TA551 campaign expands across multiple victims
Campaign
Summary
Hide ▲
Show ▼
The TA551 / Mario Kart operation ran a massive spam-email malware campaign that spread infections worldwide and enabled later access sales to ransomware crews. At peak, it could send 700,000 emails a day and infect about 3,000 computers per day. The scale of the botnet made it a durable delivery channel for follow-on criminal activity.
Related Happenings
FBI seizes NetNut and Popa botnet domains
Law Enforcement
H score34
First: 02.07.2026 22:27
Last: 02.07.2026 22:27
Sources 1
About this happening:
The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...
FBI seizes NetNut and Popa botnet domains
Law EnforcementAbout this happening: The **FBI** seized **hundreds of domains** tied to **NetNut** and the **Popa botnet**, disrupting infrastructure used for **abusive traffic** and **account-takeover activity**. Th...
OYSTERBLUES information-stealer delivery via spear-phishing
Malware Activity
H score27
First: 27.06.2026 20:27
Last: 27.06.2026 20:27
Sources 1
About this happening:
The **OYSTERBLUES** malware activity used **compromised accounts** and **spear-phishing** to reach **government organizations**, increasing the risk of credential theft and follow...
OYSTERBLUES information-stealer delivery via spear-phishing
Malware ActivityAbout this happening: The **OYSTERBLUES** malware activity used **compromised accounts** and **spear-phishing** to reach **government organizations**, increasing the risk of credential theft and follow...
Foreign-run botnets relaying traffic through infected Canadian devices
Malware Activity
H score22
First: 22.06.2026 12:11
Last: 22.06.2026 12:11
Sources 1
About this happening:
The public ruling confirms **two foreign-run botnets** used **infected Canadian devices** as traffic relays, a setup that can conceal probing of **critical infrastructure, governm...
Foreign-run botnets relaying traffic through infected Canadian devices
Malware ActivityAbout this happening: The public ruling confirms **two foreign-run botnets** used **infected Canadian devices** as traffic relays, a setup that can conceal probing of **critical infrastructure, governm...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score69
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Timeline
-
25.03.2026 10:47 2 articles · 3mo ago
TA551/Mario Kart sentencing disclosure
Initial DisclosureRussian national Ilya Angelov was sentenced to two years in prison after admitting he co-managed the Mario Kart/TA551 spam botnet, which prosecutors said ran from 2017 to 2021, sent up to 700,000 phishing emails a day, and helped deliver BitPaymer ransomware against over 70 U.S. companies, generating over $14 million in extortion payments.
Show sources
- Manager of botnet used in ransomware attacks gets 2 years in prison — www.bleepingcomputer.com — 25.03.2026 10:47
- Russian Cybercriminal Gets 2-Year Prison Sentence in US — www.securityweek.com — 25.03.2026 16:30