
New Threat: The WIN-NPPN1JPV75J Botnet

Over the past month I have been monitoring a sophisticated botnet which I have now called the WIN-NPPN1JPV75J botnet (as I am unable to find any info about it anywhere else).

I will be dumping all my research and findings here.

How does it work?

The botnet itself appears to be mainly about spam and traffic: it uses hacked servers to send spoofed emails that link to a bad actor. The initial infection was most likely an email attachment which users unknowingly opened, infecting their system. Once opened, it grabs your contact list and your email address and begins sending spam to everyone in your contacts. It also appears that even if you get rid of the virus and change your password, the emails keep going out. This is because they are not being sent from your system at all: they are sent from elsewhere with your address spoofed as the sender so that they look legitimate. Recipients have no way to tell the difference unless your domain publishes an SPF record (and, for the From: header the recipient actually sees, a DMARC policy) or they run third-party filtering.

Unfortunately I do not know much about how this attack took place to begin with, so I will dive straight into the second stage of the attack (the spoofed emails).

What do the emails look like?

The emails are mostly the same, alternating between different linked websites. The main body text is either "New message, please read" or "Important message, please visit".


If you view the message source, you will notice that every one of them carries a similar Received header:

Received: from [] (port=57932 helo=WIN-NPPN1JPV75J)
by with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)

Notice the WIN-NPPN1JPV75J? HELO is the name a sending SMTP client announces to identify itself, and this one is identical in every single spam mail, hence the name I have given the botnet. Two other details in that line are worth noting: the "from [ip] (port=... helo=...)" layout is what the Exim mail server writes, and esmtpsa is Exim's tag for a session that used both TLS and SMTP AUTH, so whichever server added that line accepted a login before relaying the message. If that server is your own provider's, the account used to log in is worth finding.
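To make the two points above concrete (the HELO fingerprint in the Received line, and what an SPF check does and does not cover), here is an added Python example; it is not code from the original post. The message, IP addresses, host names and SPF record in it are constructed for illustration; the two HELO names are the ones reported on this page (one of them in the comments).

```python
"""Triage a suspect message by the HELO name in its Received header and show
what SPF would have said about the connecting IP.

Added example, not code from the original post. The message text, IPs, host
names and SPF record below are constructed; the HELO names are the ones
reported on this page.
"""
import ipaddress
import re
from email import message_from_string

# HELO identifiers reported on this page (article and comments).
BOTNET_HELOS = {"WIN-NPPN1JPV75J", "WORLDST-UQ3K9Q0"}

# SPF qualifier characters -> result names (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed message in the shape of an Exim-generated Received header.
# 203.0.113.0/24 is a documentation range, not a real spam source.
SAMPLE = """\
Received: from [203.0.113.7] (port=57932 helo=WIN-NPPN1JPV75J)
    by mail.example.net with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)
    (envelope-from <victim@example.com>)
    for friend@example.org
From: victim@example.com
To: friend@example.org
Subject: Fw: New Message

New message, please read
http://hacked-site.example/wp-content/uploads/a8f3k2.php
"""

# Constructed SPF record for the spoofed domain (example.com): only the
# 198.51.100.0/24 block may send, everything else hard-fails.
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 -all"


def parse_hop(received):
    """Extract connecting IP, HELO name and Exim protocol tag from one
    Received header. Handles both '[ip] (port=.. helo=..)' (no reverse DNS,
    as on this page) and 'host ([ip] ... helo=..)' spellings."""
    text = " ".join(received.split())          # unfold continuation lines
    client, _, server = text.partition(" by ")
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", client)
    helo = re.search(r"helo=([^\s)]+)", client)
    proto = re.search(r"\bwith\s+(\w+)", server)
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "proto": proto.group(1).lower() if proto else None,
    }


def spf_check(record, ip):
    """Evaluate an SPF record against a connecting IP using only the
    ip4/ip6/all mechanisms, so it runs offline. Mechanisms that need DNS
    (a, mx, include, exists, ptr) return 'unknown' instead of guessing."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
        elif "=" in name:            # redirect=/exp= modifiers: not modelled
            continue
        else:
            return "unknown"         # a/mx/include/exists/ptr need DNS
    return "neutral"


def analyse(raw, spf_record):
    """Return what a mail admin wants to know about one message."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    # Received headers are prepended by each relay, so the LAST one is the
    # earliest hop: the server the bot actually connected to.
    hop = parse_hop(hops[-1]) if hops else parse_hop("")
    hop["botnet_helo"] = hop["helo"] in BOTNET_HELOS
    # Exim protocol tags: esmtps = TLS, esmtpa = SMTP AUTH, esmtpsa = both.
    # An authenticated hop means the relay accepted a login for this message.
    hop["authenticated"] = hop["proto"] in ("esmtpa", "esmtpsa")
    hop["spf"] = spf_check(spf_record, hop["ip"]) if hop["ip"] else "none"
    # SPF judges the connecting IP for the envelope sender; it says nothing
    # about the From: header the recipient sees, which is why a DMARC policy
    # is needed on top of it to stop From: spoofing.
    hop["header_from"] = msg.get("From", "")
    return hop


if __name__ == "__main__":
    for key, value in analyse(SAMPLE, SPF_RECORD).items():
        print(f"{key:>14}: {value}")
```

Run as-is it prints the fields for the constructed message: the HELO matches, the protocol tag shows an authenticated TLS session, and the 203.0.113.7 source fails the spoofed domain's SPF record. Point analyse() at a real message source and the record published for the sender's domain to get the same triage; a real deployment would resolve include/mx terms through DNS, which this offline check deliberately reports as unknown.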

What the hell is going on?!

The botnet uses the contact list it stole from your email client (most likely the addresses CC'd on your most recent messages) and sends an email to everyone on it, with a different link each time, each directing you to a hacked website.

The links are interesting: they normally consist of the hacked website itself ( followed by a randomly generated PHP script name, and that script is just a JavaScript redirect.

From what I have analysed, the hacked websites are mostly running WordPress, a free content management system. They mostly have out-of-date plugins and themes with multiple known vulnerabilities, which I'm guessing is why they were easy targets.

The randomly generated PHP script contains a JavaScript redirect to some dodgy-looking news website:

So who’s the bad actor?



As of now, the website they all redirect to is which is currently down.

Some details from the server are below:

IP Location: Russian Federation, Novosibirsk, LLC Company Interlan Communications
ASN: AS57494 ADMAN-AS Krek Ltd., Russian Federation (registered Nov 14, 2011)
Whois Server:
IP Address:
Reverse IP: 2 websites use this address.

% Abuse contact for ‘ –’ is ‘

I also found this website hosted on the same server, but I haven't looked into it yet:

Vladimir E Gnat

So we got Vlad's name from the WHOIS record of the domain; that's pretty bad, right? Forgot to use WHOIS privacy? Anyway, his name has popped up elsewhere: he has also been involved in the Smoke Loader malware, using the domain name:

Read more about that here:

He also owns these domains:

He uses these email addresses:

He used these phone numbers:

Address details?

He is associated with hundreds of servers, some of which are:


Is your server infected?

Below is a very small fraction of the infected servers I have found that have been involved in spreading this email virus. Do not visit these links unless you know what you are doing!
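If you run a WordPress site and want to check whether it is one of the hacked hosts described above (a randomly named PHP file that does nothing but redirect visitors to another site), here is an added Python scanner; it is not the post's own tooling. It builds a small constructed WordPress tree under a temporary directory to demonstrate itself, and every host name in that tree is made up.

```python
"""Find drop-in redirect scripts of the kind described above in a WordPress
document root: small PHP files, often randomly named, whose only job is to
send the visitor to another site.

Added example, not the post's own tooling. The sample site it builds under a
temporary directory, and every host name in it, is constructed.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Redirect idioms seen in drop-in scripts: JavaScript location changes, a PHP
# Location header and a meta refresh. Group 1 is the destination URL.
REDIRECT_PATTERNS = [
    re.compile(r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I),
    re.compile(r"""location\.replace\(\s*["']([^"']+)["']""", re.I),
    re.compile(r"""header\(\s*["']Location:\s*([^"']+)["']""", re.I),
    re.compile(r"""http-equiv\s*=\s*["']refresh["'][^>]*url=([^"'>\s]+)""", re.I),
]
# Names like a8f3k2.php: letters and digits mixed, no separators.
RANDOM_NAME = re.compile(r"^(?=.*[0-9])(?=.*[a-z])[a-z0-9]{5,}\.php$", re.I)


def redirect_targets(source):
    """All redirect destinations found in one file's contents."""
    targets = []
    for pattern in REDIRECT_PATTERNS:
        targets.extend(m.group(1) for m in pattern.finditer(source))
    return targets


def is_external(url, site_host):
    """True when the URL points at a host other than the site itself.
    Relative URLs (no host) are internal by definition."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() != site_host.lower()


def scan(docroot, site_host, max_size=4096):
    """Walk the document root and report suspicious PHP files with reasons.
    Only small files are inspected: the drop-ins are a few hundred bytes,
    and skipping real plugin/theme code keeps false positives down."""
    docroot = Path(docroot)
    hits = []
    for path in sorted(docroot.rglob("*.php")):
        try:
            if path.stat().st_size > max_size:
                continue
            source = path.read_text(errors="replace")
        except OSError:
            continue
        rel = path.relative_to(docroot).as_posix()
        reasons = []
        external = [u for u in redirect_targets(source) if is_external(u, site_host)]
        if external:
            reasons.append("redirects off-site to " + ", ".join(external))
        if "wp-content/uploads/" in rel:
            reasons.append("PHP file under wp-content/uploads (should never execute there)")
        if reasons and RANDOM_NAME.match(path.name):
            reasons.append("random-looking file name")
        if reasons:
            hits.append({"path": rel, "reasons": reasons})
    return hits


def build_sample_site():
    """Constructed WordPress tree: two benign files and two drop-ins."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    files = {
        # Benign: same-site redirect inside core-looking code.
        "wp-login.php": "<?php header('Location: https://example.com/wp-admin/'); ?>",
        "wp-content/themes/t/functions.php": "<?php add_action('init', 'noop'); ?>",
        # Drop-in 1: JS redirect, random name, sitting in uploads.
        "wp-content/uploads/2017/a8f3k2.php":
            '<script>window.location.href="http://news-site.example/";</script>',
        # Drop-in 2: PHP Location header to another host, hidden in a plugin dir.
        "wp-content/plugins/p/redir.php":
            '<?php header("Location: http://evil-news.example/"); ?>',
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for hit in scan(build_sample_site(), "example.com"):
        print(hit["path"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run it against a real site with scan("/var/www/html", "your-domain.example") and treat every hit as something to read by hand: a legitimate plugin can redirect off-site, but a six-character PHP file inside wp-content/uploads that does nothing else almost never is. The size cap and the uploads check are the two cheap signals; the random-name check only corroborates them.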


There isn't really much we can do about this unfortunately; we can only report malicious domains and hope for the best. In the meantime I am going to research this a lot more, trying to discover the root of the botnet.

More to come.

Check out Wardline’s blog post about the very same issue:


  • Wrock

    Thank you for your article. I’ve made a link to it from mine. Spam with WORLDST-UQ3K9Q0 in the header predated WIN-NPPN1JPV75J which I first saw on September 29th. The problem has been circulating since at least August 13th as WORLDST-UQ3K9Q0 and matches the characteristics of problems at AOL in April 2014 and GMX in 2012.

    • Anonymous

      Thank you for your reply and also for the link. That’s very interesting, the fact it’s been allowed to go on for so long stuns me. There is definitely a bigger picture to all of this. BTW I stumbled across your blog the other day, love your posts, honored to be linked 🙂

  • Liz Erk

    Thank you, both Wrock and Evil Security. This has been bordering on total nightmare for me since August. I’m at least able to explain to people why I’m seemingly “spam bombing” the world when it happens. This one also posts to forums and subscribed Facebook groups of affected email address owners, but in my case, only if my machine is on. (I have only experienced this going on with Facebook. I noticed forums and user groups by Googling “Fw: New Message” “Spam”.)