On November 30th, 2016, a worldwide cooperative takedown of the Avalanche botnet took place after more than four years of investigation.  “Avalanche” refers to a worldwide crimeware-as-a-service (CaaS) network infrastructure operated by cyber criminals conducting malicious activity. This includes: DDoS, malware distribution, phishing and money-mule operations causing hundreds of millions of damages in Euros worldwide.

The takedown was an international cooperation between law enforcement, cyber-security researchers and organizations allowed to sinkhole, seize and or/block over 800K domains, including those related to the following malwares:

  • Bolek
  • Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
  • Citadel
  • Corebot
  • Fake Trusteer App
  • GetTiny
  • Gozi2
  • Marcher
  • newGOZ (aka GameOverZeuS)
  • Nymaim/GozNym
  • Pandabanker
  • QakBot (aka Qbot, PinkSlip Bot)
  • Ranbyus
  • Rovnix
  • Smart App
  • Smoke Loader (aka Dofoil)
  • TeslaCrypt
  • Tinba (aka TinyBanker)
  • URLzone (aka Bebloh)
  • Vawtrak (aka Neverquest)
  • VM-ZeuS (aka KINS)
  • Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector,Rannoh,Ransomlock.P)
  • Xswkit

You can read more about the takedown here:

Some cool numbers (from Shadowserver):

  • Jurisdictions:30
  • Arrests: 5
  • Premises searched: 37
  • Servers seized: 39
  • Servers taken offline through abuse reports: 221
  • Countries with victim IP’s: Over 180
  • Domains blocked or delegated to Shadowserver’s sinkholes: Over 800,000 in over 60 Top-Level-Domain‘s (TLD’s)


To monitor if you are infected, we highly encourage anyone responsibility for internet facing networks to sign up for the free feeds provided by Shadowserver.

To protect our customers, ThreatSTOP has added information for the sinkholes into our TS-Critical Targets. If you have those in your policy, communication from these malwares are automatically blocked and logged.

The newly added Avalanche Targets, available both in Standard and Expert mode (“Avalanche IPs” in IP Firewall product and “Avalanche NSs” in RPZ Firewall product), allows you to see which machines are infected using ThreatSTOP reporting. Note: These targets are of low severity (the malware cannot harm you) but you should still clean them from your network.