Sinkhole HTTP Events Report.
Description
This report identifies hosts reported to have attempted to establish a connection with a Hypertext Transfer Protocol (HTTP) sinkhole.
Sinkholing is a technique for manipulating data flow in a network, where the network traffic is redirected from its intended destination to a controlled environment, such as a server which is referred to as a sinkhole.
The technique can be used maliciously, to steer legitimate network traffic away from its intended recipient; proactively, to defend a network from attack by steering illegitimate network traffic away from its intended target; and finally as a research tool that allows cyber security experts to isolate and analyse illegitimate and malicious network traffic.
Illegitimate or malicious network traffic can be identified by various characteristics, such as the source IP address, packet anomalies, and traffic patterns.
A sinkhole is a tool used in network management, research, and threat analysis.
Utilization
Sinkholes are used by law enforcement agencies during the takedown of large-scale enterprises operated by Organised Crime Groups (OCGs) engaged in cyber crime, together with their infrastructure, which may comprise electronic and digitally based technology such as a botnet. Information from these sinkholes is provided to National CSIRTs in order to maximise remediation efforts.
Problem
Shadowserver Foundation - Sinkhole HTTP Events Report - List of Malware Infections.
Note: The Shadowserver Foundation has included, in the 'Infection' column of their report, a list of malware infections associated with the various hosts identified in the report.
1. List of Malware Infections contained in the Report.
| Name | Type of Infection | Link |
|---|---|---|
| adload | Potentially Unwanted Application/Adware. | malpedia - adload |
| CryptoLocker | Encryption of Files. | malpedia - CryptoLocker |
| likely-rat-adwind | Remote Administration Tool (RAT). | malpedia - AdWind |
| Dltminer | PowerShell Downloader. | ESET - DLTMiner |
| Expiro | Infiltrates executable files. | malpedia - Expiro |
| likely-rat-firebird | Remote Administration Tool (RAT). | malpedia - FireBird RAT |
| FluBot | Banking Malware. | malpedia - FluBot |
| Kovter | Police Ransomware. | malpedia - Kovter |
| MooBot | Mirai variant botnet. | malpedia - MooBot |
| m0yv | File Infector. | malpedia - m0yv |
| Necurs | Spam botnet. | malpedia - Necurs |
| likely-rat-netwire | Remote Administration Tool (RAT). | malpedia - NetWire RC |
| likely-rat-orcus | Remote Administration Tool (RAT). | malpedia - Orcus RAT |
| Phorpiex | worm. | malpedia - Phorpiex |
| Prometei | Exfiltration of data. | malpedia - Prometei |
| Pykspa | Exfiltration of data. | malpedia - Pykspa |
| QSnatch | Exfiltration of data. | malpedia - QSnatch |
| Sality | Rootkit/Backdoor. | malpedia - Sality |
| Shiz | TrojWare/Backdoor. | Kaspersky - Shiz |
| Smokeloader | Generic Backdoor. | malpedia - Smokeloader |
| Stantinko | Trojan Backdoor. | malpedia - Stantinko |
| Sunburst | Remote Administration Tool (RAT). | malpedia - Sunburst |
| TrickBot | Financial Trojan. | malpedia - TrickBot |
| Vipersoftx | Information Stealing. | malpedia - Vipersoftx |
| Nymaim | Trojan Downloader. | malpedia - Nymaim |
| Ranbyus | Banking Trojan. | malpedia - Ranbyus |
| Tinba (aka TinyBanker/Zusy) | Information Stealing. | malpedia - Tinba |
2. List of Botnet Infections contained in the Report.
Botnet infrastructure comprises a network of devices, known as 'bots', which are infected with a type of malware that provides malicious actors with unauthorised remote access. A functioning botnet can be used for a variety of purposes, including malware delivery, distributed denial of service (DDoS) attacks, or routing nefarious Internet traffic.
| Name | Description |
|---|---|
| Avalanche Botnet | The Avalanche Botnet was successfully taken down on the 30th Nov 2016 by the Verden public prosecutor's office, with the Lüneburg Central Criminal Inspectorate (ZKI) in Germany, together with Law Enforcement Agencies in thirty (30) countries. Thirty nine (39) servers were seized, together with more than 800,000 domains, which were sinkholed or blocked. It was one of the largest known botnet infrastructures in the world, being comprised of twenty (20) botnets, which used its infrastructure to disseminate spam and phishing e-mails, as well as malicious software such as ransomware (extortion trojans) and banking trojans. The botnet was primarily made up of Windows systems and Android smartphones. However, it has not been possible to rule out the possibility of infections also affecting smartphones that run on Apple iOS or Microsoft Windows Phone, or operating systems such as Apple's OS X or Linux. Internet of Things (IoT) devices such as webcams, printers or television receivers are not known to be part of the relevant botnets. The Avalanche Botnet has been used to distribute more than twenty (20) malware families. |
| android.badbox2 | The BADBOX Botnet was identified in 2023, and primarily consisted of Android operating system devices that were compromised with backdoor malware prior to purchase. BADBOX 2.0, in addition to compromising devices prior to purchase, can also infect devices by requiring the download of malicious apps from unofficial marketplaces. The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity. The German government seized and sinkholed the botnet's command-and-control servers in December 2024, and in March 2025, Human Security's Satori researchers disclosed details about the Badbox 2.0 operation. Since then, Shadowserver has sinkholed nearly 3 million Badboxes, rerouting the malicious traffic to its infrastructure instead of the criminal's servers. |
| Andromeda | Andromeda (aka Gamarue) was a widely distributed malware which created a network of infected computers called the Andromeda botnet . According to Microsoft, Andromeda’s main goal was to distribute other malware families. Andromeda was associated with 80 malware families and, it was detected on or blocked an average of over 1 million machines every month. Andromeda was also used in the infamous Avalanche network, which was dismantled in an international cyber operation in 2016. |
| Android.Vo1d2 | The Android.Vo1d botnet is a multi-purpose cybercrime tool that turns compromised devices into proxy servers to facilitate illegal operations. The malware has specific plugins that automate ad interactions and simulate human-like browsing behavior, as well as the Mzmess SDK, which distributes fraud tasks to different bots. Infected devices relay malicious traffic for the cyber criminal actors, hiding the origin of their activity and blending in with residential network traffic. This also helps the threat actors bypass regional restrictions, security filtering, and other protections. Vo1d is an ad fraud tool, faking user interactions by simulating clicks on ads or views on video platforms to generate revenue for fraudulent advertisers. Android.Vo1d2 appears to be an evolved version of Android.Vo1d1. |
| IPIDEA | IPIDEA is a massive residential proxy network that covertly uses millions of everyday devices, like phones and PCs, as proxy nodes, often without users’ knowledge by embedding its software into apps and services. It enables cybercriminals and other threat actors to route malicious traffic through real home internet connections, helping them hide their identity and bypass security systems at scale. As a result, IPIDEA became a key piece of infrastructure used by hundreds of hacking groups worldwide before being disrupted due to its role in widespread cybercrime and abuse. |
| Necurs Botnet | The Necurs botnet was first observed in 2012, and it evolved to become one of the largest reported spam botnets in the world. In June 2017, Necurs was used to distribute the new Scarab ransomware. On the 10 March 2020, the Necurs Botnet was taken down by the Microsoft Corporation after eight years of tracking, planning and coordination with partners in thirty five (35) countries. At its height, the Necurs Botnet could harness more than nine (9) million computers under its control to send spam, distribute ransomware and attack financial institutions. |
| Ngioweb Botnet | The Ngioweb botnet was first observed in 2018 by Check Point Software Research, which revealed that it was spread by a Ramnit Trojan. At that time, Ngioweb targeted computers with Microsoft Windows. The malware was designed to turn an infected computer into a malicious proxy server. A proxy is a program that enables users to change their IP address by routing traffic through someone else’s infrastructure. Humans use proxies for anonymity and privacy purposes, while malicious bot operators use them to avoid being detected and blocked. These networks are often leveraged by criminals who find exploits or steal credentials, providing them with a seamless method to deploy malicious tools without revealing their location or identities. |
| Socks5Systemz Botnet | Socks5Systemz is a proxy botnet designed to turn compromised systems into proxy exit nodes; the PrivateLoader and Amadey loaders are used to download the malware. The name Socks5Systemz comes from the text that the threat actor uses in the backend panel. The malware is designed to turn an infected computer into a malicious proxy server. A proxy is a program that enables users to change their IP address by routing traffic through someone else’s infrastructure. Humans use proxies for anonymity and privacy purposes, while malicious bot operators use them to avoid being detected and blocked. These networks are often leveraged by criminals who find exploits or steal credentials, providing them with a seamless method to deploy malicious tools without revealing their location or identities. |
| 911 S5 | SOCKS5 proxies are commonly used to reroute internet traffic through a third-party server, allowing for anonymity and the ability to bypass geo-restrictions. The 911-socks5-proxy was a large-scale botnet primarily offering proxy services using IP addresses from infected devices. Cyber criminal actors could purchase these proxy services to make their online activities appear as if they originated from infected devices, thus concealing their digital footprints. They used these services to reroute their traffic through infected devices, hiding their true originating IP addresses and locations, and committing various crimes anonymously. The botnet spread by distributing VPN applications with built-in malware targeting Windows systems. These VPN applications were often embedded in pirated games or software, enticing victims to download them. Once downloaded and installed, the VPN and malware would silently install on the victim's device, making it part of the 911 S5 botnet. VPN applications connected to the 911 S5 service included: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. |
| Socks-Escort | SocksEscort was a malicious, long-running residential proxy service, heavily powered by the AVrecon botnet malware, that compromised hundreds of thousands of home and small-office/home-office (SOHO) routers and Hikvision IP cameras worldwide. An international law enforcement operation, announced in March 2026, disrupted this service, which had been used to facilitate large-scale financial fraud. |
Solution
Constituents are requested, on receipt of the Sinkhole HTTP Events Report, to conduct a thorough investigation of the hosts identified to establish and confirm the facts. In the event that the host identified did attempt to establish a connection to the IP address of the sinkhole, this activity should be viewed as malicious and a threat. Appropriate precautions should then be taken to protect the computer and its data.
Removal of Malware Infections from a Computer.
Constituents are advised to take a holistic approach to the removal of malware from computers and devices. This involves a multi-layered strategy that addresses prevention, detection, and response, encompassing both technical and human elements. This approach aims to create a strong defense against malware by integrating various security measures and best practices across an organisation or system.
Guidelines, actions and recommendations for the removal of Malware Infections from a computer.
| No. | Action | Recommendations |
|---|---|---|
| 1. | Disconnect host from network. | It is recommended that the host identified in the report be disconnected from the network immediately, either by disconnecting the network cable or by turning off the Wi-Fi. This will prevent an attacker from accessing the device. |
| 2. | Reboot host in safe mode. | In Safe Mode, only essential system services are started. This will restrict the operation of any malware on the computer. During the Windows startup process, the F8 key is the designated short cut to access the Advanced Boot Options menu, which will allow users to boot into Safe Mode. |
| 3. | Investigate reported host. | It is recommended that the host identified in the report be investigated to establish and confirm the facts: access the computer logs to establish whether the host attempted to establish a connection with the IP address of the sinkhole reported. |
| 4. | Security Event Logs. | For Windows operating systems, investigate the DNS server logs and Windows Defender Firewall logs for DNS requests that resolve to the IP address of the sinkhole reported or to blocked malicious domains. For Linux operating systems, log files stored in /var/log should be investigated for similar activity. |
| 5. | Perform a full anti-virus scan. | It is recommended that a full anti-virus scan of the reported host is performed to ensure the successful removal of any malware, and in particular of any Remote Administration Tool (RAT) malware that may have been inserted by malicious actors. Windows Defender, the built-in security feature in Windows operating systems, is designed to protect against malware and other threats. Windows Defender is pre-installed and automatically enabled on Windows 10 and 11. Microsoft continually updates the security intelligence in Windows Defender Antivirus to cover the latest threats and to constantly tweak detection logic, enhancing its ability to accurately identify threats. |
| 6. | Reset all passwords. | It is recommended that, after completion of the anti-virus scan, all passwords are reset, including passwords for e-mail accounts and in particular accounts relating to financial services. It is recommended that two-factor authentication be enabled for added security. |
| 7. | Reinstall the operating system. | In the event that problems or doubts persist: back up important data using a secure method, ensure the backup does not contain infected files, and reinstall the operating system. |
| 8. | Security against future threats. | Ensure that the operating system and all software, including patches and updates released by the vendor, are updated on a regular basis. Use automatic updates from trusted providers when available. Pirated software should be avoided. Ensure that anti-virus scans are also performed on a regular basis and that the anti-virus application used is kept up to date with the newest virus definitions and security patches to detect and neutralise emerging malware. This is essential for maintaining robust protection against the latest cyber threats. |
| 9. | Monitor Reported Host. | It is recommended that the host identified in the report received is monitored, and continues to be monitored, to ensure the prevention of any future infection or recurrence. |
| 10. | DNS Firewall. | A DNS Firewall is an optimal policy enforcement point for DNS-specific protection from malware and advanced persistent threats (APTs). This is a DNS service that utilises Response Policy Zones (RPZs) with a threat intelligence (malware feed) service to protect against malware and APTs by disrupting the ability of infected devices to communicate with command-and-control (C&C) sites and botnets, preventing data exfiltration. |
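Steps 3 and 4 above come down to correlating the sinkhole IP quoted in the report with the local DNS and firewall logs. The triage helper below is an added example, not part of the advisory or of Shadowserver's tooling; the log line format, sinkhole addresses, blocklist and host addresses are all constructed for the example, so the regular expressions would need adapting to the real resolver and firewall log formats in use.

```python
"""Flag internal hosts that resolved or connected to a reported sinkhole IP.

The log format, sinkhole IPs, blocklist and hosts below are constructed
for this example; adapt the two regular expressions to real log formats.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: sinkhole addresses as they would be quoted in the report.
SINKHOLE_IPS = {"192.0.2.10", "198.51.100.7"}
# Constructed: domains already on the local blocklist (report step 4).
BLOCKED_DOMAINS = {"update-checker.example"}

# Constructed formats: a resolver answer line and a firewall allow/deny line.
DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)")
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def parse_line(line):
    """Return ('dns' | 'fw', fields) for a recognised line, otherwise None."""
    m = DNS_RE.search(line)
    if m:
        return "dns", m.groupdict()
    m = FW_RE.search(line)
    if m:
        return "fw", m.groupdict()
    return None


def find_sinkhole_contacts(lines, sinkhole_ips=SINKHOLE_IPS, blocked=BLOCKED_DOMAINS):
    """Map each internal host to the sorted list of reasons it needs investigation."""
    findings = defaultdict(set)
    targets = {ipaddress.ip_address(ip) for ip in sinkhole_ips}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated or malformed line
        kind, f = parsed
        if kind == "dns":
            qname = f["qname"].rstrip(".").lower()  # normalise trailing dot and case
            if qname in blocked:
                findings[f["client"]].add(f"blocked-domain:{qname}")
            try:
                answer = ipaddress.ip_address(f["answer"])
            except ValueError:
                continue  # NXDOMAIN, CNAME or other non-address answer
            if answer in targets:
                findings[f["client"]].add(f"dns:{qname}->{answer}")
        else:
            try:
                dst = ipaddress.ip_address(f["dst"])
            except ValueError:
                continue
            if dst in targets:  # even a denied connection attempt is a finding
                findings[f["src"]].add(f"fw:{dst}:{f['dport']}:{f['action']}")
    return {host: sorted(reasons) for host, reasons in findings.items()}


# Constructed sample log: one host resolves and connects to a sinkhole, one is
# blocked at the firewall, one queries a blocklisted domain, plus a stray line.
SAMPLE_LOG = [
    "2024-05-01T10:22:13Z dns client=10.0.0.5 query=cdn-sync.example. answer=192.0.2.10",
    "2024-05-01T10:22:14Z dns client=10.0.0.5 query=www.example.org. answer=203.0.113.5",
    "2024-05-01T10:23:01Z dns client=10.0.0.9 query=update-checker.example. answer=NXDOMAIN",
    "2024-05-01T10:23:40Z fw src=10.0.0.5 dst=192.0.2.10 dport=80 action=allow",
    "2024-05-01T10:24:02Z fw src=10.0.0.7 dst=198.51.100.7 dport=443 action=deny",
    "garbage line",
]

if __name__ == "__main__":
    for host, reasons in sorted(find_sinkhole_contacts(SAMPLE_LOG).items()):
        print(host, ", ".join(reasons))
```

Hosts that appear in the output are the ones to take through steps 1, 2 and 5 onwards; a host whose only finding is a denied firewall connection still attempted to reach the sinkhole and should be treated the same way.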
Guidelines, actions and recommendations for the removal of Bot malware from computers or IoT devices.
Constituents are encouraged to update and secure their devices – particularly older devices – from being compromised and joining a botnet.
| No. | Action | Recommendations |
|---|---|---|
| 1. | Software Updates. | Apply software patches and updates regularly, Use automatic updates from trusted providers when available. |
| 2. | Disable Unused Ports. | Disable unused services and ports, such as automatic configuration, remote access, or file sharing protocols, which may be abused by malicious actors to gain initial access or to spread malware to other networked devices. |
| 3. | Replace Default Password. | Replace default passwords with strong passwords. |
| 4. | Implement Network Segmentation. | To minimize the risks associated with IoT devices in a larger network, implement network segmentation and apply the principle of least privilege. This involves creating isolated network segments or separate zones for IoT devices, sensitive data, and critical infrastructure restricting their access to only the resources necessary for their functions. |
| 5. | Monitor Network Traffic. | Monitor for high network traffic or unusual activity to detect and mitigate DDoS incidents. |
| 6. | Reboot Devices. | Plan for device reboots to remove non-persistent malware. |
| 7. | Replace End-of-Life Devices. | Replace end-of-life equipment with supported devices. |
| 8. | DNS Firewall. | A DNS Firewall is an optimal policy enforcement point for DNS-specific protection from malware and advanced persistent threats (APTs). This is a DNS service that utilises Response Policy Zones (RPZs) with a threat intelligence (malware feed) service to protect against malware and APTs by disrupting the ability of infected devices to communicate with command-and-control (C&C) sites and botnets, preventing data exfiltration. |
Additional Information
Shadowserver Foundation - Sinkhole HTTP Events Report.
Shadowserver Foundation - Sinkhole Events & Sinkhole HTTP Reports.
Stantinko - ESET Research
Vo1d rising: inside the botnet controlling 1.68 M+ Android TVs worldwide
Microsoft - adload.
Malwaretech - The Kelihos Botnet.
Microsoft - I had an RAT on my PC but I'm not sure I got rid of it.