{"id":32153,"date":"2019-12-04T21:05:00","date_gmt":"2019-12-04T21:05:00","guid":{"rendered":"https:\/\/www.darkreading.com\/whats-in-a-botnet-researchers-spy-on-geost-operators\/d\/d-id\/1336521"},"modified":"2019-12-04T21:05:00","modified_gmt":"2019-12-04T21:05:00","slug":"whats-in-a-botnet-researchers-spy-on-geost-operators","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/","title":{"rendered":"What&#8217;s in a Botnet? Researchers Spy on Geost Operators"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<header>\n<\/header>\n<p><span class=\"strong black\">The investigation of a major Android banking botnet yields insights about how cybercriminals structure and run an illicit business.<\/span> <\/p>\n<p class>Researchers who discovered one of the largest Android banking botnets to date also found its attackers&#8217; chat log, which they have been watching for nearly a year to learn the inner workings of this cybercrime operation, how its illicit business is structured, and how members interact.<\/p>\n<p>The botnet, dubbed &#8220;Geost,&#8221; was first detected in 2018. A team of security researchers representing Czech Technical University in Prague, UNCUYO University, and Avast Software noticed one of Geost&#8217;s botmasters logging into a C2 domain while using the insecure proxy network created by HtBot malware. Machines infected with HtBot create an illegal network of proxies later sold to customers; the researchers&#8217; lab had one HtBot instance capturing traffic.<\/p>\n<p>What they found was a massive botnet targeting Russian citizens. Geost has nearly 1 million victims, 15 C2 servers, thousands of domains, and thousands of malicious Android application packages (APKs), which are used to distribute and install applications on the Android OS. 
It has connections to victims&#8217; SMS data and direct links to the systems of five major European banks. Geost also sells and redirects traffic, harvests data, and accesses premium SMS services.<\/p>\n<p>The discovery of Geost was made possible, in part, due to several OpSec failures by the attackers, says Avast Software researcher Anna Shirokova. One of their first mistakes was relying on proxies: &#8220;They assumed by default that it was secure,&#8221; she explains. &#8220;They didn&#8217;t expect researchers like us were going to be watching.&#8221; This slip-up helped the research team uncover not only this banking botnet, but other criminal groups as well, she adds.<\/p>\n<p>Geost&#8217;s operators also failed to use encryption, Shirokova continues, and all of their chat communication was in cleartext and HTTP. This was hugely helpful given the content they shared, which included passwords, usernames, and geographical locations. They also reused the same nicknames across online platforms, making members easy to track.<\/p>\n<p>These may seem like basic mistakes to make, but Sebasti\u00e1n Garc\u00eda, researcher with the Czech Technical University in Prague, points out the attackers may have considered them unnecessary. &#8220;You can imagine that to apply some OpSec protections, you need to be aware you may be compromised and somebody may be watching you,&#8221; he says of the operators.<\/p>\n<p>To the attackers, it may seem unlikely an external party would discover their illicit operations.&nbsp;Who, other than a fellow cybercriminal, would go to the trouble of buying and tracking HtBot malware on the Dark Web? Even if a law enforcement officer or security researcher found them, chances are Geost&#8217;s operators wouldn&#8217;t lose any money. 
&#8220;Even if someone is watching, there is no impact,&#8221; he adds.<\/p>\n<p><strong>Inside a Botnet: How Criminals Operate<br \/><\/strong>During their analysis of the Geost botnet, the research team uncovered a chat log of a cybercriminal group related to the operation. The log exposed 6,200 lines of text between June 2017 and April 2018 and revealed conversations among 20 people, about 10 of whom were involved with Geost and the rest of whom were connected to other operations. Conversations were in Russian, which Garc\u00eda notes is &#8220;very unusual&#8221; considering the victims are also Russian.<\/p>\n<p>It&#8217;s important to note this chat log was not a public forum but a more private chat among members of the criminal group where they felt more secure in their communications, Garc\u00eda points out. The team is still conducting research and did not disclose how they found it online, though they did say it&#8217;s publicly available.<\/p>\n<p>This chat log gave researchers significant insight into how the Geost business operation worked, human relationships between the criminals, their daily tasks, motivational issues, money laundering, decisions made, and challenges faced. Their criminal projects included pay-per-install, phishing website hosting, C2 development, malicious APKs, and fake game development.<\/p>\n<p>&#8220;The ecosystem is super complex,&#8221; Garc\u00eda explains, and there were several similarities between the Geost botnet operation and traditional businesses: Members were worried about where the money was going, how much they were paying employees, and keeping their operation staffed. Hiring people is complicated, and because they don&#8217;t use contracts, workers often leave at will.<\/p>\n<p>Like any business, the Geost botnet employs developers, managers, people who handle illicit funds, and people in charge of buying and selling traffic. 
