Citadel back and stealing info again
Posted by: Timothy Weaver on 09/04/2013 02:14 PM
According to Trend Micro, the aggressive botnet, Citadel, is back and stealing banking credentials from Japanese users. At least 9 IP addresses have been found, mostly located in Europe and the US, functioning as the botnet’s command and control servers.
Trend Micro added the following in a blog post:
During a six-day period, we detected no less than 20,000 unique IP addresses connecting to these servers, with only a very minimal decrease from beginning to end. This means that there is still a large number of infected systems still stealing online banking credentials and sending them to the cybercriminals responsible.
The banks and financial institutions targeted in this campaign have already released warnings and advisories to their customers and loyalists regarding the attack itself. Users are reminded to read these warnings properly before logging into their online banking accounts.
The botnet has been targeting popular webmail services such as Gmail, Hotmail and Yahoo Mail, Trend Micro also said.
If you remember, Microsoft had a campaign back in June that took down some 1,400 botnets associated with the Trojan. However, UK security vendor Sophos claimed at the time that the takedown wasn’t nearly as successful as was initially made out.
Threat researcher James Wyke said in a blog post that only half of the 72 Citadel C&C servers Sophos was tracking appeared on Microsoft’s list. He went on to say: “rebuilding those that were taken down will not take long.”