Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • Trend Micro: Hackers Add New Features to Necurs botnet malware
  • Malware

Trend Micro: Hackers Add New Features to Necurs botnet malware

Do Son April 28, 2018 4 minutes read
Add Daily CyberSecurity as a preferred source on Google

Necurs is known as the Malware Trojan Transmission Infrastructure and there have been several cases of spreading of malicious family Trojans that have been proved or suspected to be related to the botnets built by Necurs Trojans, including the notorious rogue viruses Locky, Jaff, mainly bank vouchers. Target Trojan Dridex et al. Necurs is more than just a spam tool. It also has rootkit capabilities and the ability to fight against killing software. Once infected with a user’s machine, it is difficult to get rid of. In addition, Necurs has implemented a modular design that can load different malicious modules according to different tasks, allowing the victim’s computer to be manipulated arbitrarily.

Necurs is a botnet malware that emerged around 2012 and has never stopped optimizing updates since its appearance. Millions of infected computers are under its control and about one million devices are activated each day. Necurs has been engaged in spamming cybercrime activities for many years.

In 2017, the Necurs botnet added C&C server communication capabilities that can be used to launch DDoS attacks. The module spreads malicious traffic through infected hosts, mainly through the HTTP, SOCKSv4, and SOCKSv5 protocols.

McAfee released a report in March 2018 saying that in the fourth quarter of 2017, spam sent by botnet Necurs and Gamut accounted for 97% of all spam. During this time, Necurs used the adult website as a lure for its delivery and transfer program, providing POC for ransomware. The spam activity rate was slightly lower than the previous two months, but the botnet still accounted for 37% of all spam, Necurs accounted for 60%, and most of the e-mail domain names were linked to job-themed phishing and Related to money fraud.

In January 2018, a blog posted by e-mail and cybersecurity company AppRiver stated that AppRiver’s SecureTide filter blocks up to 47 million junk e-mails sent from Necurs botnets to App River customers every day. Distribution of ransomware Locky and GlobeImposter.

The spam e-mails usually issued by Necurs botnets are called pumping and dumping. They rely on sending a lot of spam to promote the user’s interest in specific low-priced stocks. The spammers purchase the stocks at a low price in advance. When the spam activity raises the price, the stock is sold at a higher price.

Trend Micro recently discovered that a new variant of Necurs, the world’s largest spam botnet, appeared and evaded detection via a network shortcut (.url) file.

Necurs previously used an archive file containing a .ZIP file to hide the script download program in order to avoid attachments being detected. The download program was then packaged in another .ZIP file to hide.

Unlike previous Necurs variants, the new variant uses a network shortcut file to send malicious spam to download program scripts.

The script then executes remotely through the Server Message Block (SMB) protocol to evade spam filter detection.

This script will generate a secondary downloader, QuantLoader (this is a common malware family), whose purpose is to obtain boot persistence, and finally download the final, more powerful Payload from this downloader. Botnet operators rarely use this simple spam technique and have always relied on complex infection chains.

Trend Micro researchers pointed out that using QuantLoader may achieve a multiplier effect. First, this download program adds another download phase before downloading the final Payload, which can confuse and evade behavior detection. The QuantLoader is persistent, releasing a copy of itself and creating an autorun registry for execution at startup.

Trend Micro reported in the report that the attacker behind this activity is also using the ability to modify the Internet shortcuts to click on the icon, in order to trick victims into thinking that they are receiving normal folders. In a spam sample, an attacker disguised a URL file as a ZIP file for voice mail.

If the user receives an e-mail attachment that contains the shortcut file shown below, this file is 100% malicious and should never be opened.

 

In January 2018, the Necurs botnet spawned millions of spam emails. For the first time, large-scale spam campaigns promoted a little-known cryptocurrency Swisscoin cryptocurrency, instead of pushing low-priced stocks, as usual, resulting in Swisscoin lost 40% of the initial transaction price.

Related coverage

  • Poisoned Code: Stealthy Malicious Go Module Backdoor Discovered in Long-Running Typosquat
  • Invisible Miners: Unveiling GHOSTENGINE’s Crypto Mining Operations
  • WebRoot: TrickBot ship a new module, “screenlocker”
  • Warlock Ransomware Evolves: New Tools and Kernel-Level Evasion Threaten Global Sectors
  • Babylon RAT Unleashed: Malaysian Politicians Under Cyber Siege
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Necurs botnet malware

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.