Trik Spam Botnet Leaks 43M Email Addresses Due to Misconfigured C&C Server

Do Son June 17, 2018 4 minutes read

A threat intelligence analyst from Vertek Corporation told Bleeping Computer that he recently discovered that a spam botnet command and control (C&C) server had accidentally exposed at least 43 million e-mail addresses.

The analyst said he made the finding while tracking a malware campaign spread through spam emails. The purpose of the campaign was to distribute the latest version of the Trik Trojan. Because the C&C server was misconfigured, anyone could view all of its stored content by accessing its IP address directly.

The analyst said that he found a total of 2201 text files on this server, named sequentially from 1.txt to 2201.txt, each containing about 20,000 e-mail addresses. Analysts believe the Trik botnet operators use these recipient lists to let criminals who subscribe to their services spread their malware through spam email campaigns.

The analyst also told Bleeping Computer that he and his team verified the uniqueness of all these e-mail addresses. The results show that of the 44,020,000 addresses, 43,555,741 are unique.

Judging by their domain names, these email addresses come from all over the world. There are 4.6 million unique email domain names, ranging from .com and .net to .gov, along with several companies’ private domain names. They include Yahoo (yahoo.com), Tencent (qq.com) and NetEase (126.com, 163.com). The top 100 e-mail domain names are as follows:

8907436 yahoo.com
8397080 aol.com
 788641 comcast.net
 433419 yahoo.co.in
 432129 sbcglobal.net
 414912 msn.com
 316128 rediffmail.com
 294427 yahoo.co.uk
 286835 yahoo.fr
 282279 verizon.net
 244341 bellsouth.net
 234718 cox.net
 227209 earthlink.net
 221737 yahoo.com.br
 191098 ymail.com
 174848 att.net
 156851 btinternet.com
 139885 libero.it
 120120 yahoo.es
 117175 charter.net
 112566 mac.com
 111248 mail.ru
 107810 juno.com
  92141 optonline.net
  86967 yahoo.ca
  78964 me.com
  73341 yahoo.com.ar
  71545 yahoo.in
  71200 rocketmail.com
  69757 wanadoo.fr
  68645 rogers.com
  65629 yahoo.it
  65017 shaw.ca
  64091 ig.com.br
  63045 163.com
  62375 uol.com.br
  57764 free.fr
  57617 yahoo.com.mx
  57066 web.de
  56507 orange.fr
  56309 sympatico.ca
  54767 aim.com
  51352 cs.com
  50256 bigpond.com
  48455 terra.com.br
  43135 yahoo.co.id
  41533 netscape.net
  40932 alice.it
  39737 sky.com
  39116 yahoo.com.au
  38573 bol.com.br
  38558 YAHOO.COM
  37882 excite.com
  37788 mail.com
  37572 tiscali.co.uk
  37361 mindspring.com
  37350 tiscali.it
  36636 HOTMAIL.COM
  36429 ntlworld.com
  34771 netzero.net
  33414 prodigy.net
  33208 126.com
  32821 yandex.ru
  32526 planet.nl
  32496 yahoo.com.cn
  31167 qq.com
  30831 embarqmail.com
  30751 adelphia.net
  30536 telus.net
  30005 hp.com
  29160 yahoo.de
  28290 roadrunner.com
  27558 skynet.be
  26732 telenet.be
  26299 wp.pl
  26135 talktalk.net
  26072 pacbell.net
  26051 t-online.de
  25929 netzero.com
  25917 optusnet.com.au
  25897 virgilio.it
  25525 home.nl
  25227 videotron.ca
  24881 blueyonder.co.uk
  24462 peoplepc.com
  24435 windstream.net
  24079 xtra.co.nz
  23465 bluewin.ch
  23375 us.army.mil
  22433 hetnet.nl
  22247 trainingelite.com
  22021 yahoo.com.sg
  21689 laposte.net
  21336 ge.com
  21130 frontiernet.net
  21055 q.com
  21034 mchsi.com
  20882 webtv.net
  20830 abv.bg
  19425 insightbb.com
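
The list above counts yahoo.com and YAHOO.COM as separate rows, so anyone re-tallying recipient lists like these should normalize domain case before deduplicating. The following Python is an added example, not the analyst's tooling: `split_address`, `summarize`, the `watch` parameter and the sample addresses are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

def split_address(line):
    """Return (local, domain) with the domain lower-cased, or None for junk lines."""
    addr = line.strip()
    local, sep, domain = addr.rpartition("@")
    domain = domain.rstrip(".").lower()  # domains are case-insensitive
    if not sep or not local or "@" in local or " " in addr or "." not in domain:
        return None
    return local, domain  # local part is left as-is: it is formally case-sensitive

def summarize(list_files, watch=()):
    """list_files: iterable of line iterables, one per recipient-list file."""
    seen = set()          # 8-byte digests, so plaintext addresses are not retained
    domains = Counter()   # unique addresses per normalized domain
    stats = {"lines": 0, "rejected": 0}
    for lines in list_files:
        for line in lines:
            if not line.strip():
                continue
            stats["lines"] += 1
            parts = split_address(line)
            if parts is None:
                stats["rejected"] += 1
                continue
            local, domain = parts
            key = hashlib.blake2b(f"{local}@{domain}".encode(), digest_size=8).digest()
            if key in seen:
                continue
            seen.add(key)
            domains[domain] += 1
    stats["unique"] = len(seen)
    # Exposure per watched domain (given in lower case), subdomains included.
    stats["exposed"] = {
        w: sum(n for d, n in domains.items() if d == w or d.endswith("." + w))
        for w in watch
    }
    return stats, domains

# Constructed sample standing in for two of the numbered list files.
SAMPLE_FILES = [
    ["alice@yahoo.com", "bob@YAHOO.COM", "carol@example.org", "not-an-address", ""],
    ["alice@Yahoo.com", "dave@mail.example.org", "erin@aol.com", "bob@yahoo.com"],
]

if __name__ == "__main__":
    stats, domains = summarize(SAMPLE_FILES, watch=("example.org",))
    print(stats, domains.most_common(3))
```

For real files, pass `(open(p, errors="replace") for p in paths)` as `list_files`; the `watch` tuple lets an organization see how many of its own addresses appear in a recovered list.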

Analysts pointed out that most of these e-mail addresses were previously exposed, for example those at Yahoo (10.6 million) and AOL (8.3 million). This means that campaigns designed to spread malware through spam emails are highly likely to target specific users. Another possibility is that the list of email addresses found is incomplete.

Of course, we should also pay attention to the Trik Trojan that appeared in the incident. According to related data, it is a typical malware downloader that has been active for at least ten years. Once a computer is infected, it is used to form a botnet.

As mentioned earlier, botnets are sold to other criminals. The Vertek analyst said that the Trik botnet is being used by the GandCrab ransomware operations team to disseminate GandCrab V3.

GandCrab ransomware first appeared in January of this year, spreading mainly through spam e-mail, social engineering, exploit kits, and malvertising. Multiple versions were released in just a few months, and it is considered one of the top ransomware families of 2018.

The latest version, V3, not only retains all the features of the previous version but also adds an auto-run feature that lets the malware start on its own even after the infected computer is restarted, thereby establishing persistence on the infected computer.

As GandCrab’s operating team began to use the Trik botnet to spread its malware, we believe that this ransomware will undoubtedly bring greater turmoil to Internet users around the world in the coming period.
