ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Zombie Spider

Names: Zombie Spider (CrowdStrike)
Country: Russia
Motivation: Financial gain
First seen: 2010
Description: (CrowdStrike) The primary threat actor, who was tracked by CrowdStrike as Zombie Spider, rose to prominence in the criminal underground under the moniker Peter Severa. The individual behind this handle is Peter Yuryevich LEVASHOV, who was arrested in Spain when the final version of Kelihos was taken over in April 2017, and who recently pleaded guilty to operating the botnet for criminal purposes.

For several years, pump-and-dump stock scams, dating ruses, credential phishing, money mule recruitment and rogue online pharmacy advertisements were the most common spam themes. In 2017, however, Kelihos was frequently used to spread other malware such as LuminosityLink, Zyklon HTTP, Neutrino, Nymaim, Gozi/ISFB, Panda Zeus, Kronos, and TrickBot. It was also observed spreading ransomware families including Shade, Cerber, and FileCrypt2.

Kelihos has been observed to distribute TrickBot (Wizard Spider, Gold Blackburn) and Zeus Panda (Bamboo Spider, TA544).
Observed: Countries: Worldwide.
Tools used: Kelihos.
Operations performed:
Feb 2017: Kelihos Spreads via USB Drives
<https://www.securityweek.com/kelihos-spreads-usb-drives>
Counter operations:
Mar 2012: On Wednesday, March 21, 2012, security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project initiated efforts to detect and disrupt the operations of a botnet known as Waledac/Kelihos (also known as Hlux).
<https://www.secureworks.com/research/waledac-kelihos-botnet-takeover>
Apr 2017: Justice Department Announces Actions to Dismantle Kelihos Botnet
<https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0>
Information:
<https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/>
<https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/>
<https://en.wikipedia.org/wiki/Kelihos_botnet>

Last change to this card: 15 April 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
