In brief
- Malware known as Glupteba has been spreading at an accelerated pace since the start of 2020.
- Its bots read the addresses of their command servers from Bitcoin's blockchain, a channel that is hard to block or take down.
- Certain facets of its design suggest the malware is meant to be run as a paid service for other bad actors.
Since the beginning of 2020, “Glupteba,” a malware that uses Bitcoin’s blockchain to control an army of bots, has been spreading at an accelerated pace.
The malware was first discovered in 2011 but researchers noted in late 2019 that it had started using the Bitcoin blockchain to help coordinate its botnet. Now, further research suggests the botnet may be sold to any buyer who wants to make use of it.
👾 NEW report on #Glupteba 👾
This worm is focused on concealment and stealth and may keep malware payloads hidden from view.
We’ve taken a deep dive into what makes the Glupteba malware distinctive in the latest from SophosLabs Uncut: https://t.co/BJGrHGao21 @threatresearch pic.twitter.com/rFXID0NLOu
— SophosLabs (@SophosLabs) June 24, 2020
Monetizing the botnet
The person behind this malware wants to make full use of it.
In parts of its configuration, the addresses of the command servers that control it are labeled "CDN." SophosLabs noted that the acronym usually stands for "content delivery network," a service that delivers content quickly to a large number of computers.
“We can infer from the bot’s propensity to self-protection and stealth, and this CDN label, that Glupteba’s creators intend this malware to be part of a service offering to other malware publishers, giving them a pay-per-install business model for malware delivery,” SophosLabs said.
This would let the bot master, the person actually running the botnet, monetize it by selling access to its services at a price.
"I'd say the Glupteba attackers are angling to market themselves as a malware-delivery-as-a-service provider to other malware makers who value longevity and stealth over the noisy quick endgame of, for instance, a ransomware payload,” Andrew Brandt, principal researcher at Sophos, told ZDNet.
Research from CSIS Security Group notes that the pay-per-install model has mostly been associated with the adware market, but that large malware distributors use it too.
The malware works hard to hide
Glupteba goes to unusual lengths to avoid detection, according to cybersecurity firm SophosLabs' latest report. Once its backdoor is on a host, the malware installs an elaborate set of components that hide it from the prying eyes of users and antivirus software.
"The most unscrupulous threat actors design their malware to be stealthy. This means that they strive to stay under the radar and remain in the wild for a long time, performing reconnaissance and collecting information to determine their next move and to hone their malicious techniques,” Luca Nagy, security researcher at Sophos and lead author of the Glupteba report, told Decrypt.
She added that the hackers behind the bot “are investing immense effort in self-defense,” purposefully designing their malware “to be generic, capable of implementing a wide range of different malicious activities through its different components and extensive backdoor functions.”
How does it use Bitcoin?
The bot master uses the Bitcoin blockchain to reach the bots without sending messages to infected computers directly. Instead, the malware regularly scans the blockchain for specific transactions. The messages are hidden in an output field of those transactions (OP_RETURN) that can carry a short block of arbitrary data.
When it finds a message from the bot master, it decodes the message to recover one or more domain names. It then quietly contacts those domains to find out which command servers to connect to. Because a confirmed transaction cannot be edited or taken down, the operator can move the command servers at will simply by publishing a new transaction, which is what keeps the bot master in control.
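How a bot, or an analyst retracing its steps, could read such a message, as an added example that is not code from the page or from Sophos: the block below parses a raw (non-segwit) Bitcoin transaction, pulls the data out of any OP_RETURN output, decodes it and keeps only results that look like a hostname. The transaction, the key and the keystream cipher are constructed stand-ins for this illustration; whatever encoding the real sample uses is not reproduced here, and a SHA-256 counter keystream takes its place so the block runs with the standard library alone.

```python
"""Recover a command-server domain hidden in a Bitcoin transaction's OP_RETURN output.

Constructed example: the transaction, key and keystream cipher are stand-ins,
not artifacts from any Glupteba sample.
"""
import hashlib
import re
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")
EXAMPLE_KEY = b"example-key-not-from-any-sample"  # hypothetical key, assumed for the demo


def read_varint(buf, pos):
    """Decode Bitcoin's CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_outputs(raw):
    """Walk a raw legacy (non-segwit) transaction and return [(value_sat, script_bytes)]."""
    pos = 4  # skip the 4-byte version field
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid and output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig and sequence number
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payloads(raw):
    """Return the data pushed after OP_RETURN in each data-carrier output."""
    payloads = []
    for _, script in parse_outputs(raw):
        if len(script) < 2 or script[0] != OP_RETURN:
            continue
        op = script[1]
        if 1 <= op <= 0x4B:  # direct push of 1..75 bytes
            payloads.append(script[2:2 + op])
        elif op == OP_PUSHDATA1 and len(script) >= 3:  # length byte follows (relay policy caps data at 80)
            payloads.append(script[3:3 + script[2]])
    return payloads


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream (not the real sample's scheme)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def recover_c2_domains(raw_tx_hex, key=EXAMPLE_KEY):
    """Decode every OP_RETURN payload and keep only results that look like a hostname."""
    domains = []
    for payload in op_return_payloads(bytes.fromhex(raw_tx_hex)):
        try:
            text = keystream_xor(key, payload).decode("ascii")
        except UnicodeDecodeError:
            continue  # wrong key or unrelated data-carrier output
        if DOMAIN_RE.fullmatch(text):
            domains.append(text)
    return domains


def build_example_tx(domain, key=EXAMPLE_KEY):
    """Construct the kind of transaction a bot master would publish (sample input, not a real one)."""
    payload = keystream_xor(key, domain.encode("ascii"))
    assert len(payload) <= 0x4B, "this builder uses a direct push, so keep the domain under 76 bytes"
    data_script = bytes([OP_RETURN, len(payload)]) + payload
    p2pkh_script = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"  # ordinary payment output as cover
    tx = b"\x01\x00\x00\x00"  # version 1
    tx += b"\x01" + b"\x00" * 32 + b"\xff\xff\xff\xff" + b"\x00" + b"\xff\xff\xff\xff"  # one dummy input
    tx += b"\x02"  # two outputs
    tx += struct.pack("<q", 0) + bytes([len(data_script)]) + data_script
    tx += struct.pack("<q", 50_000) + bytes([len(p2pkh_script)]) + p2pkh_script
    tx += b"\x00\x00\x00\x00"  # locktime
    return tx.hex()


if __name__ == "__main__":
    print(recover_c2_domains(build_example_tx("update.example.net")))  # ['update.example.net']
```

The same extraction is what a defender would run over the transaction history of a wallet address pulled from a sample: every OP_RETURN payload that decodes to a hostname is a command domain the bots will be told to use, and there is no server to seize to stop them being told.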
The malware also installs a hidden Monero miner, XMRig, alongside its other components, but that could be just an extra bonus, according to the researchers.
“After all, the bot’s payload is already communicating with bitcoin wallets and the blockchain, so perhaps the bot’s creators thought they would be able to sneak one additional connection past that nobody would notice,” SophosLabs noted.
To expand its network, Glupteba uses the first infected computer as a foothold from which it scans for other systems vulnerable to EternalBlue, an exploit for a flaw in Windows' SMBv1 file-sharing service (patched as MS17-010) that was also used by the infamous WannaCry ransomware.
The researchers added that Glupteba infects its victims primarily through illicit installers and cracks for pirated commercial software, one of the big risks of downloading from sites like The Pirate Bay.