Backdoor:Win32/Kasidet (widely known as Neutrino Bot) is an infamous, multi-functional botnet agent notorious for executing massive DDoS attacks and scraping memory for Point-of-Sale (PoS) credit card data.
Understanding Kasidet
To the victim organization, Kasidet operates silently until it is utilized in a massive DDoS attack or a credit card breach is discovered. For threat intelligence analysts, Kasidet (Neutrino Bot) represents a highly versatile cybercrime commodity. Sold on underground forums for a few hundred dollars, it allows amateur cybercriminals to deploy a highly effective backdoor with built-in keylogging, form-grabbing, and specialized PoS memory scraping modules.
Execution and Evasion Strategies
Kasidet is distributed via malspam campaigns, exploit kits (ironically, often the Neutrino Exploit Kit), and malicious USB drives. Upon execution, it injects its heavily obfuscated payload into explorer.exe or svchost.exe. It establishes persistence via the Registry Run keys. Kasidet's C2 communications are heavily encrypted, frequently utilizing base64 encoding and custom RC4 encryption over HTTP POST requests. The bot checks for virtualization and actively attempts to disable Windows Defender and other installed AV engines.
Indicators of Compromise & Impact
The impact of Kasidet is severe, particularly for retail organizations, as its memory-scraping module actively hunts for Track 1 and Track 2 credit card data in RAM. Incident responders should look for anomalous outbound HTTP POST traffic to known malicious IP addresses. EDR tools will frequently flag Kasidet for 'Suspicious Process Injection' and 'Memory Scraping/Dumping' behavior. Memory forensics is absolutely critical to extract the unencrypted payload and identify the specific C2 panel controlling the bot.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_KASIDET {
meta:
description = "Detects Kasidet (pos_malware)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "kasidet" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Kasidet Activity
id: 1b883ddda8cd4024cf06378152a5d404
status: experimental
description: Detects generic indicators of the kasidet malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*kasidet*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/kasidet.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.