Kasidet

Category: pos_malware · Aliases: None known · Sample count (EMBER 2018): 294 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Backdoor:Win32/Kasidet (widely known as Neutrino Bot) is an infamous, multi-functional botnet agent notorious for executing massive DDoS attacks and scraping memory for Point-of-Sale (PoS) credit card data.

Understanding Kasidet
To the victim organization, Kasidet operates silently until it is utilized in a massive DDoS attack or a credit card breach is discovered. For threat intelligence analysts, Kasidet (Neutrino Bot) represents a highly versatile cybercrime commodity. Sold on underground forums for a few hundred dollars, it allows amateur cybercriminals to deploy a highly effective backdoor with built-in keylogging, form-grabbing, and specialized PoS memory scraping modules.

Execution and Evasion Strategies
Kasidet is distributed via malspam campaigns, exploit kits (ironically, often the Neutrino Exploit Kit), and malicious USB drives. Upon execution, it injects its heavily obfuscated payload into explorer.exe or svchost.exe. It establishes persistence via the Registry Run keys. Kasidet's C2 communications are heavily encrypted, frequently utilizing base64 encoding and custom RC4 encryption over HTTP POST requests. The bot checks for virtualization and actively attempts to disable Windows Defender and other installed AV engines.

Indicators of Compromise & Impact
The impact of Kasidet is severe, particularly for retail organizations, as its memory-scraping module actively hunts for Track 1 and Track 2 credit card data in RAM. Incident responders should look for anomalous outbound HTTP POST traffic to known malicious IP addresses. EDR tools will frequently flag Kasidet for 'Suspicious Process Injection' and 'Memory Scraping/Dumping' behavior. Memory forensics is absolutely critical to extract the unencrypted payload and identify the specific C2 panel controlling the bot.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1005Data from Local SystemCollection
T1498Network Denial of ServiceImpact
T1055Process InjectionDefense Evasion
T1562.001Impair Defenses: Disable or Modify ToolsDefense Evasion
T1056.001Input Capture: KeyloggingCollection

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_KASIDET {
    meta:
        description = "Detects Kasidet (pos_malware)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "kasidet" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Kasidet Activity
id: 1b883ddda8cd4024cf06378152a5d404
status: experimental
description: Detects generic indicators of the kasidet malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*kasidet*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately isolate the endpoint from the network; if it is a PoS terminal, active credit card theft is likely occurring.
  2. Capture a full forensic memory image of the machine to extract the decrypted Kasidet payload, C2 configuration, and any scraped track data.
  3. Force a global password reset for all user accounts and audit the firewall for any unauthorized outbound traffic.
  4. Perform a clean OS rebuild and ensure all Point-of-Sale terminals are heavily segmented from general corporate internet access.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not leave the machine connected to the network during triage; the attacker has live access and will likely destroy evidence.
  2. Avoid rebooting a PoS terminal suspected of Kasidet infection before capturing memory, as the scraped credit card data exists only in RAM.

References & External Analysis

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/kasidet.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.