What has the Necurs botnet been up to?

The Necurs botnet has been slowly growing since late 2012 and still tops the list of largest spam botnets in the world.

Since then, the botnet has occasionally stopped or temporarily reduced its spam output, but it has returned in full force.


How big is the Necurs botnet?

It’s difficult to say precisely, but the latest information provided by the Cisco Talos team can give a general idea.

The researchers analyzed 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017, and found that the emails were sent from almost 1.2 million distinct IP addresses in over 200 countries and territories.

Interestingly enough, over half of the sending IP addresses are concentrated in three countries: India, Vietnam, and Iran. In contrast, other large industrialized nations were only responsible for a tiny fraction of the spam.

Another interesting finding is that the botnet apparently is not big on reusing IP addresses for different spam campaigns.

“The vast, vast majority of sending IP addresses, 937,761 (78.6% of the total), were only ever seen in a single Necurs spam campaign,” the researchers pointed out. “This means that Necurs botnet is large enough to conduct attacks over several months without substantial reuse of most sending nodes – an impressive feat.”

Spam campaigns

Necurs delivers mostly ransomware (especially Locky) and penny stock pump-n-dump spam, but it’s also been known to send out dating and job spam.

Also, since the advent and increasing popularity of cryptocurrencies, some of the campaigns began concentrating on cryptocurrency credential phishing and spam campaigns pumping less-known cryptocurrencies.


The spam emails it sends out are not very sophisticated, i.e., they will not fool anybody but the most inexperienced users: they usually contain perfunctory text, a link or an attachment, and are often not even customised to address the recipients by name.

“These are among the worst, most unreliable sources for obtaining email addresses, and any legitimate email marketer wouldn’t last a day mailing to addresses such as these. Of course, an illegitimate botnet such as Necurs has no such concerns,” the researchers noted.

Another interesting thing they discovered is that the list of target email addresses hasn’t been changed in 2017, and possibly not even the year before that. This fact should limit the amount of damage it can do, as there are only so many times the same recipients will fall for Necurs’ same, repetitive tricks.

Still, the list can be altered at any time and the tried formulas easily changed, so users would do well to remember not to follow links or open attachments delivered via unsolicited emails.

