Botnet, Security, Uncategorised

New Threat: The WIN-NPPN1JPV75J Botnet

Over the past month I have been monitoring a sophisticated botnet which I have now called the WIN-NPPN1JPV75J botnet (as I am unable to find any info about it anywhere else).

I will be dumping all my research and findings here.

How does it work?

The botnet itself appears to be mainly about spam and traffic, using hacked servers to send spoofed emails that link to a bad actor. The initial hack must have been sent as an email attachment which users unknowingly opened, infecting their system. Once opened, it grabs your contact list and your email address and begins sending spam to everyone in your contacts. It appears that even if you get rid of the virus and change your password, the emails keep going out. This is because they are not being sent from your system: they are being sent from elsewhere, with your email address spoofed to make them look legitimate. From the victim's side this is unstoppable without setting up third-party software or publishing SPF records in your DNS.
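To make the SPF point concrete, here is an added example (my own code, not anything from the post): a constructed `v=spf1` record for a hypothetical domain, and a minimal evaluator that decides what a receiving mail server would do with a connection from a given IP. It only understands the `ip4`, `ip6` and `all` mechanisms, since anything else needs live DNS; the record, the domain and the IPs are all placeholders from the documentation ranges. The caveat worth knowing: publishing SPF does not stop the botnet from sending mail with your address on it, it only lets receivers that check SPF reject it, and it only helps if the spoofed address is one you control.

```python
from __future__ import annotations
import ipaddress

# Constructed record for a hypothetical domain: only the two listed networks
# may send mail for it; "-all" tells receivers to reject everything else.
EXAMPLE_SPF = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"

# Qualifier prefix of a mechanism -> result the receiver applies when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of a v=spf1 record against the
    IP the connection actually came from (not the helo= name, which the
    client can set to anything).

    Returns "pass", "fail", "softfail" or "neutral" for the first matching
    mechanism, or "none" if nothing matched. Mechanisms that need DNS
    lookups (a, mx, include, exists) and modifiers (redirect=, exp=) are
    rejected rather than silently skipped, so an offline result is never
    wrong in a way that looks right.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:
            raise NotImplementedError(f"modifier {term!r} not supported offline")
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS lookups")
    return "none"


if __name__ == "__main__":
    # A legitimate sender, a spoofing host outside the record, and an IPv6 sender.
    for ip in ("198.51.100.25", "203.0.113.5", "2001:db8:1::1"):
        print(ip, "->", check_spf(EXAMPLE_SPF, ip))
```

With `-all` the spoofing host gets a hard `fail`; a `~all` record would only produce `softfail`, which most receivers treat as "deliver but mark", so choose the qualifier deliberately.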

Unfortunately I do not know much about how this attack took place to start with, so I will dive straight into the second stage of the attack (spoofed emails).

What do the emails look like?

The emails are mostly the same, alternating between different linked websites. The main body text goes as follows: “New message, please read” or “Important message, please visit”.


You will notice if you view the email header source that every time it has a similar header:

Received: from [] (port=57932 helo=WIN-NPPN1JPV75J)
by with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)

Notice the WIN-NPPN1JPV75J? The HELO command is used by the sending SMTP client to identify itself, and this HELO name is the same for every single spam mail, which is why I have called it the WIN-NPPN1JPV75J botnet.
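Since the HELO name is the one thing that never changes, it makes a usable mailbox fingerprint. Here is an added example (my own code, not from the post) that pulls the connecting IP and the `helo=` name out of each `Received:` header and flags messages carrying this one. The two sample messages are constructed: the `Received:` line copies the shape of the header fragment quoted above, while the IPs, hostnames and addresses are documentation-range placeholders.

```python
from __future__ import annotations
import re
from collections import Counter
from email import message_from_string

# HELO name the author saw in every spam mail's Received header.
SUSPECT_HELO = "WIN-NPPN1JPV75J"

# "from [1.2.3.4] (port=NNN helo=NAME)" as Exim-style MTAs write it. The IP in
# brackets is where the connection really came from; helo= is only what the
# client claimed about itself.
HOP_RE = re.compile(
    r"from\s+\[(?P<ip>[0-9a-fA-F.:]+)\][^()]*\(port=\d+\s+helo=(?P<helo>[^\s)]+)\)",
    re.IGNORECASE,
)

# Constructed samples. The Received line mirrors the fragment quoted in the
# post; IPs, hostnames and addresses are documentation-range placeholders.
SPAM_SAMPLE = (
    "Received: from [192.0.2.10] (port=57932 helo=WIN-NPPN1JPV75J)\n"
    "\tby mail.example.net with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)\n"
    "From: colleague@example.org\n"
    "To: you@example.net\n"
    "Subject: New message, please read\n"
    "\n"
    "http://hacked-site.example/a8f3k2q9.php\n"
)
LEGIT_SAMPLE = (
    "Received: from [198.51.100.7] (port=41022 helo=laptop.example.org)\n"
    "\tby mail.example.net with esmtpsa (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256)\n"
    "From: colleague@example.org\n"
    "To: you@example.net\n"
    "Subject: Lunch?\n"
    "\n"
    "See you at 12.\n"
)


def hops(raw_message: str) -> list[tuple[str, str]]:
    """(connecting_ip, helo_name) for every Received header, newest hop first."""
    msg = message_from_string(raw_message)
    found = []
    for received in msg.get_all("Received", []):
        m = HOP_RE.search(received)
        if m:
            found.append((m.group("ip"), m.group("helo")))
    return found


def is_suspect(raw_message: str) -> bool:
    """True when any hop introduced itself with the botnet's HELO name."""
    return any(helo.upper() == SUSPECT_HELO for _, helo in hops(raw_message))


def helo_counts(messages: list[str]) -> Counter:
    """How often each HELO name turns up across a mailbox; one name recurring
    under many different From: addresses is the fingerprint the post describes."""
    counts: Counter = Counter()
    for raw in messages:
        for _, helo in hops(raw):
            counts[helo.upper()] += 1
    return counts


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, hops(raw), "suspect" if is_suspect(raw) else "ok")
    print(helo_counts([SPAM_SAMPLE, SPAM_SAMPLE, LEGIT_SAMPLE]))
```

Feed `hops()` the raw source of each message in a folder and the connecting IPs it returns are what you report to an abuse contact; the `helo=` name is only a claim by the client and is useful for grouping, not for attribution.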

What the hell is going on?!

The botnet utilizes the contact list it stole from your email client (most likely from recent CC lists) and sends an email to everyone on that list, with a different link each time, each directing you to a hacked website.

The links are interesting: they normally contain the website itself ( and then a randomly generated PHP script which is just a JavaScript redirect.

From what I have analysed, the hacked websites are mostly running WordPress, a free content management system. They mostly have out-of-date plugins and themes with multiple vulnerabilities, which is why I'm guessing they were easy targets.

The randomly generated PHP script contains a JavaScript redirect to some dodgy news-looking website:

So who’s the bad actor?



The website they all redirect to, as of now, is which is currently down.

Some details from the server are below:

IP Location: Russian Federation, Novosibirsk, Llc Company Interlan Communications
ASN: Russian Federation AS57494 ADMAN-AS Krek Ltd. (registered Nov 14, 2011)
Whois Server:
IP Address:
Reverse IP: 2 websites use this address.

% Abuse contact for ‘ –’ is ‘

I also found this website that is hosted on the same server, but I haven’t looked into it yet:

Vladimir E Gnat

So we got Vlad’s name from the WHOIS of the domain; that’s pretty bad, right? Forgot to WHOIS-guard yourself? Anyway, his name has popped up elsewhere: he has also been involved in the Smoke Loader malware, using the domain name:

Read more about that here:

He also owns these domains:

He uses these email addresses:

He used these phone numbers:

Address details?

He is associated with hundreds of servers, some of which are:


Is your server infected?

Below is a very small fraction of infected servers I have found which have been involved in the spreading of this email virus. Do not click on these links unless you know what you are doing!
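If you run a WordPress site and want to check whether it is quietly hosting one of the redirect scripts described earlier, here is an added example (my own code, not from the post and not part of WordPress). It assumes, from the description above, that a dropped file is a small PHP file with a random-looking name whose only job is a JavaScript or meta-refresh redirect to another host; the exact patterns it matches are my assumption, since the post does not show the script body. `build_demo_tree()` creates a constructed stand-in document root with placeholder domains so the scan runs offline.

```python
from __future__ import annotations
import math
import pathlib
import re
import tempfile
from collections import Counter
from urllib.parse import urlparse

# Client-side redirect forms a bare "redirect page" typically uses. These
# patterns are an assumption about what the random PHP files contain; the post
# only says they hold a JavaScript redirect.
REDIRECT_RE = re.compile(
    r"(?:window\.location(?:\.href)?\s*=\s*|top\.location(?:\.href)?\s*=\s*"
    r"|location\.replace\(\s*|<meta[^>]+http-equiv=[\"']refresh[\"'][^>]*url=)"
    r"[\"']?(https?://[^\"'\s>)]+)",
    re.IGNORECASE,
)
MAX_SIZE = 4096  # a bare redirect page is tiny; real plugin code is not


def name_entropy(s: str) -> float:
    """Shannon entropy of the characters in s, in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Random alphanumeric names of 8+ chars score above ~3 bits/char;
    'index', 'wp-login' or 'functions' do not."""
    return len(stem) >= 8 and stem.isalnum() and name_entropy(stem) > 3.0


def dropped_redirect_target(path: pathlib.Path, own_host: str) -> str | None:
    """Return the external URL a small PHP file redirects to, else None.
    Redirects back to the site's own host are normal and are ignored."""
    if path.suffix.lower() != ".php" or path.stat().st_size > MAX_SIZE:
        return None
    m = REDIRECT_RE.search(path.read_text(errors="replace"))
    if not m:
        return None
    target = m.group(1)
    host = urlparse(target).hostname or ""
    if host == own_host or host.endswith("." + own_host):
        return None
    return target


def scan_tree(root: str, own_host: str) -> list[dict]:
    """Walk a document root and report small PHP files that bounce visitors
    to another host, noting whether the file name looks machine-generated."""
    findings = []
    base = pathlib.Path(root)
    for path in sorted(base.rglob("*.php")):
        target = dropped_redirect_target(path, own_host)
        if target:
            findings.append({
                "file": str(path.relative_to(base)),
                "target": target,
                "random_name": looks_random(path.stem),
            })
    return findings


def build_demo_tree() -> str:
    """Constructed stand-in for a WordPress document root: two legitimate
    files and one dropped redirect page. Returns the temp directory path."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-login.php").write_text("<?php\nrequire_once 'wp-load.php';\nwp_login_form();\n")
    # A redirect to the site's own host: normal, must not be reported.
    (root / "go.php").write_text('<script>window.location = "https://example.com/shop/";</script>\n')
    # The dropped page: random name, tiny, sends visitors to a placeholder off-site host.
    (root / "x7q2m9pk4z.php").write_text(
        "<?php echo '<script>window.location.href=\"http://news-example.test/\";</script>'; ?>\n"
    )
    return str(root)


if __name__ == "__main__":
    for finding in scan_tree(build_demo_tree(), "example.com"):
        print(finding)
```

Against a real site you would call `scan_tree("/var/www/html", "yourdomain.example")`. Treat a hit as a lead to review, not proof: some legitimate plugins emit redirects, and a scanner this simple only catches the plain form of the script, so a clean result does not mean the server is clean.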


There isn't really much we can do about this, unfortunately; we can only report malicious domains and hope for the best. In the meantime I am going to be researching this a lot more, trying to discover the root of the botnet.

More to come.

Check out Wardline’s blog post about the very same issue:


PWN3d, Security

That one guy…

What's going on?

This post won't be too long; I just wanted to publicly shame people who attempted to do anything “phishy” to my blog. So here goes.

I receive notifications when something is going on, and I noticed I had a few of these:


So why are you trying to log into my blog as “admin”? Let me dump some of your info and see if that will stop you 🙂

Looks as though this IP address is involved in a lot of shit: 

IP address:
Host name:
IP range – CIDR:
ISP: PE Tetyana Mysyk
Organization: PE Tetyana Mysyk
Country: Ukraine (UA)
Time zone:
Local time:
Postal Code: