Concealed Botnet is the Key Danger
Security researchers have uncovered a dangerous adware botnet with almost half a million victims, which had managed to stay under the radar.
According to ESET, the Stantinko botnet mainly targets Russia and Ukraine. Its developers spread it by installing malicious browser extensions that perform ad injection and click fraud.
ESET added that the infected machines were also used to deploy a fully featured backdoor, a bot that performs Google searches, and a tool for brute-force attacks on Joomla and WordPress administrator panels, with the aim of reselling the compromised accounts.
The attacks on these administrator accounts rely on brute-forcing with a list of credentials.
The researchers explained that the bot is supplied with the credential lists it uses for password guessing. Once compromised, these accounts can be sold on the black market and then used to redirect the site's visitors to hosts serving malicious content.
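The credential-list brute forcing described above leaves a recognizable trace in web server access logs. The following is an added detection example, not ESET's code and not tooling from the Stantinko operators: it parses Apache/nginx combined-format access lines and flags any source address that POSTs to the default WordPress (/wp-login.php) or Joomla (/administrator/index.php) login endpoint at least a threshold number of times inside a sliding time window. The log lines are constructed for the example, the addresses come from RFC 5737 documentation ranges, and the threshold and window values are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Default admin login endpoints of the two CMSs named in the article.
# Assumption: the sites have not relocated their login pages.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")

# Apache/nginx "combined" log format:
# ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop query string before matching
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status")), "ua": m.group("ua")}


def find_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: max_attempts_in_window} for every source that POSTed to a
    login endpoint at least `threshold` times inside any `window`-long
    sliding interval. Threshold and window are illustrative assumptions."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Slide the window's left edge forward until it fits `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def sample_log():
    """Constructed sample access log (not real traffic)."""
    base = datetime(2017, 7, 20, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {st} 2119 "-" "Mozilla/5.0"'

    def line(ip, offset_s, m, p, st):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, m=m, p=p, st=st)

    lines = []
    # Credential-list bot hammering WordPress: 12 POSTs in under 90 seconds.
    for i in range(12):
        lines.append(line("203.0.113.5", 7 * i, "POST", "/wp-login.php", 200))
    # Legitimate admin: one login form load, one POST, then the dashboard.
    lines.append(line("198.51.100.7", 100, "GET", "/wp-login.php", 200))
    lines.append(line("198.51.100.7", 115, "POST", "/wp-login.php", 302))
    lines.append(line("198.51.100.7", 116, "GET", "/wp-admin/", 200))
    # Low-and-slow bot against Joomla: 10 POSTs spaced 3 minutes apart.
    for i in range(10):
        lines.append(line("192.0.2.9", 180 * i, "POST", "/administrator/index.php", 303))
    lines.append("this line is not in combined format")
    return lines


if __name__ == "__main__":
    for ip, n in find_bruteforce(sample_log()).items():
        print(f"{ip}: {n} login POSTs inside a 5 minute window")
```

The sliding window is the part worth tuning: with the default 5 minute window the Joomla source, which spaces its attempts three minutes apart, is never flagged, while widening the window to an hour catches it. Bots that distribute attempts across many IPs defeat per-source counting altogether, so in production the same counter is usually keyed per target account as well.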
The operators have also developed a plugin that interacts with Facebook and can bypass Facebook’s CAPTCHA by using an online anti-CAPTCHA service.
To gain a foothold on a system, the operators trick users looking for pirated software into downloading executable files, sometimes disguised as torrents. FileTour, Stantinko’s initial installation vector, then installs a large amount of software to distract the user while Stantinko’s first service is installed in the background.
ESET’s researchers said that this operation always involves two components: a loader and an encrypted payload.
Although Stantinko’s developers use techniques typical of APT campaigns, their main goal is to make money.
Moreover, the fully featured backdoor lets the operators keep an eye on every victim machine.