Cutwail
Cutwail is a major spam-focused botnet, also known as Pushdo and Pandex, established around 2007 and primarily affecting Microsoft Windows systems. It was typically installed via the Pushdo Trojan and operated through direct bot-to-command-and-control server communications: controllers assigned spam jobs, and bots reported delivery statistics and errors back to the operators. Multiple sources collected here describe Cutwail as one of the world's largest and most notorious spam botnets; cited estimates include roughly 1.5 to 2 million infected computers in June 2009, a capacity of about 74 billion spam messages per day, and responsibility for 46.5% of global spam volume at that time. Other reporting states that versions of Cutwail accounted for about 22% of daily global spam volume after the Rustock takedown, and that SecureWorks estimated about 175,000 bots in early 2009.
Cutwail was run as a rentable spam service in the underground economy and was marketed under the name "0bulk Psyche Evolution," including on the Russian forum spamdot.biz. Clients received web interfaces in Russian or English for managing campaigns, and the sources state that at least eight different spam groups were using Cutwail by June 2010. The botnet is associated with an operator using the alias "Google," and one source links Cutwail operations and rentals to the SpamIt rogue-pharmacy ecosystem.
Its primary capability was large-scale spam distribution, but the sources also attribute malware delivery to Cutwail. It was used to spread Gameover ZeuS via phishing emails that spoofed trusted brands and used lures such as invoices, order confirmations, and unpaid-bill warnings; the links redirected victims to compromised websites that checked for outdated browser plugins and installed malware. The sources also state that Cutwail distributed Waledac malware, ZeuS and SpyEye variants, Dridex in 2020 via GOLD ESSEX infrastructure, and ransomware-themed campaigns using geographically tailored fake law-enforcement notices. Separate reporting says that poisoned pages from Asprox SQL injection campaigns also pushed Cutwail malware.
Although primarily a spam botnet, Cutwail briefly exhibited DDoS behavior in February 2010, when it reportedly attacked about 300 major websites, including those of the CIA, FBI, Twitter, and PayPal; the cited sources say the attacks caused limited disruption and may have been accidental. The botnet was the target of multiple disruption efforts. In August 2010, researchers from the University of California, Santa Barbara and Ruhr University Bochum reportedly took 20 of its 30 command-and-control servers offline. Other reporting describes major spam-volume declines after infrastructure shutdowns affecting providers such as 3FN, Pricewert, APS Telecom, and APX Telecom, with the newer "Cutwail2" variant particularly affected.
Aliases directly supported by the cited sources, with high confidence, are Cutwail, Pushdo, and Pandex.
Groups observed using it
2 distinct threat actors attributed by public researchers.
For many years, Cutwail has been among the top three most prolific spam botnets... versions of Cutwail are responsible for about 22 percent of the daily spam volumes worldwide. Security researchers have extensively dissected the technical machinery that powers Cutwail (a.k.a. “Pushdo” and “Pandex”)...
"...distribution via spam emails from GOLD ESSEX's Cutwail botnet..."
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
5 techniques
The Cutwail spam engine is known in spam forums by the name 0bulk Psyche Evolution, where it is rented to a community of spam affiliates... the clients are provided with access to a Web interface ... that simplifies the process of creating and managing spam campaigns.
At the peak, during one 24-hour period the XBL detected nearly 300,000 IP addresses that were infected with Festi, out of a total of 1-million that were infected with some sort of spam-sending bot.
The cause for the jump is due largely to the Grum and Rustock botnets, which could be an indication that they are gearing up to share the workloads once belonging to the Waledac botnet.
Initial Access
4 techniques
When infections are successful, the pages then redirect visitors to websites that silently install a malware cocktail that includes the Asprox malware.
Asprox zombies have recently been blessed with a tool that sniffs out potentially vulnerable sites running Microsoft's Active Server Pages and then tries to commandeer them using SQL injections.
Execution
1 technique
Command and Control
3 techniques
Google explains how to use the Cutwail botnet: 1) Access to the interface: http://208.72.173.10:3571/login.cgi 2) Stats and loader: http://208.66.194.231:3081/ldr/vn.cgi
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Spam-focused botnet historically used to distribute malicious software via large-scale spam campaigns.
Spam botnet used as a distribution mechanism for Dridex campaigns (briefly resumed in 2020).
A large spam botnet used to distribute Gameover through junk email campaigns carrying malicious lures and links.