Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Security experts shut down the dreaded Linux Mumblehard botnet

Researchers and law enforcement in a joint effort shut down the Mumblehard botnet composed of more than 4000 Linux machines. Security experts have shut down a spam botnet, known as Mumblehard, composed of more than 4,00o Linux machines. In May 2015, researchers from ESET revealed the sophisticated Mumblehard spamming malware infected thousands of Linux and FreeBSD servers going […]

Security experts shut down the dreaded Linux Mumblehard botnet

Researchers and law enforcement in a joint effort shut down the Mumblehard botnet composed of more than 4000 Linux machines.

Security experts have shut down a spam botnet, known as Mumblehard, composed of more than 4,00o Linux machines.

In May 2015, researchers from ESET revealed the sophisticated Mumblehard spamming malware infected thousands of Linux and FreeBSD servers going under the radar for at least five years.

The infected machines were part of a botnet used, in the preceding five years, to run spam campaign, a version of the Mumblehard malware was uploaded for the first time to the VirusTotal online malware checking service in 2009.

At that time, security experts at ESET have monitored the botnet during the previous 7 months by sinkholing one of its C&C servers and observing 8,867 unique IP addresses connected to it, with 3,000 of them joining in the past three weeks.

Mumblehard botnet linux bsd

Today the botnet was dismantled, the experts speculate that operators behind the Mumblehard botnet are highly skilled developers that designed a custom “packer” to conceal the Perl-based source code that made it run, a backdoor, and a mail daemon that was able to send large volumes of spam messages.

The experts that accessed the C&C infrastructure used for the Mumblehard botnet, discovered an interesting automatic delisting mechanism from Spamhaus’ Composite Blocking List (CBL)

“Another interesting aspect of the Mumblehard operation revealed by our access to the C&C server was the automatic delisting from Spamhaus’ Composite Blocking List (CBL).” reported a blog post published by ESET. “There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots. If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn’t work) was used to break the protection.”

Researchers from ESET worked with Cyber Police of Ukraine and CyS Centrum LLC to shut down the Mumblehard botnet, a complex operation conducted by ”

Estonian law enforcement and an industry partner to shut down the Mumblehard botnet, a complex operation conducted by “sinkholing” the control infrastructure.

In February the experts took control of the Internet address belonging to the command server, by analyzing the incoming traffic they were able to estimate that the malicious infrastructure was composed at least of 4,000 machines.

Mumblehard botnet linux

Despite the researchers shut down the botnet, they are still investigating how the attackers composed a so large infrastructure. The researchers initially suspected that attackers compromised websites running WordPress CMS, but further analysis excluded this hypothesis.

“We knew some of the victims had been compromised through an unpatched CMS such as WordPress or Joomla, or one of their plugins. Forensic analysis of the C&C server suggests that computers running the Mumblehard bot agents were not initially compromised from that specific server.” states the report.

“The scripts we found were only to be run where PHP shells had already been installed. Perhaps Mumblehard’s operators were buying access to these compromised machines from another criminal gang?”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Mumblehard botnet, malware)