Discovered in December 2010, Kelihos, also known as Hlux, exploited the Windows OS to form a peer-to-peer botnet of 45,000 computer systems capable of sending approximately 4 billion spam emails per day. In September 2011, Microsoft targeted and dismantled Kelihos. A few months later, in January 2012, a second version of the Kelihos botnet was discovered, dubbed Kelihos.b or Version 2, comprising 110,000 infected systems. In addition to sending spam, this version added the capability to steal Bitcoin wallets and mine Bitcoin. It was dismantled in March 2012 when a number of private companies sinkholed it. A third version, dubbed Kelihos.c, appeared in April 2012 and spread primarily through malicious links shared on Facebook. Once a user clicked the link, the Fifesoc Trojan would download and install on the user's system, adding it to the Kelihos botnet.
Reporting and Technical Details
- March 2012: FAQ: Disabling the new Hlux/Kelihos Botnet (Kaspersky Lab)
- November 2013: Kelihos Botnet Thrives, Despite Takedowns (Dark Reading)
- August 2016: Significant Increase in Kelihos Botnet Activity (MalwareTech)
- December 2016: Kelihos Botnet Delivering Shade (Troldesh) Ransomware with No_More_Ransom Extension (Bleeping Computer)