Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for.

Type: Loader
Origin: Unknown
First seen: 1 January, 2011
Last seen: 15 May, 2025




What is Glupteba malware?

Glupteba is a dropper: it is commonly used to install other malware samples on infected machines. Although it was initially thought that Glupteba was developed to be part of a malicious campaign codenamed Operation Windigo, researchers now believe that it is independent malware.

Although the Glupteba trojan is classified as a dropper, it has additional dangerous functions. For example, it can steal information from infected systems, and it can download a component that is able to take control of routers and relay traffic through them.

Furthermore, this malware appears to be under active development, and its creators employ dangerous and rarely used techniques to keep it running despite the efforts of various malware removal programs. The likely reason is their presumed move to a pay-per-install distribution scheme, which means they must keep the malware relevant in order to profit from it.

General description of Glupteba dropper

Glupteba malware was first spotted in the wild in 2011, when it was distributed by the TDL-4 bootkit alongside a series of other malware types. The virus went quiet for a long time, thanks to malware removal tools, until it surfaced again three years later. This time Glupteba was seen in Operation Windigo.

In addition, researchers discovered that the command and control domains of the Glupteba dropper were hosted on the same machines that powered parts of the Operation Windigo infrastructure. However, the exact connection between Glupteba and Windigo remains unclear.

Until recently, not much was heard about the Glupteba trojan, before it surfaced again carrying new, dangerous functionality.

Today, apart from the main dropper functionality, Glupteba malware comes with two components: the browser stealer and the router exploiter.

The browser stealer comes in two versions that target Chrome, Opera, and the Yandex browser. The malware is capable of stealing cookies and browser history as well as private login credentials.

Then there is the router exploiter component. It exploits the CVE-2018-14847 vulnerability to take control of routers. This allows attackers to turn compromised routers into SOCKS proxies that relay traffic from compromised machines. Thus, infected routers can become relay points for spam distribution and more.

For instance, there is a theory that some of the relayed traffic is part of an attack on Instagram, though it is impossible to tell for sure because the relayed traffic is encrypted (HTTPS).

Malware analysis of Glupteba

The video generated by the ANY.RUN interactive malware hunting service shows the execution process of Glupteba. You can also analyze other malicious objects like Ave Maria and Smoke Loader.

Figure 1: This graph, generated by the ANY.RUN malware hunting service, shows the processes started by the Glupteba trojan

Figure 2: A customizable text report created by ANY.RUN

Glupteba trojan execution process

After Glupteba makes its way into the system, it starts a CMD.exe process to run CompMgmtLauncher.exe ("Computer Management Snapin Launcher"). The malware uses CompMgmtLauncher.exe to bypass UAC and run itself with administrative privileges. After that, it typically adds itself to autorun in the registry, renames its executable file and copies it to Windows subdirectories. Glupteba also checks the system for anti-malware solutions and adds firewall rules and Windows Defender exclusions. In addition, the malware registers a Scheduled Task to persist in the infected system. Throughout its lifecycle, Glupteba exchanges packets with the C2 server and has the ability to download other malware.

Glupteba C&C communication

Glupteba has a rather unique trick up its sleeve that involves none other than the Bitcoin blockchain. It can use transactions in the Bitcoin network to receive C&C domains. This function is triggered on a schedule or on demand when needed.

This enables the attackers to pass new C&C domains to the malware, allowing it to restore operation by reconnecting to a new domain if something happens to the old one.

Glupteba malware distribution

It should be noted that Glupteba has a very wide distribution range. Since 2017 it has been spotted in 180 countries, though almost one-third of the attacks were concentrated in Ukraine, Russia, and Turkey.

In the past, the malware was distributed using the infrastructure provided by Windigo; currently, however, it uses its own botnet and employs the CsdiMonetize adware. The latter downloads another dropper, which in turn installs the trojan itself.

How to detect Glupteba using ANY.RUN?

Since Glupteba adds records to the registry, analysts can detect it by looking at registry keys. To do so, choose the process by clicking on it in the process tree of the task, then click the "More info" button. In the "Advanced details of process" window, switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a key named "UUID" into HKEY_CURRENT_USER\Software\Microsoft\TestApp, you are dealing with Glupteba, and it's time to get the malware removal program ready.
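As an added example (not ANY.RUN's code), the two behaviours described above, the CMD.exe to CompMgmtLauncher.exe chain from the execution section and the TestApp\UUID registry marker, are written as detection rules and run over constructed sandbox-style events; the event field names, loosely modelled on Sysmon process-create and registry-set records, are an assumption of this example.

```python
import ntpath
import re

# Constructed sandbox-style events (not real telemetry); the field names are an
# assumption of this example, loosely modelled on Sysmon event IDs 1 and 13.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\CompMgmtLauncher.exe"},
    {"type": "registry", "target": r"HKEY_CURRENT_USER\Software\Microsoft\TestApp\UUID"},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\CompMgmtLauncher.exe"},
]

_HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM",
                 "HKEY_USERS": "HKU"}
# Sysmon reports the current user's hive as HKU\<SID>\...; treat that as HKCU\...
_USER_SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+", re.IGNORECASE)

def normalize_key(key: str) -> str:
    """Canonicalise a registry path: short hive name, HKU\\<SID> -> HKCU, lower case."""
    hive, _, rest = key.strip().rstrip("\\").partition("\\")
    hive = _HIVE_ALIASES.get(hive.upper(), hive.upper())
    return _USER_SID_RE.sub("HKCU", f"{hive}\\{rest}").lower()

def is_testapp_uuid(ev: dict) -> bool:
    """The marker described above: 'UUID' written under HKCU\\Software\\Microsoft\\TestApp,
    matched on the full target path however the sandbox reports it (subkey or value)."""
    return (ev.get("type") == "registry"
            and normalize_key(ev["target"]) == r"hkcu\software\microsoft\testapp\uuid")

def is_compmgmt_from_cmd(ev: dict) -> bool:
    """cmd.exe spawning CompMgmtLauncher.exe, the UAC-bypass chain described above."""
    return (ev.get("type") == "process"
            and ntpath.basename(ev["parent"]).lower() == "cmd.exe"
            and ntpath.basename(ev["image"]).lower() == "compmgmtlauncher.exe")

RULES = [("glupteba_cmd_compmgmtlauncher", is_compmgmt_from_cmd),
         ("glupteba_testapp_uuid", is_testapp_uuid)]

def scan(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]

if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(name, ev)
```

Either hit on its own is only a lead; the registry marker is the one the text treats as conclusive.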

Figure 3: Changes Glupteba made in the registry

Conclusion

Glupteba is proving to be rather dangerous malware that researchers and cybersecurity specialists should not take lightly. Besides its ability to install other malware samples on infected machines, it is capable of stealing information from web browsers. It can also download a component that reroutes traffic by taking control of routers.

We also know that this malware uses unique techniques for C&C communication. And as if that were not enough, evidence suggests that it is in active development, and the attackers seem to be adding more potentially destructive features.

ANY.RUN has prepared a selection of advanced tools that allow analysts to dissect and study a sample of Glupteba in an interactive sandbox environment, which gives the researcher the ability to pause the simulation and make corrections at any time. Hopefully, by studying this threat along with many others, we will be able to mitigate the consequences of future malicious attacks.
