Upatre update: infection chain and affected countries

Upatre is a family of malware that is typically installed on a machine after a person is tricked into clicking a link in, or opening an attachment from, a spam email. Since January 2015, we have seen this spam commonly distributed by variants of the Hedsen and Cutwail malware families.

Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families. For example:

  1. The malware reaches out to a command-and-control (C&C) server.
  2. It obtains instructions on what to install and how to spread to other machines. For example, it might install Hedsen or Cutwail with the parameters specified by the C&C server, or it might download information-stealing malware from the Dyzap, Kegotip and Gophe families. It might also install Evotob, tampering malware that attempts to disable certain processes on the user's machine.
  3. Kegotip and Gophe mine information from the user's machine.
  4. The stolen information is then sent back to the C&C server.


The infection chain

Essentially, a system is infected with Upatre through spam sent by either the Hedsen or Cutwail threat family. Upatre then installs Hedsen or Cutwail to spread to other machines (the cyclical, symbiotic relationship we often see between spammers and information stealers), and attempts to steal information about the user and their machine with the Dyzap, Kegotip and Gophe families. It also tries to prevent detection by using Evotob.


Figure 1: Upatre infection chain since January 2015


Where is Upatre most prevalent?

The following chart shows the percentage of Upatre infections in the most affected countries.


Figure 2: A breakdown of the countries most affected by Upatre infections since January 2015


Detection rates for these countries are as follows:


Figure 3: The data shows the United States having the most Upatre infections since January 2015


Figure 4: A breakdown by top countries reporting malware in the Upatre infection chain since January 2015 

How can you help protect your enterprise from Upatre?

Upatre sneaks into enterprise infrastructure by employing age-old social engineering tricks: it entices people to click malicious links in, or open attachments from, spam emails.
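Because Upatre's entry point is a lure attachment rather than an exploit, the cheapest place to break the chain is at the mail gateway, before a person ever gets the chance to double-click. The following is an added example, not code from the original post or from Microsoft: a small Python screener that flags an attachment when its extension is executable, when it hides an executable behind a document-looking double extension (invoice.pdf.exe), or when its bytes are a Windows PE image whatever the name says, and that looks a bounded number of levels into zip archives, the usual wrapper for these lures. The extension lists, the archive limits and the sample attachments are assumptions constructed for the example.

```python
import io
import struct
import zipfile

# Extensions Windows will execute on double-click (assumption: a representative
# list, not an exhaustive one).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Extensions commonly used as the visible half of a double-extension lure.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

MAX_ARCHIVE_DEPTH = 2               # nested zips are unwrapped at most this far
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to inflate anything larger (zip bombs)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts like a PE image: 'MZ' plus a 'PE\\0\\0' signature
    at the offset stored in the DOS header's e_lfanew field (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def suspicious_name(filename: str) -> list[str]:
    """Name-based checks: executable extension, optionally disguised as a document."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)   # "invoice.pdf.exe" -> ["invoice", "pdf", "exe"]
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if len(parts) == 3 and "." + parts[1] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension disguised as a document")
    return reasons


def screen_attachment(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return every reason the attachment is suspicious; an empty list means clean."""
    reasons = suspicious_name(filename)
    if looks_like_pe(data):
        # Content check catches renamed binaries that pass the name check.
        reasons.append("content is a PE executable regardless of extension")
    if depth < MAX_ARCHIVE_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    reasons.append(f"{info.filename}: archive member too large to inspect")
                    continue
                inner = zf.read(info.filename)
                for r in screen_attachment(info.filename, inner, depth + 1):
                    reasons.append(f"{info.filename} inside archive: {r}")
    return reasons


def scan_mailbox(attachments: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Map each flagged attachment name to its reasons; clean ones are omitted."""
    return {name: r for name, blob in attachments if (r := screen_attachment(name, blob))}


def fake_pe() -> bytes:
    """Constructed stand-in for a PE file: valid MZ/PE headers, no real code."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew points just past the DOS header
    return bytes(header) + b"PE\0\0" + b"\0" * 16


def sample_attachments() -> list[tuple[str, bytes]]:
    """Constructed sample data, not captured mail: one clean PDF and three lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order_details.scr", fake_pe())
    return [
        ("report.pdf", b"%PDF-1.4 harmless"),
        ("invoice.pdf.exe", fake_pe()),     # double extension and PE content
        ("photo.jpg", fake_pe()),           # innocent name, executable content
        ("shipment.zip", buf.getvalue()),   # executable hidden inside an archive
    ]


if __name__ == "__main__":
    for name, reasons in scan_mailbox(sample_attachments()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The content check matters more than the name check: a gateway that only strips .exe is defeated by a renamed binary, whereas a PE header is hard to hide if the file is to run at all once the user renames it back. The depth and size limits are there because an archive inspector that inflates whatever it is handed is itself a denial-of-service target.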

A combination of the following will help protect against Upatre:

  1. Use the following free Microsoft software to detect and remove this threat:



Patrick Estavillo


Comments (3)

  1. florin says:

    very useful information

  2. PatRick says:

    Over 5 million people have seen an email with broken English, from some random sketchy domain, and with an .exe attached, and decided to open it. I think I'll go cry now.

  3. Mickael says:

    Yes Patrick. Among the 5 million people, some have received a different mail with that fu**** malware several times.
    Of 10 mails received, 1 will be from a known sender, and users will open the document because they think it is an automatic file-sharing notification mail (often in English).
    And as our national language is not English, users do not recognize a good English mail (sent from a real file-sharing platform) from a bad English one (sent by an automatic bot)

    and those mother f***** hackers make us work a lot.
