Stantinko

Category: adware_botnet · Aliases: None known · Sample count (EMBER 2018): 168 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Stantinko is a massive, highly stealthy, and enduring botnet that primarily drives illicit revenue through forced adware injection, search hijacking, and background cryptomining, while possessing the capability for severe data theft.

Understanding Stantinko
To the victim, a Stantinko infection might only manifest as slightly sluggish performance or unexpected browser redirects. For threat intelligence analysts, Stantinko is a masterpiece of evasion. Operating for nearly a decade, this massive botnet (historically infecting millions of machines, primarily in Russia and Ukraine) utilizes extreme obfuscation, encrypted payloads hidden in the registry, and legitimate-looking browser extensions to remain entirely undetected by traditional AV.

Execution and Evasion Strategies
Stantinko is distributed via massive software bundling campaigns masquerading as pirated software or torrents. Upon execution, it employs a complex, multi-stage infection chain. It heavily relies on 'fileless' techniques—instead of dropping executables, it hides its malicious VBScript and PowerShell payloads deep within the Windows Registry (e.g., HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree) or inside hidden WMI (Windows Management Instrumentation) repositories. It forces the installation of malicious extensions (like 'Teddy Protection') into Chrome. It communicates with its C2 via heavily encrypted traffic, constantly rotating its domains.

Indicators of Compromise & Impact
The impact is a fully compromised endpoint functioning as a node in a massive botnet. EDR platforms are essential for detecting Stantinko, as they must monitor for 'Suspicious WMI Execution' or 'Anomalous PowerShell Activity' reading from the registry. Threat hunters should investigate unauthorized browser extensions installed via Group Policy and massive spikes in CPU usage (indicating the XMRig cryptomining module).

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1176Browser ExtensionsPersistence
T1546.003Event Triggered Execution: Windows Management Instrumentation Event SubscriptionPersistence
T1059.001Command and Scripting Interpreter: PowerShellExecution
T1112Modify RegistryDefense Evasion
T1496Resource HijackingImpact

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_STANTINKO {
    meta:
        description = "Detects Stantinko (adware_botnet)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "stantinko" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Stantinko Activity
id: 761416e412ffeca1b809214446c0bd73
status: experimental
description: Detects generic indicators of the stantinko malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*stantinko*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the endpoint immediately to sever Stantinko's C2 connection and halt the active cryptomining and ad-fraud operations.
  2. Utilize specialized EDR querying or tools like Autoruns to meticulously inspect WMI subscriptions and hidden scheduled tasks for embedded scripts.
  3. Forcefully remove the malicious browser extensions by deleting the associated Group Policies (<code>HKCU\Software\Policies\Google\Chrome</code>).
  4. Given the extreme persistence and stealth of the registry-based payloads, performing a clean OS rebuild is the most secure remediation strategy.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not rely solely on traditional file-based antivirus scans; Stantinko's core payloads are almost entirely 'fileless' and reside in the registry/WMI.
  2. Avoid ignoring the infection as mere adware; Stantinko operators have full remote code execution capabilities and can deploy ransomware at will.

References & External Analysis

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/stantinko.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.