers/Backdoors).

Lokibot: In Q4 2019, Lokibot’s activity reduced; nonetheless, we saw a 33% increase in newly observed Lokibot C&Cs, from 403 in Q4 2019, to 535 in Q1 2020. Lokibot has held the #1 position on our Top Twenty list for over two years now!

AZORult: While we have seen a decrease in botnet activity associated with AZORult, it remained the second largest threat in Q1 2020.

NanoCore and Remcos: These two malware families appear to be fighting for dominance in the RAT market. While Remcos has never recorded more newly detected botnet C&Cs than NanoCore, the margin separating these two RATs is becoming smaller.

Most abused top-level domains, Q1 2020

.la: The most significant change in this Top Twenty list is the appearance of country code top-level domain (ccTLD) .la (Laos). Not only did .la make its way onto the chart, but it also entered at #2!

.com: Throughout 2019, we reported that the vast majority of botnet C&C domains were registered in the generic top-level-domain (gTLD) .com. This trend continued in Q1 2020 with .com accounting for approximately 45% of the top-level botnet C&C domains.

.pw & .xyz: These two TLDs have appeared in the Top Twenty for over a year, although there was a significant increase in the number of botnet C&C domain registrations associated with these TLDs in Q1 2020, placing them at #3 & #4 respectively.

Most abused domain registrars, Q1 2020

Poor processes leave operators open to abuse

To register a domain name, a botnet operator must choose a domain registrar. These registrars play a crucial role in fighting abuse: they not only vet the domain registrants, but also can suspend domain names. Unfortunately, many domain registrars' customer vetting processes are poor, leaving their service open to abuse.

Namecheap: The USA based domain registrar ‘Namecheap’ continued to be the favorite place for malware authors to register their botnet C&C domains.

Key Systems: German based ‘Key Systems’ became the domain registrar with the second largest number of newly registered botnet C&C domains in Q1 2020.

This registrar only appeared on the Top Twenty List in Q3 2019, illustrating how quickly miscreants take advantage of weak vetting processes.

Hosting Concepts: Last year, this Dutch domain registrar was responsible for a large number of botnet C&C domain registrations, particularly relating to bulletproof hosting. We are pleased to see that it appears Hosting Concepts is improving its registration processes, dropping from #3 in Q4 2020 to #7 in Q1 2020.

Internet Service Providers (ISPs) hosting botnet C&Cs, Q1 2020


While Cloudflare does not directly host any content, it provides services to botnet operators, masking the actual location of the botnet controller and protecting it from DDoS attacks.

Compared to Q4 2019, there was little change in the hosting provider landscape. The usual suspects were still present in Top Twenty, including Cloudflare (US), Google (US), OVH (FR) and Hetzner (DE). It would appear that these big players in the Cloud hosting market did little to improve the situation.

Cloudflare: We continue to see, a US-based content delivery network (CDN) provider, being one of the preferred options by cybercriminals to host botnet C&C servers. This trend has been evident since 2018.

In Q4 2019, Alibaba knocked Cloudflare off the #1 spot, but Cloudflare is back as the leader in Q1 2020, with more than 300 botnet C&Cs on their network. Disappointingly, we have still not seen any visible attempts from Cloudflare to battle the ongoing abuse on their network regarding botnet hosting and other hostile infrastructure.

You can download the 2020 Q1 Botnet Threat Report as PDF. We look forward to seeing you in July when we’ll be providing you with Quarter 2’s update.

Spamhaus Information

Press Office
Spamhaus News Index
Spamhaus in the media
About Spamhaus
Spamhaus Official Statements
Article Information

Permanent link to this news article:
Spamhaus Botnet Threat Update: Q1-2020

Subscribe to RSS News Feed
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2024 The Spamhaus Project SLU. All rights reserved.
Legal  |  Privacy