Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   

Spamhaus Botnet Threat Update: Q3-2021

2021-10-14 08:28:38 UTC   |   by Spamhaus Malware Team   |   Category:  botnet, trends, statistics
Recent News Articles

The return of the ASN-DROP

Qakbot - the takedown and the remediation

Poor sending practices trigger a tidal wave of informational listings

Spamhaus Botnet Threat Update: Q4-2021

SERVICE UPDATE | Spamhaus DNSBL users who query via Cloudflare DNS need to make changes to email set-up

Spamhaus Botnet Threat Update: Q3-2021

Spammer Abuse of Free Google Services

Spamhaus Botnet Threat Update: Q2-2021

Older News Articles:
Spamhaus News INDEX

Q3 has seen a massive 82% rise in the number of new botnet command and controllers (C&Cs) identified by our research team. They have observed an explosion in the use of backdoor malware with nefarious operators hiding behind FastFlux. In turn, this has caused several new countries and service providers to be listed in our Top 20 charts. Welcome to the Spamhaus Botnet Threat Update Q3 2021.

FastFlux emerging again

What is FastFlux?

FastFlux is a technique used by phishers, malware authors, and botnet operators to hide the actual location of their infrastructure behind a network of compromised hosts that are acting as a proxy, forwarding the malicious traffic to the real backend.

After analyzing this quarter’s statistics, it is evident that FastFlux is once again rising in popularity. Here’s a quick FastFlux refresher, including a deeper dive into how cybercriminals use it to make their infrastructure resilient against takedowns.

What makes FastFl to cybercriminals?

All FastFlux networks that are currently in business can be rented as a service on the dark web. This makes life easy for botnet operators. All they have to do is register domains required for the botnet C&Cs and point them to the FastFlux operator’s service. FastFlux takes care of the rest, ensuring that the A records rapidly change.

Here’s an example of a FluBot botnet C&C domain hosted on a FastFlux botnet:

; IN A

Domain TTL RecordType IP Address 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A

As you can see, the botnet C&C domain uses ten concurrent A records with a time to live (TTL) of only 150 seconds. Monitoring these A records reveals that the underlying FastFlux botnet consists of 100 to 150 active FastFlux nodes per day.

Generally, these nodes are compromised devices, commonly Customer Premise Equipment (CPE), insecurely configured (e.g., running vulnerable software or using standard login credentials), and accessible directly from the internet.

These kinds of devices are a soft target for cybercriminals. They simply need to conduct internet-wide scans to discover these vulnerable devices and compromise them. This whole process can all be automated, making it quick, easy, and effective.

Operators of FastFlux botnets choose the geolocation of their target devices they use for FastFlux hosting carefully. As you will notice when reading through this report, many FastFlux C&C nodes are hosted in places that are relatively well “digitized,” i.e., have good internet connections but are not as advanced along the maturity curve in terms of cybersecurity.

Latin America is commonly a target, e.g., Brazil, Chile, Argentina, Uruguay, and Asian countries such as Korea. The newcomers to the geolocation statistics in this update reflect this.

Number of botnet C&Cs observed, Q3 2021

In Q3 2021, Spamhaus Malware Labs identified 2,656 botnet C&Cs compared to 1,462 in Q2 2021. This was an 82% increase quarter on quarter! The monthly average increased from 487 per month in Q2 to 885 botnet C&Cs per month in Q3.

Geolocation of botnet C&Cs, Q3 2021

Given FastFlux’s influence over the past quarter, it isn’t surprising that there’s a clear pattern to the newcomers entering the chart for Q3 2021. Many of the countries joining the charts were responsible for hosting a large percentage of TeamBot, and FluBot botnet C&C servers - utilizing Fastflux - and fit the profile of countries with extensive internet coverage but less security-focused.

Significant increases in Russia

The number of botnet C&Cs located in Russia has dramatically risen. This is the second increase quarter on quarter that Russia has experienced:

  • Q1 to Q2 – 19% increase
  • Q2 to Q3 – 64% increase
Therefore, it comes as no surprise that in Q3 Russia overtook the United States for the #1 spot.

Continued increases across Europe

The trend that started in Q2 continued in Q3. Once again, there was an uptick in the number of botnet C&C servers hosted in various European countries, including the Netherlands (+63%), Germany (+45%), France (+34%), and Switzerland (+34%).


Malware associated with botnet C&Cs, Q3 2021

Here are the top malware families associated with newly observed botnet C&Cs in Q3, 2021 *.

TeamBot and FluBot emerging

Have you ever heard of TeamBot? Probably not. While it is neither a new nor severe threat, TeamBot sits at the top of the charts with FluBot, both backdoors.

Our threat hunters believe that TeamBot and FluBot are using the same FastFlux infrastructure, rotating the same botnet C&C IP addresses every few minutes, hence the shared listing below.

This quarter, there was an explosion in backdoor malware, making it the most prevalent type of malware associated with botnet C&Cs in Q3 2021.

RedLine wins, Raccoon loses

In 2021, we’ve been observing a battle for pole position between RedLine and Raccoon, both credential stealers, available for sale on the dark web. While we saw a huge increase (571%) of Raccoon botnet C&C servers in Q2 2021, RedLine malware experienced a 71% increase in Q3 2021, displacing Raccoon from its top spot.

