Prometei v3 botnet is of medium size, with approximately 10,000 infected systems worldwide.
The geographical distribution of infected systems shows a uniform distribution proportional to the population of the countries, with traffic captured from 155 countries.
C&C servers constantly change with DGA methods


BazarBackdoor version 1

BazarBackdoor (also known as BazarLoader or Team9 Backdoor) is an alternate dev of the dreaded TrickBot Trojan.
NOTICE: DGA are changing each month.
Thanks to Johannes Bader for reversing and implementing the DGA


BazarBackdoor version 2

BazarBackdoor Version 2 is another DGA version
NOTICE: DGA are using special characters... it is normal !
Thanks to Johannes Bader for reversing and implementing the DGA


Zombie Necurs

Necurs botnet is an historical network previously used for the distribution of Locky ransomware and Dridex, but today distributes some other malwares
C&C servers are numerous and uses DGA.



Nymaim gained banking capabilities and information stealer
C&C servers infrastructures use fast-flux networks and DGA techniques are used.


Zombie CoreBot

CoreBot is a rather sophisticated banking malware and information stealer
C&C servers are numerous and CoreBot uses DGA.



Chinad activities are commonly downloading/uploading files, dropping other malware into the infected system.
Its C&C servers become unstable detected with DGA methods



Qakbot uses powerful information-stealing features to spy on users’ banking activity and defraud them of large sums of money.
C&C servers constantly change with DGA methods



Zloader is a part of Sphinx banking Trojan.
ZLoader has resurfaced to take advantage of government relief payments amid COVID-19 to use DGA techniques



PiZd is an important botnet. Its implant has over 1000 variants.
Variants use DGA to access to C&C servers



Some mutations of the original Gamover constently appeared dubbed newGOZ..
The new DGA technique is not related to the original GameOver Zeus but bears some resemblance.
DGA are used to keep updated implants through on C&C servers



Pitou is a spambot using anti sandbox features and Domain Generation Algorithm for C&C discovering (thanks to @viql for analysis & code)


Tempedreve part of Ursnif family

Tempedreve arrives on a system as a file dropped by other malware using daily Domain Generation Algorithm for its C&C



TeleRU is the first observed Android APK related DGA.
Thanks to Liang Jinjin for reversing and implementing the DGA



Qadars is a botnet targeting EU victims to execute spy action's of users' banks accounts.
Qadars may also infects an Android mobile device, it can monitor all user activity and hijack text messaging, Facebook users, online sports betting users, and e-commerce.
C&C servers constantly change with DGA methods



Matsnu botnet uses DGA that pulls nouns and verbs from a built-in list of more than 1,300 words to form domains that are 24-character phrases.
DGA method generates each 24 hours new domains



Padcrypt is a ransomware. Each day, new domains are used.
Attachments are applying one of DGA daily list



Proslikefan is a worm script. It sends exfiltration datas to daily new domains.
The newest domains are using DGA techniques.



Locky ransomware has incorporated a domain name generating algorithm to improve the resilience of the command-and-control (C&C) communications.
DGA techniques given how the malware is regularly updated with new functionality incorporating new attack techniques.



Pykspa is a worm that accesses the list of Skype contacts and sends a chat message to each contact.
It extracts personal user information from the machine and communicates with remote servers by using a Domain Generation Algorithms (DGA).



Ranbyus bypasses payment transaction signing and authentication with smartcard devices.
It also extracts personal user information from banking/payment softwares and sends to remote servers by using a Domain Generation Algorithms (DGA).



Murofet aka.LICAT, has relatioships with the ZeuS.
It uses a Domain Generation Algorithm (DGA) to determine the current C2 domain names. Thanks to Johannes Bader for DGA reversing



Sisron is a financial fraud and identity theft botnet. Infrastructures has been sinkholed, but on some victim's activities continue to work.
Domain Generation Algorithms (DGA) are simple but should be good to continue to survey. Thanks to Johannes Bader for DGA reversing



Symmi is a botnet that has some functionalities to open a back door on the compromised computer. It lets to download malicious files.
Domain Generation Algorithms (DGA) lets Symmi to send and receive informations and malwares.


MyDoom Botnet

MyDoom has several methods of impacts, but main attacks are DDOS
MyDoom uses DGA for its P2P communications but also some Command and Control Server



Version A, B, C stay alive!
Most of hosts are sinkholed, but the infection stays


Open Source Real Time Malware Information Version 1.0
Sharing Is Caring !
Copyleft 2020 - No rights reserved
Keywords Bot Invaders , Botnet Tracker, Malware, Domain Name, IOC, Domain generation algorithms, DGA