Tracking BokBot (IcedID) Infrastructure

released on 2021-05-24 @ 11:54:13 PM
BokBot (also known as IcedID) was historically distributed primarily via the Emotet botnet. Since the takedown of Emotet earlier this year, Team Cymru has been tracking BokBot to see how its operators react and seek to exploit the situation for their own gain. Over recent months Team Cymru has posted BokBot IOCs to the @teamcymru_S2 Twitter account as they were identified. In this blog post, Team Cymru shares some of its broader tracking techniques, along with a brief, recent view of the upstream management of BokBot infrastructure. All ‘Tier 1’ BokBot domains and hosting IP addresses identified by Team Cymru over the past six months are available in the Team Cymru public GitHub repo.