BitSight Security Research

Bolek – An evolving botnet targets Poland and Ukraine

Sofia Luis | October 6, 2016

Bolek is a recent malware family related to Kbot/Carberp. We first heard about it from the blog post in May 2016, and since then a few others have published additional information about it (links below).


Bolek is a very interesting piece of malware: it is updated frequently, and its capabilities include self-spreading through USB drives and network shares, access to the TOR network, screen capture, web injects, and asymmetric cryptography to secure its network communications.

Anubisnetworks has recently sinkholed two botnets of this family, one targeting Ukraine and another targeting Poland. The following images show the clearly targeted geographic distribution of the infections.

Bolek botnet targeting Ukraine:


Bolek botnet targeting Poland:


Looking at malware samples from each of the botnets, we found two different versions in use ( and ), both with more recent version numbers than the ones analysed by back in May ( ), showing that this malware is being actively updated. At a quick glance, one relevant difference we noticed is that the config is no longer stored in clear text in the binary and is now obfuscated.

With a debugger it is still possible to obtain the configuration without having to analyse the obfuscation mechanism itself: the sample decodes its config at runtime, so the clear-text copy can be read from memory. The following are the configs for each of these botnets:


As these configs show, the botnets come preconfigured with a large number of C2 domains, so that the bots keep working if some of them are taken down.
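To illustrate why the obfuscated config defeats a static string scan while the debugger approach above still works, here is an added example (not code from the original post and not BitSight's tooling). It scans a byte blob for domain-like strings, the same thing an analyst does over a memory dump once the sample has decoded its config. The config bytes and domain names are constructed placeholders, not indicators from the real botnets, and the single-byte XOR is a hypothetical stand-in for Bolek's obfuscation, which this post does not describe.

```python
import re

# Constructed sample: a Bolek-style config as it would appear in memory after
# the running sample has decoded it. Domains are placeholders, not real IOCs.
DECODED_CONFIG = (
    b"\x00\x00cfg|example-c2-one.invalid|example-c2-two.invalid|"
    b"fallback-c2-three.invalid|fallback-c2-four.invalid\x00\x00"
)

# Hypothetical obfuscation for this example only: single-byte XOR. The real
# scheme is not known from this post; the scan logic does not depend on it.
_TOY_KEY = 0x5A

def obfuscate(data: bytes, key: int = _TOY_KEY) -> bytes:
    """Return data XORed with key (symmetric: applying it twice restores data)."""
    return bytes(b ^ key for b in data)

# Hostname pattern: one or more labels, then an alphabetic TLD.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def extract_domains(blob: bytes) -> list:
    """Return the ordered, de-duplicated domain-like strings found in blob."""
    found = []
    for m in DOMAIN_RE.finditer(blob.lower()):
        domain = m.group(0).decode()
        if domain not in found:
            found.append(domain)
    return found

def config_views() -> dict:
    """Compare what a string scan yields on disk versus in memory."""
    on_disk = obfuscate(DECODED_CONFIG)      # what the binary carries
    in_memory = obfuscate(on_disk)           # what the debugger sees after decoding
    return {
        "on_disk": extract_domains(on_disk),
        "in_memory": extract_domains(in_memory),
    }

if __name__ == "__main__":
    views = config_views()
    print("domains visible in the on-disk binary:", views["on_disk"])
    print("domains visible in decoded memory:    ", views["in_memory"])
```

The on-disk scan returns nothing, which is the situation the newer samples create; the in-memory scan returns the full C2 domain list, which is what you would feed into a blocklist or sinkhole request.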

For further reading on Bolek and its features, please see the following links:

We will keep monitoring this threat as it evolves; stay posted for new updates.

Samples analysed:


