Discovered in December 2010, Kelihos, also known as Hlux, infected Windows systems to form a peer-to-peer botnet of roughly 45,000 machines capable of sending approximately 4 billion spam emails per day. In September 2011, Microsoft targeted and dismantled Kelihos. A few months later, in January 2012, a second version of the botnet was discovered, dubbed Kelihos.b or Version 2, which consisted of about 110,000 infected systems. In addition to sending spam, this version added the capability to steal Bitcoin wallets and mine Bitcoin. It was dismantled in March 2012 when a group of private companies sinkholed it. A third version, Kelihos.c, appeared in April 2012 and spread primarily through malicious links shared on Facebook. Once a user clicked the link, the Fifesoc Trojan downloaded and installed on the user's system, adding it to the Kelihos botnet.

Most recently, in November 2016, Kelihos was discovered spreading the Troldesh/Shade ransomware variant through spam emails containing a malicious link. When clicked, the link downloaded a ZIP archive containing a malicious JavaScript file or Word document, which then installed the ransomware. Kelihos has also been used to distribute other ransomware variants such as Wildfire/Hades Locker, CryptFile2, and MarsJoke, as well as the banking Trojans Panda, Zeus, Nymaim, and Kronos. It has also been used to send money mule spam to American recipients and dating spam to Polish recipients.
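The delivery chain above (spam link, ZIP archive, script or Word document inside) is the part of this campaign a mail gateway or triage script can check for. The following is an added example written for this page, not code from any of the sources cited, showing a minimal in-memory ZIP triage: it opens the archive without extracting it, flags members whose final extension is a Windows script type or an Office document, and calls out the double-extension lure pattern (such as `invoice.pdf.js`). The page only names JavaScript and Word documents; the other script extensions in `SCRIPT_EXTENSIONS` and the sample archives built by `build_zip` are assumptions added here for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# The page reports zipped JavaScript (.js) and Word documents. The remaining
# script extensions are an assumption added here: other script types that
# Windows will execute on double-click, which the same check should catch.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
OFFICE_EXTENSIONS = {".doc", ".docm", ".docx", ".rtf"}


def classify_member(name: str) -> Optional[str]:
    """Return a verdict string for one archive member name, or None if benign."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in SCRIPT_EXTENSIONS:
        # "invoice.pdf.js" style names hide the real type behind a decoy extension.
        if len(suffixes) > 1:
            return f"script with double extension: {name}"
        return f"script file: {name}"
    if last in OFFICE_EXTENSIONS:
        return f"office document (check for macros): {name}"
    return None


def triage_zip(data: bytes) -> Dict[str, object]:
    """Inspect a ZIP payload held in memory; nothing is written to disk."""
    result: Dict[str, object] = {"valid_zip": False, "members": [], "findings": []}
    members: List[str] = result["members"]  # type: ignore[assignment]
    findings: List[str] = result["findings"]  # type: ignore[assignment]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["valid_zip"] = True
            for info in zf.infolist():
                if info.is_dir():
                    continue
                members.append(info.filename)
                verdict = classify_member(info.filename)
                if verdict:
                    findings.append(verdict)
    except zipfile.BadZipFile:
        # Truncated or disguised downloads are worth flagging on their own.
        findings.append("not a valid ZIP archive")
    return result


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build a ZIP archive in memory from {name: content} (used for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (assumption: not real Kelihos payloads).
LURE_ZIP = build_zip({"invoice_2016-11.pdf.js": b"var sh = new ActiveXObject('WScript.Shell');"})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 sample"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP), ("junk", b"not a zip")):
        print(label, triage_zip(blob))
```

Only the member names are inspected, so this is a triage filter rather than a detector: a `.docm` hit should be handed to a macro analyser, and a `.js` hit is already enough to quarantine the message in most environments.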

Reporting and Technical Details

  • March 2012: FAQ: Disabling the new Hlux/Kelihos Botnet (Kaspersky Lab)
  • November 2013: Kelihos Botnet Thrives, Despite Takedowns (Dark Reading)
  • August 2016: Significant Increase in Kelihos Botnet Activity (MalwareTech)
  • December 2016: Kelihos Botnet Delivering Shade (Troldesh) Ransomware with No_More_Ransom Extension (Bleeping Computer)