Lethic

Category: spam_bot · Aliases: SpamBot.Lethic, Trojan.Lethic, Win32/Lethic · Sample count (EMBER 2018): 4,879 · Enrichment: curated_sourced · Updated: 2026-07-02T07:47:42Z

Overview

Executive Summary

Lethic is a notorious, massive spambot Trojan that has been active for over a decade. It is designed to covertly hijack Windows systems and enslave them into a global botnet infrastructure. The sole purpose of the Lethic botnet is to generate and transmit staggering volumes of unsolicited spam emails, typically promoting fraudulent pharmaceuticals, "pump-and-dump" stock scams, or distributing other malware via malicious attachments.

Infection Vector and Technical Capabilities

Lethic primarily spreads through drive-by downloads via compromised websites (exploit kits) or as a secondary payload dropped by other widespread downloader Trojans. Its technical architecture is optimized for high-volume email distribution:

Threat Assessment

While Lethic is not typically a data-destroying threat like ransomware, it causes severe operational disruption. A Lethic infection consumes massive amounts of corporate network bandwidth. More critically, it will quickly cause the company's external IP addresses to be blacklisted globally (e.g., by Spamhaus), completely paralyzing the organization's ability to send legitimate email.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1071.001 T1498 T1547.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_LETHIC {
    meta:
        description = "Detects Lethic (spam_bot)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "lethic" ascii wide nocase
        $s2 = "spambot.lethic" ascii wide nocase
        $s3 = "trojan.lethic" ascii wide nocase
        $s4 = "win32/lethic" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Lethic Activity
id: 861f9dbf079dfff7b11c7b36c4b1d86d
status: experimental
description: Detects generic indicators of the lethic malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*lethic*"
            - "*spambot.lethic*"
            - "*trojan.lethic*"
            - "*win32/lethic*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Lethic?

Lethic is a spambot — a spam-sending botnet — that dates back to 2008. According to Malpedia, it is known for distributing low-level pharmaceutical spam from infected computers.

What does Lethic do to an infected computer?

An infected computer becomes part of the Lethic botnet and is used to relay spam email on behalf of the operators. As Malpedia notes, the spam has historically been low-level pharmaceutical advertising, sent without the owner's knowledge.

How long has Lethic been around?

Malpedia documents Lethic as dating back to 2008, making it one of the older spam botnets. It has resurfaced at various points over the years while keeping its core role as a spam relay.

Related Families (Category: spam_bot)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/lethic.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.