Spamhaus Botnet Threat Update: Q1-2021

After a quiet(ish) finish to 2020 in Spamhaus’ botnet world, the primary quarter of this yr kicked off in type. The main information surrounded the takedown of the Emotet botnet in January.

Nonetheless, as one malware departs, others arrive on the scene, as proved by the 24% improve within the whole variety of botnet C&Cs Spamhaus researchers noticed.
Welcome to the Spamhaus Botnet Threat Update Q1 2021.

Emotet is gone, however different threats are rising

In January 2021, a world coalition together with authorities from varied international locations undertook a global action against the notorious Emotet botnet. Law enforcement companies shut down infrastructure operated by the Emotet gang, sending Emotet botnet visitors to a sinkhole.

The operation seems to have been a hit, because the botnet has remained inactive for over two months. However, Spamhaus Malware Lab consultants deem that it’s extremely doubtless that Emotet will come again into circulation.

Over the previous few years, Emotet has flourished, incomes itself the label of being one of the crucial harmful on-line threats. Miscreants used it to achieve an preliminary foothold in company networks, permitting them to maneuver laterally throughout the victims’ community, which in lots of instances led to encryption with ransomware.

Sadly, there’s no relaxation within the botnet world; no sooner is one botnet extinguished than it’s changed. Rapidly, different botnet operators have rushed to fill the void that Emotet has left.

Miscreants working botnets like IcedID, Dridex, Quakbot, and TrickBot despatched out giant volumes of spam emails containing malicious paperwork this quarter. For most of those threats, the modus operandi is much like that of Emotet’s, i.e., achieve a foothold in company networks and encrypt them with ransomware.

Number of botnet C&Cs noticed, Q1 2021

First of all, let’s take a look at the variety of newly noticed botnet Command & Control servers (C&Cs) in Q1 2021. In whole, Spamhaus Malware Labs has recognized 1,660 new botnet C&Cs in comparison with 1,337 in This autumn, 2020.

This is a 24% improve, with a mean of 553 botnet C&Cs per 30 days.

Number of recent botnet C&Cs detected by Spamhaus since late 2020:

Geolocation of botnet C&Cs, Q1 2021

In some international locations, we’ve got seen a rise of newly noticed botnet C&Cs whereas different international locations have dropped out of our Top 20.

The United States holds onto #1 Despite a small 3% drop within the variety of newly noticed botnet C&Cs, the United States stays prime of the chief board.

Increases throughout Europe The Netherlands has overtaken Russia and finds itself in second place, with a complete of 207 botnets, a 27% improve on This autumn, 2020. Additional European international locations have skilled will increase in new botnet infrastructures, together with Germany (+77%), France (+82%), Switzerland (+23%), and United Kingdom (+9%).

Top 20 places of botnet C&Cs

Malware related to botnet C&Cs, Q1 2021

Emotet: In Q1 2021, Emotet jumped to the highest of this Top 20. This comes as no shock, given our efforts in serving to Law Enforcement companies take down Emotet botnet infrastructure in January 2021.

Raccoon: Raccoon is a credential stealer that’s new on the town. In Q1 2021, we recognized 45 botnet C&Cs related to this new malware.

FickerStealer: Another credential stealer that has been noticed for the primary time in Q1 2021 is FickerStealer, with 25 new related botnet C&Cs.

QNodeService:We first noticed this malware in 2020. However, it seems that QNodeService’s exercise utterly dropped away initially of this yr. To date, we’ve got not noticed a single C&C related to it.

Malware households related to botnet C&Cs

Most abused top-level domains, Q1 2021

For Q1 2021, the gTLD .com stays on the prime of our rankings. A big majority of botnet C&C domains that Spamhaus Malware Labs recognized have been hosted on this TLD. However, we’ve got seen many different listed TLDs enhance their status with reductions throughout the board.

.de: The ccTLD of Germany has as soon as once more entered the Top 20 at #19. Not good! Is this on account of a weak anti-abuse coverage at DENIC?

.prime & .xyz: These two gTLDs have an extended historical past of abuse, and it’s not stunning that they proceed to be within the Top 5, notably when .prime had a 90% improve within the variety of botnet C&Cs it hosted in Q1 2021.

Most abused TLDs – variety of domains

Most abused area registrars, Q1 2021

Namecheap (once more!) After years of being #1 on this Top 20, Namecheap (US) continues to be the popular area registrar for miscreants registering botnet C&C domains.

When will this modification? We don’t know. But given the lengthy historical past of abuse at Namecheap, we don’t count on it to be any time quickly!

Eranet International & RegRU With an enormous 249% improve, Eranet International (China) knocked NameSilo (United States) off its
#2 spot. However, probably the most important improve within the variety of botnet C&C area registrations belongs to RegRU (Russia), with a whopping 341% improve.

Most abused area registrars – variety of domains

Networks internet hosting probably the most newly noticed botnet C&Cs, Q1 2021

For this quarter, we’ve got seen an East/West break up, with a discount within the variety of botnet C&Cs hosted at suppliers from the East, solely to be swiftly changed by cloud service suppliers within the West.

Russian Virtual Private Server (VPS) suppliers Various corporations like and dropped out of the Top 20 this quarter. This may be very constructive information, notably relating to, who’ve been current within the Top 20 checklist for a very long time.

Western VPS suppliers Various suppliers situated within the West have entered the Top 20 chart in Q1 2021 together with,,,, and combahton.web.

The worst and probably the most improved The most abused community is, a VPN supplier working out of Germany. Conversely, has diminished the variety of newly noticed botnet C&Cs on its community by 44% over the previous quarter. A constructive step ahead!

Newly noticed botnet C&Cs per community

Networks internet hosting probably the most lively botnet C&Cs, Q1 2021

Last however not least, let’s take a look on the networks that constantly hosted numerous lively botnet C&Cs. Sadly, Microsoft heads up this Top 20, with 48 lively botnet C&Cs, adopted by Google with 43 lively botnet C&Cs.

Networks showing on this itemizing are inclined to have poor community hygiene and fail to behave on abuse complaints – the absence of change between the previous quarters signifies this reality. The botnets stay lively for months!

Total variety of lively botnet C&Cs per community

Given the occasions relating to Emotet in Q1 2021, will probably be very fascinating to see what the following quarter will convey.

See you subsequent quarter. In the meantime, keep secure.

Download the Spamhaus Botnet Report 2021 Q1 as PDF

Related Posts