Summary
ngCERT has identified a malware family tagged Necurs, which contains rootkit capabilities and was used to form one of the world's largest criminal botnets. Necurs has both a user-mode and a kernel-mode component, used to gain root-level access to systems and to dynamically load additional modules. It is distributed via exploit kits as well as through other malware such as the Zeus Trojan, and it has been used to deliver the Dridex trojan and Locky malware through spam campaigns. Enforcing a strong password policy with regular password changes, and enabling a personal firewall on workstations, could mitigate the effects of the Necurs malware.
Description & Consequence
NECURS is an email spam botnet responsible for delivering numerous other widespread malware families. It spread through malicious email attachments containing weaponised Microsoft Word or Excel macros, through exploit kits, or through malicious links. Once a system was compromised, NECURS installed its kernel-mode rootkit, enabling it to disable security tools, resist removal, and ensure persistence. The infected endpoint then became part of the NECURS botnet, which could be controlled remotely to send spam, deliver secondary payloads, or participate in DDoS campaigns. Beyond spam distribution, NECURS was used to facilitate pump-and-dump stock scams, cryptocurrency mining, and even targeted ransomware campaigns. Its adaptability and criminal business model made it a cornerstone of the cybercrime ecosystem for nearly a decade.
A successful Necurs infection could lead to:
- Data Theft and Financial Loss.
- Ransomware Deployment.
- System Compromise and Resource Hijacking.
- Spread of Additional Malware.
- Operational Disruption.
- Reputational Damage.
Solution
SOLUTIONS/MITIGATIONS
- Maintain updated antivirus and anti-malware solutions.
- Educate users on phishing and suspicious email attachments.
- Implement network-level protections and monitor for unusual traffic.
- Conduct regular system scans and patch vulnerabilities promptly.
- Isolate and remediate infected systems immediately to prevent spread.
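The advisory names macro-bearing Word and Excel attachments as the primary delivery vector. The following is an added example (not code from the ngCERT advisory) of a mail-gateway style check that flags OOXML attachments carrying a VBA project, including a macro project hidden in a file whose extension (.docx/.xlsx) claims to be macro-free; the sample documents it builds are constructed in memory and are not real Necurs lures.

```python
"""Flag Office (OOXML) attachments that carry a VBA macro project.

An OOXML document is a ZIP container; a VBA project lives in a part named
vbaProject.bin. Legacy binary .doc/.xls files are a different (OLE2) format
and are deliberately out of scope here.
"""
import io
import zipfile

OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}  # extensions that should never carry VBA


def find_vba_parts(data: bytes) -> list:
    """Return the names of VBA project parts found inside an OOXML container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []  # not a ZIP container, so not OOXML


def assess_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'not-ooxml', 'clean', 'macro' or 'disguised-macro'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in OOXML_EXTENSIONS:
        return "not-ooxml"
    if not find_vba_parts(data):
        return "clean"
    # A VBA project inside a supposedly macro-free extension is a stronger signal
    # than a plainly macro-enabled .docm/.xlsm, which a policy may simply quarantine.
    return "disguised-macro" if ext in MACRO_FREE_EXTENSIONS else "macro"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("invoice.docx", False), ("invoice.docm", True), ("invoice.docx", True)):
        print(name, "->", assess_attachment(name, build_sample(macro)))
```

In a real gateway the classification would feed a quarantine or user-warning action; the verdict strings are assumptions chosen for this example.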
Reference
Revision