Kelihos

Category: spam_bot · Aliases: None known · Sample count (EMBER 2018): 47 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Worm:Win32/Kelihos (also known as Hlux) is a massive, highly resilient peer-to-peer (P2P) botnet that emerged around 2010. It is infamous for its aggressive spam campaigns, credential theft, and its ability to rapidly recover from numerous high-profile takedown attempts by law enforcement and security researchers.

Understanding Kelihos (Hlux)
To the end-user, a Kelihos infection might be invisible, or it might result in performance issues as the machine blasts out thousands of spam emails. For threat intelligence analysts, Kelihos is a masterclass in botnet resilience. Unlike traditional botnets that rely on centralized Command and Control (C2) servers (a single point of failure), Kelihos utilizes a decentralized P2P architecture. Every infected machine acts as a node, capable of sharing instructions and updates with other infected machines, making it incredibly difficult to decapitate.

Execution and Evasion Strategies
Kelihos is primarily distributed via massive spam campaigns containing malicious links or attachments. Upon execution, the malware establishes persistence via the Registry Run keys. It communicates over custom UDP and TCP protocols to discover other peers in the botnet. The botnet is highly modular; the controllers can push updates to turn nodes into spam relays (advertising pharmaceuticals or pump-and-dump stocks), proxy servers (`T1090`), or credential harvesters. It actively intercepts network traffic (`T1056.004`) to steal FTP, email, and browser passwords. It also utilizes fast-flux DNS to hide its few centralized routing nodes.

Indicators of Compromise & Impact
The impact is a hijacked endpoint contributing to global cybercrime infrastructure. EDR platforms will flag the malware injecting into system processes (`svchost.exe`) to mask its network activity (`T1055`). Network logs will reveal massive spikes in outbound SMTP (TCP 25) traffic or constant, encrypted UDP communication with a rotating list of seemingly random IP addresses (P2P traffic).

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1090.003Proxy: Multi-hop ProxyCommand and Control
T1055Process InjectionDefense Evasion
T1114.001Email Collection: Local Email CollectionCollection
T1056.004Input Capture: Credential API HookingCollection
T1568.001Dynamic Resolution: Fast Flux DNSCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_KELIHOS {
    meta:
        description = "Detects Kelihos (spam_bot)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "kelihos" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Kelihos Activity
id: 4846a0e2969540f259be0beaa8c18f30
status: experimental
description: Detects generic indicators of the kelihos malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*kelihos*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Quarantine the endpoint immediately to halt its participation in massive outbound spam campaigns or its use as a malicious proxy.
  2. Enforce strict egress firewall rules, particularly focusing on blocking the unauthorized UDP ports utilized by the P2P communication protocol.
  3. Capture a forensic memory image to analyze the active Kelihos payload and identify the IP addresses of the peer nodes it is communicating with.
  4. Assume all locally saved credentials have been harvested; initiate mandatory password resets for the compromised user.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not ignore the infection as a 'minor spam issue'; the botnet controllers have full remote code execution capabilities on the endpoint.
  2. Avoid relying solely on static IP blacklists for defense; Kelihos's P2P architecture and fast-flux DNS render them largely ineffective.

References & External Analysis

Related Families (Category: spam_bot)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/kelihos.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.