Kraken: New Golang Botnet Targets Windows Machines

Kraken: A New Golang Botnet Threatening Windows Systems

Researchers at ZeroFox have issued a warning about a new and growing threat: the Windows-based Kraken botnet, which is currently being used to steal information, including data from cryptocurrency wallets. This malware, which functions as a backdoor, is written in Go and is actively being developed and improved.

Discovery and Distribution

Kraken (not to be confused with the similarly named botnet that flooded inboxes with spam in 2008-2009) was first discovered last fall. Analysis of malware samples revealed that it was created using source code published on GitHub on October 10, though it’s unclear whether the botnet operators or a third-party developer posted it.

The botnet is distributed via the SmokeLoader downloader, and it spreads rapidly. Each time the command-and-control server is moved (IP addresses change frequently due to ongoing code updates), hundreds of new bots appear.

Infection Process and Persistence

During installation, Kraken attempts to embed itself in the %AppData% folder—ideally as a hidden file with an innocuous name like taskhost.exe, Registry.exe, or Windows Defender GEO.exe. It also adds itself to the Microsoft Defender exclusion list, registers as a network service, and creates a registry entry for automatic startup.
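The persistence traits listed above (a hidden executable under %AppData% with one of the reported names, a Microsoft Defender exclusion, and an autostart registry entry) can be hunted for on a single host. The script below is an added example written for this article, not code from ZeroFox or from the malware report; the file names and the %AppData% location come from the text, while the specific Run-key paths and the "any hidden .exe at the top of %AppData%" heuristic are this script's own assumptions.

```powershell
# Added hunting script: checks a Windows host for the persistence traits the article
# attributes to Kraken. Names and %AppData% come from the article; the Run-key
# locations and the hidden-executable heuristic are assumptions made here.
$names    = @('taskhost.exe', 'Registry.exe', 'Windows Defender GEO.exe')
$appData  = $env:APPDATA
$findings = @()

# 1. Executables at the top level of %AppData% that are hidden or carry a reported name.
$exes = Get-ChildItem -Path $appData -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' }
foreach ($f in $exes) {
    $hidden = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
    $known  = $names -contains $f.Name
    if ($hidden -or $known) {
        $findings += [pscustomobject]@{ Check = 'AppData executable'; Item = $f.FullName
                                        Hidden = $hidden; KnownName = $known }
    }
}

# 2. Microsoft Defender path/process exclusions that point into an AppData tree.
try {
    $prefs = Get-MpPreference -ErrorAction Stop
    foreach ($p in (@($prefs.ExclusionPath) + @($prefs.ExclusionProcess))) {
        if ($p -and $p -like '*\AppData\*') {
            $findings += [pscustomobject]@{ Check = 'Defender exclusion'; Item = $p
                                            Hidden = $null; KnownName = $null }
        }
    }
} catch { Write-Warning "Get-MpPreference unavailable: $_" }

# 3. Autostart Run-key values whose command resolves under AppData (assumed key locations).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ("$($prop.Value)" -like '*\AppData\*') {
            $findings += [pscustomobject]@{ Check = "Run key ($key)"
                                            Item = "$($prop.Name) = $($prop.Value)"
                                            Hidden = $null; KnownName = $null }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No Kraken-like persistence traits found.' }
```

A hit on any single check is a lead to triage, not proof of infection; legitimate software also writes Run keys and requests Defender exclusions, so confirm with the sample hashes and C2 indicators from the original report.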

Features and Capabilities

While Kraken’s functionality is fairly standard, it has been frequently updated and modified. The malware authors have made changes to existing components and experimented with new ones. The latest versions of Kraken offer the following capabilities:

  • Collecting information about the infected system
  • Maintaining persistence on the device
  • Executing shell commands
  • Taking screenshots
  • Stealing data from cryptocurrency wallet applications (including Armory, Atomic Wallet, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash)
  • Downloading and running executable files

Some builds also included SSH brute-force functionality, but this feature was quickly removed and not used in attacks.

Command and Control Panel

The Kraken control panel is also under constant development. The current version, called Anubis Panel, allows operators to monitor bot statistics, issue commands to individual bots or groups, change payloads, view task history, and access victim information.

Additional Malware and Monetization

Kraken often deploys additional malware, with a clear preference for RedLine Stealer. Occasionally, other infostealers or cryptocurrency miners are pushed to the infected machines instead. These activities provide a steady income for the botnet operators—ZeroFox estimates earnings of around $3,000 per month. The ultimate purpose of the stolen data remains unclear.