IcedID disappears

IcedID has been relatively inactivate this year, making a brief appearance at #18 in Q2 before disappearing again this quarter. The reason behind this is unknown. However, our researchers don’t believe its silence will continue indefinitely. IcedID is one of the Trojans available to ransomware groups for purchase on the dark web.
These Trojans sell access to corporate networks - a very lucrative business.


Malware type comparisons between Q2 and Q3 2021

Most abused top-level domains, Q3 2021

No changes at the top of the chart

In Q3, .com and .xyz continued to stay at the top of our ranking. The situation deteriorated for these two TLDs, particularly .com, which experienced a 90% increase. We hope that VeriSign, the owner of this TLD, will take all necessary steps to improve this situation and increase their TLD’s reputation.

Three new TLDs

Two new gTLDs and one ccTLD joined our Top 20: .club, .co and .monster. All have seen a significant increase in the number of new botnet C&C domains registered through their service.

Most abused domain registrars, Q3 2021

We observed significant increases across most of the domain registrars listed in our Top 20. China is home to the largest percentage of domain registrars, followed by Canada and the United States. While Canada’s and India’s percentage share has dropped, many other listed countries have increased this quarter. *

In Q2 you saw Arsys, now you don’t

A nod of approval to Arsys, who was a new entry at #5 in Q2. They appear to have taken positive steps to ensure their TLD remains as clean as possible and dropped off the Top 20 in Q3, along with HiChina, 1API,, and Excellent work to all these registrars.

Reseller issues

In Q3, we saw the biggest increases in newly registered botnet C&C domains at CentralNic (+488%), Tucows (+266%), RegRU (+252%), (+168%), and Network Solutions (+163%).

The vast majority of fraudulent domain name registrations originate from poor resellers who have inappropriate or non-existent customer vetting in place.

Registrars can struggle to penalize these dirty resellers for many reasons, including poorly written Terms of Services (ToS). However, other matters can also come into play, such as a vested financial interest or a fundamental lack of motivation to take responsibility for these issues.

We hope that these registrars will improve their reputation quickly by implementing stricter measures on their resellers to ensure they strive to fight against the registration of fraudulent domain names.


Location of Most Abused Domain Registrars

Networks hosting the most newly observed botnet C&Cs, Q2 2021

As usual, there were many changes in the networks hosting newly observed botnet C&Cs. Notably, there was an influx of networks hosting FastFlux botnet C&Cs, used by cybercriminals to host backdoor malware.

Does this list reflect ho dealt with at networks?

While this Top 20 listing illustrates that there may be an issue with customer vetting processes, it doesn’t reflect on the speed abuse desks deal with reported issues. See “Networks hosting the most active botnet C&Cs” to view networks where abuse isn’t dealt with in a timely manner.

We have seen a 69% increase in the number of new botnet C&C servers installed at the Dutch hosting provider Our researchers believe that this increase is predominantly due to their downstream customer, which tends to attract botnet operators.

Making positive changes

In last quarter’s update, we reported that a botnet hosting operation had moved from Amazon to DigitalOcean, causing the latter’s listings to rocket. We want to congratulate DigitalOcean for dropping off our Top 20 list in Q3 2021, along with other networks, including Google, who were at #2, HostSailor, Microsoft, M247, and Off Shore Racks.

Networks hosting the most active botnet C&Cs, Q3 2021

Finally, let’s take a look at the networks that hosted a large number of active botnet C&Cs in Q3 2021. Hosting providers who appear in this ranking either have an abuse problem or do not take the appropriate action when receiving abuse reports.

An increase in botnet C&C abuse

Sadly, the situation in terms of active botnet C&C servers deteriorated for many ISPs who were on our Top 20 in Q2. (FR), (US), (VN), and openvpn (SE) all have one thing in common: Instead of taking appropriate measures against the abuse on their infrastructure, the number of active botnet C&C servers increased in these networks. &

These two ISPs are new to our Top 20 this quarter and have taken #1 and #2 spots due to the vast number of FastFlux bots hosted on their networks.

In fact, the majority of the newcomers to this chart are due to hosting FastFlux bots on their networks and not responding quickly to abuse reports. All these companies are providing a resilient botnet C&C infrastructure for botnet operators.

That’s all for now. Stay safe and see you in January!

Updated 18 Oct 2021:

  1. CobaltStrike was reported as being a Remote Access Tool when this report was originally published. We have updated to reflect it is Threat Emulation Software. ↩︎
  2. Two registrars (NameSilo & Tucows) were reported as being US-based providers when this report was originally published. We have updated the text and data to reflect they are based in Canada. ↩︎

Download the Spamhaus Botnet Report 2021 Q3 as PDF

Spamhaus Information

Press Office
Spamhaus News Index
Spamhaus in the media
About Spamhaus
Spamhaus Official Statements
Article Information

Permanent link to this news article:
Spamhaus Botnet Threat Update: Q3-2021

Subscribe to RSS News Feed
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2023 The Spamhaus Project SLU. All rights reserved.
Legal  |  Privacy