Get your FREE copy of "The Ultimate Guide of SSL"

Download Ebook

KashmirBlack Botnet Attacked Popular CMSs Like WordPress & Joomla

KashmirBlack Botnet Mainly Infects Sites Running on CMSs Such As WordPress

In this digital age, several websites get attacked daily due to data breach, brute force, vulnerabilities, or any other reasons. A variety of attacks occur on different platforms of different types, scope, and volume. And one such is a highly advanced botnet called KashmirBlack that has mainly infected hundreds of thousands of websites by attacking popular CMS (Content Management System) platforms like WordPress, Joomla, and Drupal.

kashmir black botnet attacked

What’s KashmirBlack Botnet?

Botnet means collecting internet-connected devices infected by malware that lets hackers control them. And one such popular botnet is KashmirBlack that mostly targets popular CMS platforms such as WordPress, with the help of numerous vulnerabilities on the victim’s server while performing millions of attacks on a daily basis in more than 30 countries around the globe.

Further, the main reason behind infecting KashmirBlack botnet sites is to use their servers for cryptocurrency mining and redirect legit site traffic towards spam pages.

According to the Imperva researchers, this botnet had started small. Still, after a few months of continuous growth, it turned into a sophisticated behemoth that’s capable of attacking several sites within a single day. Further, some big changes also occurred this May 2020, and KashmirBlack botnet increased its infrastructure into command-and-control (C&C) while exploiting its arsenal.

But before getting into it, let’s first get a proper understanding of Kashmir Botnet.

High-Level Description of KashmirBlack Botnet

KashmirBlack is managed by one of the servers called C&C (Command and Control) and uses more than 60 surrogate servers as part of the infrastructure. It handles several bots. Each of them communicates with the C&C that receives new targets and performs different attacks like brute force attacks, installing backdoors, and expanding this botnet’s size.

Further, it expands by scanning the internet for websites that use outdated software and exploiting known vulnerabilities capable of infecting sites and its underlying server.

Further Analysis of KashmirBlack Botnet Entities

Let’s find out the details regarding KashmirBlack botnet entities, so you can figure out what makes this botnet infrastructure so different and complex compared to others.

The C&C

Put simply, it’s a centralized machine that sends commands and receives telemetries through machines that are part of a botnet. In other words, C&C Server (Command and Control Server) is one of the computers that issue directives for the digital devices that are infected with other types of malware or rootkits like ransomware.

cc login page
Further, this Indonesia based KashmirBlack C&C server has three different roles:

  • Supplies Pearl script that helps to infect victim’s server using malicious botnet script
  • Receives reports and attack results from bots
  • Supply bots that provide instructions to attack

Repository A

It stores the malicious scripts of the botnet that communicates with the C&C.

Repository B

It stores bundles of payloads and exploits.

Spreading Bot

As the name implies, the spreading bot continuously communicates with the C&C and receives instructions to spread the attack further. Lastly, once the attack gets successful, the bot will report it to the C&C regarding the new victim who got converted to a ‘pending bot.’

Pending Bot

It waits till the C&C approaches and then defines the purpose of the botnet.

Here’s When KashmirBlack Botnet Started

According to Imperva research, the KashmirBlack botnet operation started in November 2019, and since then, the botnet has abused 16 different vulnerabilities successfully.

Some of the popular CMSs affected by this KashmirBlack operator to attack are WordPress, PrestaShop, Magneto, Drupal, vBulletin, and osCommerce, Joomla! OpenCart and Yeager. Further, this KashmirBlack botnet exploits attacked CMS itself and some other attacked on libraries and inner components.

Later multiple clues found during Imperva research, which ensures that the KashmirBlack botnet is the work of a hacker called Exect1337, who’s a member of the Indonesian Hecker PhantomGhost.

Evolution Timeline of KashmirBlack Botnet

Here’s below is the evolution timeline of KashmirBlack Botnet according to the above image:

kashmirblack botnet evolution timeline
  • November 6, 2019 – One of the oldest exploits and payload bundle got uploaded to ‘repository B’
  • November 25, 2019 – The oldest indication of the KashmirBlack botnet activity
  • January 31, 2020 – Other payload and exploit bundles got uploaded to ‘repository B’
  • March 31, 2020 – Cryptominer payload got added into ‘repository B’
  • May 1, 2020 – Payload bundle added to ‘repository B’ and defacement exploit got found
  • May 5, 2020 – Attacker started visiting the honeypot
  • May 5, 2020 – Fake report to the C&C founded with the honeypot details
  • May 6, 2020 – Second fake report sent to the C&C with details of honeypot
  • May 8, 2020 – Internal change for the botnet’s reporting address
  • May 9, 2020 – Second-time attackers visited honeypot
  • May 11, 2020 – Payload bundles and exploit got updated
  • May 2020 – The hidden repository of KashmirBlack botnet found on Github
  • May 15 – 17, 2020 – New repositories were created for the future additions to ‘repository B’
  • May 21, 2020 – New repositories were created for the future additions to ‘repository A’
  • May 24, 2020 – Multiple usages of new ‘repository B’ started
  • May 26, 2020 – Malicious script of KashmirBlack got updated to address ‘repository A load balancer.’
  • May 31, 2020 – Research ended

KashmirBlack Used GitHub for Storing Files

The attacker has used GitHub as version control for storing their files. Among them, some were regarding crypto miners and multiple web shells that were used for controlling, uploading, or dumping the entire database of the server that’s attacked.

the attacker repository
The account was activated in July 2017, and it remained active from November 2018, the time this botnet operation started, with activities such as XMRig miner, which was uploaded in March 2020. Though it was found out, and account got deleted in the same month, March 2020.

Purpose of KashmirBlack Botnet

It’s witnessed that KashmirBlack botnet works on five different purposes, and they’re:

However, the major issue is that even after the patches are released, according to data, few have updated this new patch, and many still run that un-patched version that keeps them open to attack. If you’re using this File Manager WordPress plugin, it’s recommended to update it, or else if you’re aren’t, then completely remove this plugin.
  • Spamming
  • Defacement
  • Crypto Mining
  • Pending Bot
  • Spreading


Kashmirblack botnet is a complex and constantly evolving botnets that become successful due to a well-designed infrastructure. Further, the research has shown that it has evolved from a medium level botnet with basic abilities to a massive infrastructure during its entire duration. It consists of different entities, and each of that entity of the botnet has a different infection making it one of the complex botnet that shouldn’t be taken lightly.
Disclosure: AboutSSL appreciates your continuous support. It helps us tremendously to keep moving in the competitive SSL industry. Here most of the links which direct you to buy any SSL/TLS related service or products earns us a certain percentage of referral commission. Learn More