Zyklon is a strong and stable HTTP botnet. It supports Tor (the panel can be hosted as a hidden service) and can handle an unlimited number of tasks. It ships with several credential stealers (the latest recovery modules) and a set of DDoS features.
– Tor Support (the panel can be hosted as a hidden service; nothing is downloaded, Tor is injected into an already running process)
– Anti Bot-Kill
– Process persistence
– Process protection
– Browser password recovery
– FTP password recovery
– Gaming software key recovery
– Email password recovery
– Licence key recovery
– Connection encrypted with RSA paired with AES-256 (Keys generated dynamically)
– Cloud-based malware inspection
– Social engineering tactics to acquire admin rights, available in 9 languages
– Privilege retention after reboot
– Prevention of going into standby mode
– Automatic port forwarding
– Change homepage
– Socks 5 proxy
– Melt file
The connection between client and server is encrypted with RSA (valid key sizes: 512, 1024, 2048 and 4096 bits) paired with AES-256. The AES-256 session key is generated dynamically on the client, encrypted under the panel's RSA public key, and stored in encrypted form in a session variable in the panel. After this initial key exchange the whole communication is encrypted with AES-256. Note for analysts: 512-bit RSA has been factorable by academic teams since 1999 and is feasible today on rented hardware, and 1024-bit RSA no longer meets NIST minimums, so a panel configured with the smaller key sizes leaves the session key recoverable from a traffic capture by anyone willing to factor the modulus.
Socks 5 remote proxy
Zyklon can establish a reverse Socks 5 proxy server on infected hosts, which lets the operator route its own traffic out through the victim's network connection.
Hijack Clipboard Bitcoin Address
Zyklon can monitor the clipboard and replace a Bitcoin address the user has copied with an address served up by the actor's control server, so that a payment the user pastes into a wallet goes to the attacker instead.
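The host-side symptom of this feature is a clipboard that changes from one valid Bitcoin address to a different valid address far faster than a human could copy a second one. The following detector is an added example, not code from the Zyklon listing: it validates legacy (Base58Check, P2PKH/P2SH) addresses and flags a swap when two different valid addresses appear within a short window. The clipboard observations are constructed; a real monitor would poll the OS clipboard and feed (timestamp, text) pairs into `detect_swaps`. The one-second threshold and the omission of bech32 (`bc1...`) addresses are this example's own simplifications.

```python
"""Flag clipboard swaps of Bitcoin addresses (added example, not from the listing)."""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' maps to a leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_legacy_btc_address(s: str) -> bool:
    """True if s is a syntactically valid P2PKH ('1...') or P2SH ('3...') address:
    25 decoded bytes whose last 4 equal the first 4 of SHA256(SHA256(payload))."""
    if not (26 <= len(s) <= 35) or s[0] not in "13":
        return False
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def detect_swaps(observations, max_gap=1.0):
    """Return (t, old, new) for every change from one valid address to a
    different valid address within max_gap seconds. A user re-copying takes
    longer than that; a clipboard hijacker reacting to a change takes milliseconds."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in observations:
        if (prev_text is not None and text != prev_text
                and is_legacy_btc_address(prev_text)
                and is_legacy_btc_address(text)
                and t - prev_t <= max_gap):
            alerts.append((t, prev_text, text))
        prev_t, prev_text = t, text
    return alerts


# Constructed clipboard timeline: (seconds, clipboard text). The addresses are
# well-known public example addresses, not anything tied to this malware.
SAMPLE = [
    (0.0, "meeting notes"),
    (5.2, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # user copies an address
    (5.3, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # replaced 100 ms later: suspicious
    (40.0, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # another address 35 s later: benign
    (41.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfN"),   # truncated string, checksum fails
]

if __name__ == "__main__":
    for t, old, new in detect_swaps(SAMPLE):
        print(f"t={t}: clipboard address {old} silently replaced by {new}")
```

Running the sample reports exactly one swap, the 100 ms replacement at t=5.3. The checksum test matters: a naive regex on `^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$` would also fire on the truncated string at t=41.0.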
Cloud-based malware inspection
Zyklon HTTP botnet enumerates all startup files and uploads them to the VirusTotal online malware scanner, which analyses any samples of malicious software residing on the system. If a file is found to be malicious, Zyklon terminates all processes associated with that file and removes the file along with its registry keys. For perpetrators this ensures that their enslaved client systems keep running without disruption from competing malware. The botnet operator can specify files to exclude from VirusTotal: Zyklon calculates the MD5 hash of each file and skips the listed hashes while scanning. Note for defenders: every startup file the bot uploads becomes visible to VirusTotal and its partners, so an infected host's autostart entries may surface there.
Bot killer
While the cloud-based malware inspection relies on VirusTotal, the bot killer uses its own algorithm to decide whether a file is malicious, a method that tends to produce more false positives. When this feature is enabled, Zyklon HTTP botnet scans all processes and checks the common locations in which malware resides. It attempts to detect injected processes and tries to identify malware by behavioural analysis. If a file is detected as malicious, the bot follows the settings specified for the bot killer feature, terminating the process and deleting all associated files and registry keys. Like the cloud-based malware inspection, this feature keeps an enslaved client machine available to the operator.
Keylogger
The keylogger records all keystrokes and logs them to a database. The logs are sorted by date and can be accessed from almost anywhere in the C&C panel. The control panel also lets the operator specify the window titles for which keystrokes are recorded, instead of bloated logs with all kinds of entries. The keylogger supports most if not all languages and keyboard layouts. The operator can specify the maximum number of characters the client holds in a buffer before they are sent to the panel, or set an interval at which the logs are uploaded to the panel.
Automatic update
Zyklon HTTP botnet features an automatic update function that ensures all enslaved clients are running up-to-date software. When executed, it compares the hash of the update file with the hash of the installed file and, if they differ, downloads and installs the updated file. This comes in very handy when controlling many clients.
Available in two variants: Normal Version and Tor Version.
Browser Password Recovery
Zyklon HTTP can recover passwords from popular web browsers, including:
– Google Chrome
– SRWare Iron Browser
– Comodo Dragon Browser
FTP Password Recovery
Zyklon currently supports FTP password recovery from the following FTP applications:
– FileZilla
Gaming Software Key Recovery
Zyklon can recover PC gaming software keys for the following games:
– Battlefield
– Call of Duty
– Age of Empires
Email Password Recovery
Zyklon may also collect email and messaging passwords from the following applications and credential stores:
– Microsoft Outlook Express
– Microsoft Outlook 2018
– Windows Live Mail 2012
– IncrediMail
– Foxmail (latest)
– Windows Live Messenger
– Pidgin (formerly Gaim) Messenger
– Windows Credential Manager
License Key Recovery
The malware automatically detects and decrypts the license/serial keys of more than 200 popular software products, including Office, SQL Server, Adobe and Nero.
Distributed Denial of Service
HTTP Flood
Seemingly legitimate, session-based sets of HTTP GET or POST requests designed to consume a significant amount of the server's resources; this can produce a denial-of-service condition without necessarily requiring a high rate of network traffic.
TCP Flood
Sends numerous SYN packets to the victim. In many cases the attacker spoofs the source IP, so the SYN+ACK reply goes nowhere and the session/connection tables of the targeted server or firewall fill up. A server must allocate state for each SYN that arrives and store it in tables of limited size, which are easily filled; once that happens the server drops new requests, including legitimate ones.
UDP Flood
The bot sends large UDP packets to a single destination port or to random ports. Because UDP is connectionless and has no handshake, the main intention of a UDP flood is to saturate the target's Internet link. Usually the attacker spoofs the source IP.
SYN Flood
Overwhelms a target machine by sending thousands of connection requests from spoofed IP addresses. The target opens a half-open connection for each request, sends its SYN-ACK to the spoofed address and waits for a final ACK that never arrives. The massive number of half-open connections fills the server's TCB table faster than it can time them out.
Slowloris
By sending HTTP headers in tiny chunks as slowly as possible (each just before the server would time out the request), the bot forces the target server to keep waiting for the headers to complete. If enough connections are held open in this fashion, the server can no longer handle legitimate requests.
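The SYN/TCP flood and Slowloris attacks above leave distinct fingerprints in a server's connection table: a pile of half-open connections to one port, each from a different (spoofed) source, versus a single source holding many long-lived connections whose request headers never complete. The analyzer below is an added example, not code from the Zyklon listing, and works over a constructed snapshot; on Linux the state and peer fields correspond to what `ss -tan` prints, and the header-complete flag would come from the web server's own per-connection state. The thresholds (100 half-open connections, 10 stalled connections older than 30 s) are this example's assumptions.

```python
"""Flag SYN-flood and Slowloris symptoms from a connection-table snapshot
(added example, not from the listing)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    state: str              # "SYN-RECV" or "ESTAB", as `ss -tan` prints them
    src: str                # peer address
    dst_port: int
    age: float              # seconds since the connection entered this state
    headers_complete: bool  # HTTP only: has the full request head been received?


def build_sample():
    """Constructed snapshot: one SYN flood, one Slowloris client, some benign traffic."""
    conns = []
    # SYN flood: 300 half-open connections to 443, every one from a different
    # source in the 198.18.0.0/15 benchmarking range (what spoofing looks like).
    for i in range(300):
        conns.append(Conn("SYN-RECV", f"198.18.{i // 256}.{i % 256}", 443, 0.5, False))
    # Slowloris: one client holding 40 established connections to port 80 for
    # minutes without ever finishing its request headers.
    for i in range(40):
        conns.append(Conn("ESTAB", "192.0.2.77", 80, 90.0 + i, False))
    # Benign: a few short established HTTPS sessions and two ordinary SSH handshakes.
    for i in range(6):
        conns.append(Conn("ESTAB", f"192.0.2.{10 + i}", 443, 2.0, True))
    conns.append(Conn("SYN-RECV", "192.0.2.5", 22, 0.3, False))
    conns.append(Conn("SYN-RECV", "192.0.2.6", 22, 0.2, False))
    return conns


def half_open_by_port(conns):
    """Count half-open (SYN-RECV) connections per destination port."""
    return Counter(c.dst_port for c in conns if c.state == "SYN-RECV")


def syn_flood_report(conns, threshold=100):
    """Ports with more than `threshold` half-open connections, mapped to
    (count, distinct-source ratio). A ratio near 1.0 means every SYN came
    from a different address, the signature of a spoofed-source flood."""
    sources = defaultdict(set)
    for c in conns:
        if c.state == "SYN-RECV":
            sources[c.dst_port].add(c.src)
    return {port: (n, len(sources[port]) / n)
            for port, n in half_open_by_port(conns).items() if n > threshold}


def slowloris_suspects(conns, min_age=30.0, min_conns=10):
    """Sources holding at least `min_conns` established connections older than
    `min_age` seconds whose request headers have still not completed."""
    stalled = Counter(c.src for c in conns
                      if c.state == "ESTAB" and not c.headers_complete and c.age >= min_age)
    return {src: n for src, n in stalled.items() if n >= min_conns}


if __name__ == "__main__":
    snapshot = build_sample()
    for port, (n, ratio) in syn_flood_report(snapshot).items():
        print(f"port {port}: {n} half-open connections, distinct-source ratio {ratio:.2f}")
    for src, n in slowloris_suspects(snapshot).items():
        print(f"{src}: {n} stalled connections with incomplete headers")
```

On the sample this reports port 443 with 300 half-open connections at a distinct-source ratio of 1.00, and 192.0.2.77 holding 40 stalled connections; the two SSH handshakes and the short HTTPS sessions are not flagged. For the Slowloris case the corresponding mitigation is a bound on how long a server waits for a request head (for example Apache's mod_reqtimeout or nginx's client_header_timeout) together with a per-client connection limit, and for SYN floods it is SYN cookies, which let the server answer SYNs without allocating TCB state.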