Lethic is a notorious, massive spambot Trojan that has been active for over a decade. It is designed to covertly hijack Windows systems and enslave them into a global botnet infrastructure. The sole purpose of the Lethic botnet is to generate and transmit staggering volumes of unsolicited spam emails, typically promoting fraudulent pharmaceuticals, "pump-and-dump" stock scams, or distributing other malware via malicious attachments.
Infection Vector and Technical Capabilities
Lethic primarily spreads through drive-by downloads via compromised websites (exploit kits) or as a secondary payload dropped by other widespread downloader Trojans.
Its technical architecture is optimized for high-volume email distribution:
Botnet Command and Control: Upon execution, Lethic connects to a centralized Command and Control (C2) server to download "spam templates" (the content of the email) and a vast list of target email addresses.
Covert SMTP Engine: Lethic does not use the victim's email client (like Outlook). It contains its own built-in, lightweight SMTP engine. It silently connects directly to external mail servers on port 25 or 587 to blast out spam in the background, completely invisible to the end-user.
Persistence and Updates: It establishes persistence (typically via Registry `Run` keys) and regularly beacons back to the C2 server to download fresh spam templates, new target lists, or updated versions of its own binary to evade AV detection.
Threat Assessment
While Lethic is not typically a data-destroying threat like ransomware, it causes severe operational disruption. A Lethic infection consumes massive amounts of corporate network bandwidth. More critically, it will quickly cause the company's external IP addresses to be blacklisted globally (e.g., by Spamhaus), completely paralyzing the organization's ability to send legitimate email.
Incident Response and Remediation
Egress Filtering (Port 25): The most immediate mitigation is to enforce strict egress filtering on the corporate firewall. Block all outbound SMTP traffic (Port 25) originating from workstations. Only designated corporate mail servers should be permitted to send outbound email.
Identify the Infected Host: Review firewall logs to identify the internal IP address generating massive amounts of outbound SMTP connections to random external IPs. Isolate this host immediately.
Malware Eradication: Utilize enterprise EDR or a full anti-malware scan to identify and remove the Lethic executable and its associated persistence mechanisms.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1071.001T1498T1547.001
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
Lethic is a spambot — a spam-sending botnet — that dates back to 2008. According to Malpedia, it is known for distributing low-level pharmaceutical spam from infected computers.
What does Lethic do to an infected computer?
An infected computer becomes part of the Lethic botnet and is used to relay spam email on behalf of the operators. As Malpedia notes, the spam has historically been low-level pharmaceutical advertising, sent without the owner's knowledge.
How long has Lethic been around?
Malpedia documents Lethic as dating back to 2008, making it one of the older spam botnets. It has resurfaced at various points over the years while keeping its core role as a spam relay.
Related Families (Category: spam_bot)
Explore other malware families in the same category: