Meet Kraken: A New Golang Botnet in Development

Kraken is a Windows botnet under active development, written in Go and spread by SmokeLoader, that can download payloads, run shell commands, steal cryptocurrency wallets, and take screenshots. Its binaries are UPX-packed and Themida-protected, it persists through a Run key, and operators control it from a web dashboard that has moved from the Kraken Panel to the Anubis Panel. #Kraken #SmokeLoader #RedLineStealer #Themida #UPX #AnubisPanel #ZeroFox

Keypoints

  • Kraken emerged in Oct 2021 as a Windows botnet under active development, tracked by ZeroFox Intelligence.
  • The botnet can maintain persistence, collect host information, download/execute files, run shell commands, steal crypto wallets, and take screenshots.
  • Initial infections used self-extracting RAR (SFX) archives delivered by SmokeLoader; current infections are downloaded by SmokeLoader directly.
  • Installation copies the binary into AppData, registers a hardcoded Run key, and uses misleading file and registry value names (the observed file names are taskhost.exe and Registry.exe) so the entries blend in with legitimate ones.
  • Features evolved from basic payloads to information theft and wallet-stealing modules, with a dashboard-driven C2 system (Kraken Panel → Anubis Panel).
  • Kraken appears to generate modest revenue (around USD 3,000/month) and has demonstrated rapid changes to C2 infrastructure (new ports/IPs).

MITRE Techniques

  • [T1027.002] Obfuscated Files or Information: Software Packing – Kraken binaries are UPX-packed and Themida-protected. “Kraken binaries are still UPX-packed but are now further protected by the Themida packer as well.”
  • [T1033] System Owner/User Discovery – The botnet collects host information for registration. “collect information about the host for registration (varies per version)”
  • [T1047] Windows Management Instrumentation – The article maps WMI as a technique; this summary gives no detail on how Kraken uses it. “Windows Management Instrumentation”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – A PowerShell command excludes Kraken’s installation directory from Microsoft Defender scanning. “The PowerShell command tells Microsoft Defender not to scan Kraken’s installation directory…”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Operators use commands to execute shell actions. “SHELL – run a Windows shell command with cmd”
  • [T1082] System Information Discovery – Kraken collects host details such as hostname, user, CPU/GPU details, OS/version. “Hostname; Username; Build ID…; CPU details; GPU details; Operating system and version”
  • [T1113] Screen Capture – Kraken takes screenshots on infection and on demand. “Upon execution, Kraken immediately takes a screenshot to send to the C2.”
  • [T1132.001] Data Encoding: Standard Encoding – The article maps this technique; this summary gives no detail on the encoding used. “Data Encoding: Standard Encoding”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Uses the Run registry key to start on login. “Windows Run registry key to ensure it starts every time the victim logs in.”
  • [T1571] Non-Standard Port – Kraken has moved its C2 quickly between ports and IP addresses. “using either a new port or a completely new IP.”
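The behaviours mapped above (a Defender exclusion added from PowerShell, a Run key pointing into AppData, a system-binary lookalike running outside the Windows directory, the listed hashes and C2 addresses) can be turned into simple host-telemetry checks. The following is an added example written for this page, not ZeroFox’s code or tooling. The hashes, IPs and file names are the ones from the Indicators of Compromise section below; the event schema (a simplified Sysmon-like record), the install directory, the user name, and the exact form of the PowerShell exclusion (Add-MpPreference -ExclusionPath, the usual way to do what the quoted sentence describes; the article’s command is not reproduced here) are assumptions.

```python
"""Detection pass over constructed host telemetry for the Kraken behaviours
summarised above. Added example, not ZeroFox code; the event schema is a
simplified, Sysmon-like shape invented for this illustration."""
import re
from pathlib import PureWindowsPath

# Values from this page's Indicators of Compromise section.
KRAKEN_SHA256 = {
    "1d772f707ce74473996c377477ad718bba495fe7cd022d5b802aaf32c853f115",
    "d742a33692a77f5caef5ea175957c98b56c2dc255144784ad3bade0a0d50d088",
}
KRAKEN_C2_IPS = {"65.21.105.85", "91.206.14.151"}
KRAKEN_FILENAMES = {"taskhost.exe", "registry.exe"}  # compared case-insensitively

# Assumed form of the Defender bypass: the page only says the PowerShell command
# tells Defender not to scan the install directory, which is what
# Add-MpPreference -ExclusionPath does.
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)


def under_windows_dir(path: str) -> bool:
    """True for paths such as C:\\Windows\\System32\\x.exe (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 1 and parts[1] == "windows"


def rule_known_hash(ev: dict) -> bool:
    """Process image whose SHA-256 is one of the listed Kraken hashes."""
    return ev.get("type") == "process" and ev.get("sha256", "").lower() in KRAKEN_SHA256


def rule_lookalike_binary(ev: dict) -> bool:
    """A Kraken file name running from outside the Windows directory
    (the 'misleading file names' the page describes)."""
    if ev.get("type") != "process":
        return False
    name = PureWindowsPath(ev["image"]).name.lower()
    return name in KRAKEN_FILENAMES and not under_windows_dir(ev["image"])


def rule_defender_exclusion(ev: dict) -> bool:
    """PowerShell adding a Defender exclusion (T1059.001 on this page)."""
    if ev.get("type") != "process":
        return False
    host = PureWindowsPath(ev["image"]).name.lower()
    return host in {"powershell.exe", "pwsh.exe"} and bool(DEFENDER_EXCLUSION.search(ev.get("cmdline", "")))


def rule_runkey_into_appdata(ev: dict) -> bool:
    """Run/RunOnce value whose target lives under a user's AppData (T1547.001)."""
    if ev.get("type") != "registry":
        return False
    return bool(RUN_KEY.search(ev["key"])) and "\\appdata\\" in ev.get("value_data", "").lower()


def rule_known_c2(ev: dict) -> bool:
    """Outbound connection to one of the listed C2 addresses."""
    return ev.get("type") == "network" and ev.get("dst_ip") in KRAKEN_C2_IPS


RULES = {
    "known_hash": rule_known_hash,
    "lookalike_binary": rule_lookalike_binary,
    "defender_exclusion": rule_defender_exclusion,
    "runkey_into_appdata": rule_runkey_into_appdata,
    "known_c2": rule_known_c2,
}


def detect(events):
    """Return (event_index, rule_name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (not real logs). Install dir and user are assumed.
INSTALL_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft"
SAMPLE_EVENTS = [
    # 0: the genuine taskhost.exe from System32, benign
    {"type": "process", "image": r"C:\Windows\System32\taskhost.exe",
     "cmdline": "taskhost.exe", "sha256": "00" * 32},
    # 1: Kraken dropped as taskhost.exe in AppData; hash taken from the IOC list
    {"type": "process", "image": INSTALL_DIR + r"\taskhost.exe", "cmdline": "taskhost.exe",
     "sha256": "1d772f707ce74473996c377477ad718bba495fe7cd022d5b802aaf32c853f115"},
    # 2: Defender exclusion for the install directory
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command "Add-MpPreference -ExclusionPath ' + INSTALL_DIR + '"',
     "sha256": "11" * 32},
    # 3: Run key value pointing into AppData (value name mirrors the Registry.exe name)
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Registry", "value_data": INSTALL_DIR + r"\taskhost.exe"},
    # 4: beacon to a listed C2 address
    {"type": "network", "image": INSTALL_DIR + r"\taskhost.exe", "dst_ip": "65.21.105.85"},
]

if __name__ == "__main__":
    for i, name in detect(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
```

Run stand-alone, the script flags events 1 through 4 and stays quiet on the benign event 0, because the lookalike rule keys on the file name and the location together rather than on the name alone. The hash and IP rules are brittle by design (the page itself notes how quickly the C2 has changed ports and IPs), so the behavioural rules are the ones worth keeping once the listed indicators age out.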

Indicators of Compromise

  • [IP Address] – C2/infection-related endpoints – 65.21.105.85, 91.206.14.151, and 13 more
  • [File Hash] – Kraken/related payloads – 1d772f707ce74473996c377477ad718bba495fe7cd022d5b802aaf32c853f115, d742a33692a77f5caef5ea175957c98b56c2dc255144784ad3bade0a0d50d088
  • [File Name] – Installation/loader filenames observed – taskhost.exe, Registry.exe

Read more: https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/#iocs