Discovered in December 2010, Kelihos, also known as Hlux, exploited the Windows OS to form a peer-to-peer botnet of 45,000 computer systems capable of sending approximately 4 billion spam emails per day. In September 2011, Microsoft targeted and dismantled Kelihos. A few months later, in January 2012, a second version of the Kelihos botnet was discovered – this one dubbed Kelihos.b or Version 2 – and it consisted of 110,000 infected systems. In addition to sending spam, this version added the capability to steal Bitcoin wallets and mine Bitcoin. This version was dismantled in March 2012 when a number of private companies sinkholed it. A third version, dubbed Kelihos.c, appeared in April 2012; it spread primarily through malicious links shared on Facebook. Once a user clicked the link, the Fifesoc Trojan would download and install on the user’s system, adding it to the Kelihos botnet.

In November 2016, Kelihos was discovered spreading the Troldesh/Shade ransomware variant through spam emails that contained a malicious link. When clicked, the link would download a zipped malicious JavaScript file or Word document that would then install the ransomware. Kelihos has also been used to distribute other ransomware variants such as Wildfire/Hades Locker, CryptFile2, and MarsJoke, as well as the banking Trojans Panda, Zeus, Nymaim, and Kronos. It has also been used to send money mule spam to American recipients and dating spam to Polish recipients.

In April 2017, the 36-year-old Russian computer programmer behind the Kelihos botnet, Pyotr Levashov, was arrested by Spanish police after Levashov and his family decided to travel to Barcelona for vacation. The Spanish police arrested Levashov in his hotel room as the FBI and several private companies worked to take down his online network of infected computers, or bots. On Monday, April 10, the US Department of Justice unsealed court papers accusing Levashov of wire fraud and unauthorized interception of electronic communications. Levashov is expected to be extradited to the US to face charges.

Reporting and Technical Details

  • March 2012: FAQ: Disabling the new Hlux/Kelihos Botnet (Kaspersky Lab)
  • November 2013: Kelihos Botnet Thrives, Despite Takedowns (Dark Reading)
  • August 2016: Significant Increase in Kelihos Botnet Activity (MalwareTech)
  • December 2016: Kelihos Botnet Delivering Shade (Troldesh) Ransomware with No_More_Ransom Extension (Bleeping Computer)
  • April 2017: Justice Department Announces Actions to Dismantle Kelihos Botnet (US Department of Justice)
  • April 2017: US Accuses Russian Email Spammer of Vast Network of Fraud (New York Times)