Blogs > Security Research

Zeus C&C (Avalanche)

Published on:

Authored by:





Zeus C&C (Avalanche)

Recent Zeus C&C activity has been observed from:
At the time of posting, the domain is not present in ZeusTracker.

The domain is currently fluxing (Fast-Flux), notice short TTLs and numerous A records across a number of netblocks (in this case, bots):

Zeus Configuration URLs:

oraha.bin = dfd46f8fdf3084984f57580fbe4f40b9
orahxa.bin = dfd46f8fdf3084984f57580fbe4f40b9
xman.bin = f27cb8327406f999fbd60d39d6ad81ea

Zeus Drop Zones:

Domain Registration Information:
Registrant Contact:
The name server domain ( has been observed providing name services for other past Zeus domains:

Registration for the nameserver domain:

Dancho blogs related to carruawau registration information:

IRS/PhotoArchive Themed Zeus: -

Keeping Money Mule Recruiters on a Short Leash: -

Investigating some of the IPs involved in the fluxing show that they are part of a Zeus botnet.
For example, shows that resolving the domain which at present has had 547 bot IPs observed supporting this domain.

The botnet infrastructure supporting the fast-flux hosting and name resolution for these Zeus and money mule recruiting campaigns is related to the Avalanche botnet which has been discussed on the PhishLabs blog.

Suggested Blogs