Security Insights

Zeus C&C (Avalanche)

Zeus C&C (Avalanche)

Recent Zeus C&C activity has been observed from:
At the time of posting, the domain is not present in ZeusTracker.

The domain is currently fluxing (Fast-Flux), notice short TTLs and numerous A records across a number of netblocks (in this case, bots):

Zeus Configuration URLs:

oraha.bin = dfd46f8fdf3084984f57580fbe4f40b9
orahxa.bin = dfd46f8fdf3084984f57580fbe4f40b9
xman.bin = f27cb8327406f999fbd60d39d6ad81ea

Zeus Drop Zones:

Domain Registration Information:
Registrant Contact:
The name server domain ( has been observed providing name services for other past Zeus domains:

Registration for the nameserver domain:

Dancho blogs related to carruawau registration information:

IRS/PhotoArchive Themed Zeus: -

Keeping Money Mule Recruiters on a Short Leash: -

Investigating some of the IPs involved in the fluxing show that they are part of a Zeus botnet.
For example, shows that resolving the domain which at present has had 547 bot IPs observed supporting this domain.

The botnet infrastructure supporting the fast-flux hosting and name resolution for these Zeus and money mule recruiting campaigns is related to the Avalanche botnet which has been discussed on the PhishLabs blog.

Get the latest Zscaler blog updates in your inbox

Subscription confirmed. More of the latest from Zscaler, coming your way soon!

By submitting the form, you are agreeing to our privacy policy.