Browse Botnet C&Cs
Here you can browse the list of botnet Command&Control servers (C&Cs) tracked by Feodo Tracker, associated with Dridex, TrickBot, QakBot (aka QuakBot/Qbot), BazarLoader (aka BazarBackdoor) and Emotet (aka Heodo). When Feodo Tracker was launched in 2010, it was meant to track Feodo botnet C&Cs. However, Feodo evolved further and different pieces of malware related to Feodo appeared:
- Emotet: a successor of Geodo. It first appeared in March 2017 and is also known as Heodo. While it was initially used to commit ebanking fraud, it later turned into a Pay-Per-Install (PPI)-like botnet that propagates itself through compromised email credentials. More information about Emotet is available on Malpedia.
- TrickBot: shares no code base with Emotet. However, TrickBot usually gets dropped by Emotet for lateral movement and to drop additional malware (such as Ryuk ransomware). More information about TrickBot is available on Malpedia.
- Dridex: a successor of the Cridex ebanking Trojan. It first appeared in 2011 and is still very active as of today. There is speculation that the botnet masters behind the ebanking Trojan Dyre moved their operation over to Dridex. More information about Dridex is available on Malpedia.
- QakBot: first appeared in 2007 and is still very active as of today. More information about QakBot is available on Malpedia.
- BazarLoader: first appeared in 2021. BazarLoader (aka BazarBackdoor) is probably a "spin-off" from TrickBot. It is mainly used by the infamous Conti group to deploy ransomware on enterprise networks. Further information about BazarLoader is available on Malpedia.
- BumbleBee: first appeared in 2022. BumbleBee is used to drop Cobalt Strike to conduct lateral movement in corporate networks, eventually leading to encryption with ransomware. Further information about BumbleBee is available on Malpedia.
- Pikabot: first appeared in early 2023. Pikabot is used to drop Cobalt Strike to conduct lateral movement in corporate networks, eventually leading to encryption with ransomware. Further information about Pikabot is available on Malpedia.
Firstseen (UTC) | Host | Malware | Status | Network (ASN) | Country |
---|---|---|---|---|---|