The owner and controller of the chat log, for example, knows money launderers and creates websites. Another member is tasked with subcontracting others, tracking payments, preparing APKs, and creating websites. These two both set up domains and pay developers to create websites. Most aren&#8217;t highly technical, Shirokova adds. While &#8220;they know some stuff,&#8221; they outsource technical tasks to developers.<\/p>\n<p>The interactions among members ranged from polite, formal conversations to casual chats among&nbsp;friends. Some members used slang, which Shirokova says indicates they may be younger. It&#8217;s unclear whether the members know one another outside the operation, as they were often discussing each other&#8217;s geographical locations. Researchers hypothesize the group met while seeking devices and services on an underground forum and formed the operation.<\/p>\n<p>What stood out most to the researchers was how Geost&#8217;s operators treated the botnet not as an attack, but as a business. Most people have the perception that adversaries are fighting us, says Garc\u00eda, but their mindset is completely different. &#8220;They are not fighting,&#8221; he explains. &#8220;For them, it&#8217;s a job.&#8221;<\/p>\n<p>There were only a handful of times they mentioned what they are doing is illegal. The people behind the botnet never said things like &#8220;I attacked&#8221; or &#8220;let&#8217;s attack,&#8221; says Shirokova.<\/p>\n<p>&#8220;We are expecting them to say, &#8216;We are infecting&#8217; or &#8216;We are getting money,'&#8221; Garc\u00eda adds. 
Whether it&#8217;s because they&#8217;re young or because this activity is not illegal in many countries, Geost&#8217;s operators appeared more concerned with how their money was flowing than whether they&#8217;d face any consequences.<\/p>\n<p>Researchers broke down the operators&#8217; activity into three categories: those that are definitely illegal (malware development, phone infection, attacking others, potentially avoiding taxes), those that are probably not illegal (creating fake websites, mirroring third-party websites, premium SMS, and traffic redirection), and those that are legal (website creation and backend development).<\/p>\n<p>Garc\u00eda, Shirokova, and their fellow researcher Mar\u00eda Jos\u00e9 Erquiaga, also of the Czech Technical University in Prague, presented their findings today at <a href=\"https:\/\/www.blackhat.com\/eu-19\/briefings\/schedule\/index.html#money-doesnt-stink---cybercriminal-business-insight-of-a-new-android-botnet-17709\" target=\"_blank\" rel=\"noopener noreferrer\">Black Hat Europe<\/a>.<\/p>\n<p> <span class=\"italic\">Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance &amp; Technology, where she covered financial &#8230; <a href=\"https:\/\/www.darkreading.com\/author-bio.asp?author_id=837\">View Full Bio<\/a><\/span> <\/p>\n<p> Read More <a href=\"https:\/\/www.darkreading.com\/whats-in-a-botnet-researchers-spy-on-geost-operators\/d\/d-id\/1336521?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The investigation of a major Android banking botnet yields insights about how cybercriminals structure and run an illicit business. 
Read More <a href=\"https:\/\/www.darkreading.com\/whats-in-a-botnet-researchers-spy-on-geost-operators\/d\/d-id\/1336521?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-32153","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What&#039;s in a Botnet? Researchers Spy on Geost Operators 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What&#039;s in a Botnet? Researchers Spy on Geost Operators 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2019-12-04T21:05:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"What&#8217;s in a Botnet? 
Researchers Spy on Geost Operators\",\"datePublished\":\"2019-12-04T21:05:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/\"},\"wordCount\":1123,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/twimgs.com\\\/nojitter\\\/darkreading\\\/dr-logo.jpg\",\"articleSection\":[\"DarkReading |TI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/\",\"name\":\"What's in a Botnet? Researchers Spy on Geost Operators 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/twimgs.com\\\/nojitter\\\/darkreading\\\/dr-logo.jpg\",\"datePublished\":\"2019-12-04T21:05:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/#primaryimage\",\"url\":\"https:\\\/\\\/twimgs.com\\\/nojitter\\\/darkreading\\\/dr-logo.jpg\",\"contentUrl\":\"https:\\\/\\\/twimgs.com\\\/nojitter\\\/darkreading\\\/dr-logo.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/whats-in-a-botnet-researchers-spy-on-geost-operators\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What&#8217;s in a Botnet? 
Researchers Spy on Geost Operators\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\
"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What's in a Botnet? Researchers Spy on Geost Operators 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/","og_locale":"en_US","og_type":"article","og_title":"What's in a Botnet? Researchers Spy on Geost Operators 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2019-12-04T21:05:00+00:00","og_image":[{"url":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"What&#8217;s in a Botnet? 
Researchers Spy on Geost Operators","datePublished":"2019-12-04T21:05:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/"},"wordCount":1123,"commentCount":0,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/#primaryimage"},"thumbnailUrl":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg","articleSection":["DarkReading |TI"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/","url":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/","name":"What's in a Botnet? Researchers Spy on Geost Operators 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/#primaryimage"},"thumbnailUrl":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg","datePublished":"2019-12-04T21:05:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/#primaryimage","url":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg","contentUrl":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/whats-in-a-botnet-researchers-spy-on-geost-operators\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"What&#8217;s in a Botnet? Researchers Spy on Geost Operators"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/32153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=32153"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/32153\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=32153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=32153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=32153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}