
Botnet / Loader

Andromeda

aka Gamarue · Wauchos

A modular botnet and loader sold on underground forums for years, used to distribute dozens of other malware families until its 2017 takedown.

Andromeda (Gamarue/Wauchos) was a modular botnet and pay-per-install loader sold on criminal forums from around 2011. Buyers used it to build their own botnets and to distribute a huge range of other malware — making Andromeda a backbone of the malware distribution economy for years.

Modular and widespread

Plugins added keylogging, SOCKS proxying, form grabbing and more. It spread via malspam, exploit kits, social media and USB drives, and at its peak was associated with millions of infections and with over a thousand distinct malware families it helped deliver.

Takedown

In late 2017, a coordinated Europol/FBI operation dismantled Andromeda's infrastructure and arrested a key suspect. The takedown is profiled on Cyber Breaches; a plugin analysis lives on the Reverse Engineering Hub.

Defense

Disable Autorun, filter malspam, sinkhole known C2, and segment legacy hosts.