Zyklon, also known as Zyklon HTTP,  is a sophisticated botnet that is capable of performing various types of DDoS attacks such as HTTP flood, TCP flood, UDP flood, SYN flood, and Slowloris. Once a system is infected, Zyklon inspects all startup files and uploads them to VirusTotal, to be scanned for malware. If malware is detected, Zyklon terminates the associated processes and removes the malicious file, as well as its registry keys, from the system. It also performs behavioral analysis to determine if a file is malicious.

In addition to DDoS attacks, Zyklon is capable of stealing data. It contains a keylogger module and can recover passwords stored in web browsers, FTP applications, and email clients. It also locates and steals license keys from hundreds of types of software including popular games and productivity applications. Zyklon transmits this data to its C2 server through an encrypted connection using RSA and AES-256. It propagates itself by bundling a malicious executable with a legitimate software installer and delivering the payload via phishing emails.

Reporting and Technical Details:

  • February 2017: Zyklon HTTP Botnet (Radware)
  • April 2017: Off-the-Shelf Zyklon Botnet Malware Used to Deliver Cerber Ransomware (PhishMe)
  • May 2017: Modified Zyklon and Plugins from India (Cisco Talos)
  • January 2018: Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign (FireEye)