{
  "family": "necurs",
  "sample_count": 2,
  "category": "spam_bot",
  "description": "Necurs was one of the largest spam-distribution botnets ever observed, at peak controlling around 9 million infected machines and serving as the primary delivery vector for Locky ransomware, Dridex banking trojan, and Trickbot. Microsoft and partners disrupted Necurs in March 2020 through coordinated legal action seizing control of its domain-generation algorithm. The takedown significantly reduced global malspam volume.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Necurs?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Necurs was one of the largest spam-distribution botnets ever observed, at peak controlling around 9 million infected machines and serving as the primary delivery vector for Locky ransomware, Dridex banking trojan, and Trickbot. Microsoft and partners disrupted Necurs in March 2020 through coordinated legal action seizing control of its domain-generation algorithm. The takedown significantly reduced global malspam volume."
      }
    },
    {
      "@type": "Question",
      "name": "How does Necurs spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Necurs operated as one of the largest spam botnets in history, spreading through phishing, exploit kits, and pay-per-install affiliate models before a coordinated takedown led by Microsoft and partners in March 2020."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Necurs infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Outbound spam traffic in large volumes, distribution of Locky or Dridex secondary payloads, peer-to-peer botnet traffic, and AV detections for Necurs indicate participation in the botnet."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Necurs on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1071.001",
    "T1059.001"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}