Russian hackers are fighting with the West by using the Trojan Kelihos

As is apparent from the investigation lab Bitdefender, self-proclaimed Russian group hakerska released to the network, the malware under the guise of a program that, according to the makers is designed to silently attack Western countries government bodies Europe and the United States. Whereas in view of the current conflict in Ukraine, hackers have used the situation to implement your spam, which was to help achieve the goal was to spread a Trojan.






Messages were sent mainly to those who supported the Russian "right" and disagreed with the sanctions taken against their country. Users who clicked on a link to a malware became without the participation of the voluntary part of the botnet and helped in further distributing risk. The Trojan installs three harmless files used to monitor network traffic (WinPcap npf. sys, packet .dll, wpcap. dll) that are capable of extracting sensitive information from browsers, network traffic, and other personal information.

According to the Russian-speaking technologists Bitdefendera in a message that includes a link to the malicious software could read:

We are a group of hackers from the Russian Federation, we are concerned about the incomprehensible for us sanctions that have been imposed by Western Governments in our country.

When you click the link, the victim will seize the executable file known as the Kelihos. The Trojan alluded from connectivity command and control through the exchange of encrypted messages using the HTTP protocol and it received further information. Depending on the type of load, the Kelihos is able to:

  • Communicate with other infected computers,
  • Steal wallets bitcoins
  • Send spam messages,
  • Stealing FTP credentials and electronic mail, as well as the access data to these accounts made to the browser,
  • Retrieve and perform other malicious software files on the infected system,
  • Traffic monitoring protocols FTP, POP3 and SMTP.

Bitdefendera laboratories after accurate analysis of one of the last waves of spam noted that all of the messages was the file extension eml and lead to links that ended on/setup.exe, and were associated with the 49 independent IP addresses. Thanks to a more detailed assessment also managed to determine that at least 40 percent of the infected servers is in Ukraine.

"Some of them may be specialised servers to distribute malware, and other infected computers, which have become part of a botnet Kelihosa." Comments working for the Bitdefendera in the section Virus Analysis Doina Cosovan. "The irony is that most of the infected IP addresses come from Ukraine. This could mean that the attack was measured largely in computers in the country, or even that they infect servers have been placed in this country. "

BitDefender finally confirms that blocks malicious waves of spam Trojan Kelihos, protecting its users from infecting their computers. To convince you of its authenticity of the greater number of users, Russian hackers added a touch of marketing "glitter" to his word. They found that their program works silently, with no more than 10 to 50 megabytes of links per day and does not burden the processor.

After you restart your computer, the program terminates, and if you want, you can run it again "in spam also appeared. "If necessary, disable the antivirus software at this time.

Of course, disabling security solutions is not a good idea. Instead, you should install them and update, just like other programs of the operating system, because malware programs frequently use the vulnerabilities found in the software niezaktualizowanym.


Also known as the Hlux botnet, Kelihos was discovered four years ago. It is most often used to steal bitcoins and spamming. It has the structure of a peer-to-peer network, where each node can act as a command and control servers for the entire botnet, by increasing its durability.


In January 2012 was discovered a new version of the botnet, which resulted in that Microsoft brought the matter to the Court with the announcement on Russian citizen who was an alleged botnet source code developer Kelihos.


This article is based on the spam samples courtesy of scientist section spam Bitdefender Adriana Miron and the technical information provided by Bitdefender Security Analyst Diona Cosovan and Alexandru MAXIMCIUC.



Source: Bitdefender



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.