URLhaus identified and shut down 100,000 malware sites in 10 Months

Pierluigi Paganini January 23, 2019

Security experts participating in the abuse.ch project called URLhaus have identified and shut down roughly 100,000 malware distribution sites

The abuse.ch project called URLhaus was launched in March 2018 to track websites used to spread malware, it involved 265 researchers worldwide.

In a 10-month period, 265 security researchers around the world have identified in average 300 malware sites each day.

“End of March 2018, abuse.ch launched it’s most recent project called URLhaus. The goal of URLhaus is to collect and share URLs that are being used for distributing malware.” read the post published by Abuse.ch.

“The project is a huge success: with the help of the community, URLhaus was able to takedown almost 100,000 malware distribution sites within just 10 months!

The experts currently identify between 4,000 and 5,000 active malware distribution sites daily. The URLhaus is very important especially for hosting providers because helps them to identify and take over websites hosted in their network

In average, a malware distribution site remains active for more than a week (8 days, 10 hours, 24 minutes) that is considered a sufficient time to infect thousands of device every day.

The analysis of the top malware hosting networks revealed that 2 out of three of the malware URL are hosted in the US or China.

One of the most disconcerting data emerged from the project is related to the takedown time of malware sites hosted in China, Chinese malware hosting networks are very slow in taking action against the abuses, they have an average abuse reaction time of more than a month.
A large number of malware distribution websites tracked by URLhaus are related to Emotet (aka Heodo) that is propagated through spam, followed by the ones related to the Gozi malware and GandCrab ransomware.

“The weight that Emotet has in the current threat landspace also becomes more clear when having a look at the identified malware families associated with the payloads URLhaus received from the tracked malware distribution sites.” continues the analysis published by Abuse.ch. “Across the 380,000 malware samples (payloads) that URLhaus has collected over the past 10 months, Emotet/Heodo is the top malware as the following chart documents.”

The experts pointed out that for the success of the URLhaus project it is crucial an active participation of the entire community.

“URLhaus wouldn’t be successful without the help of the community. But we are not where we should be yet.” concludes the post published by
abuse.ch.

“There is still a long way to go with regards to response time of abuse desks. An average reaction time of more than a week is just too much and proves a bad internet hygiene.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Malware, Abuse.ch)

[adrotate banner=”5″] [adrotate banner=”13″]

EMOTET Security Affairs

Pierluigi Paganini July 11, 2025

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini July 10, 2025