Worm:Win32/Kelihos (also known as Hlux) is a massive, highly resilient peer-to-peer (P2P) botnet that emerged around 2010. It is infamous for its aggressive spam campaigns, credential theft, and its ability to rapidly recover from numerous high-profile takedown attempts by law enforcement and security researchers.
Understanding Kelihos (Hlux)
To the end-user, a Kelihos infection might be invisible, or it might result in performance issues as the machine blasts out thousands of spam emails. For threat intelligence analysts, Kelihos is a masterclass in botnet resilience. Unlike traditional botnets that rely on centralized Command and Control (C2) servers (a single point of failure), Kelihos utilizes a decentralized P2P architecture. Every infected machine acts as a node, capable of sharing instructions and updates with other infected machines, making it incredibly difficult to decapitate.
Execution and Evasion Strategies
Kelihos is primarily distributed via massive spam campaigns containing malicious links or attachments. Upon execution, the malware establishes persistence via the Registry Run keys. It communicates over custom UDP and TCP protocols to discover other peers in the botnet. The botnet is highly modular; the controllers can push updates to turn nodes into spam relays (advertising pharmaceuticals or pump-and-dump stocks), proxy servers (`T1090`), or credential harvesters. It actively intercepts network traffic (`T1056.004`) to steal FTP, email, and browser passwords. It also utilizes fast-flux DNS to hide its few centralized routing nodes.
Indicators of Compromise & Impact
The impact is a hijacked endpoint contributing to global cybercrime infrastructure. EDR platforms will flag the malware injecting into system processes (`svchost.exe`) to mask its network activity (`T1055`). Network logs will reveal massive spikes in outbound SMTP (TCP 25) traffic or constant, encrypted UDP communication with a rotating list of seemingly random IP addresses (P2P traffic).
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_KELIHOS {
meta:
description = "Detects Kelihos (spam_bot)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "kelihos" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Kelihos Activity
id: 4846a0e2969540f259be0beaa8c18f30
status: experimental
description: Detects generic indicators of the kelihos malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*kelihos*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/kelihos.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.