Virus Type: Spyware, Advanced Persistent Threat

What is Wild Neutron?

Wild Neutron (also known as “Jripbot” and “Morpho”) is a powerful threat actor with a wide range of interests — from big IT enterprises and spyware developers to [online?] terrorist forums and bitcoin-related companies. Kaspersky Lab’s experts believe that it is a significant entity engaged in espionage, possibly for economic reasons. Wild Neutron uses a number of methods, including hacked forums as watering holes, zero-day exploits for propagation and stolen legitimate certificates to sign malware. It appears that it has been active since 2011.

Who are the victims of its attacks?

Kaspersky Lab has been able to identify several victims, in the following countries:

  • France
  • Russia
  • Switzerland
  • Germany
  • Austria
  • Palestine
  • Slovenia
  • Kazakhstan
  • UAE
  • Algeria
  • United States

Targets of Wild Neutron attacks include:

  • Law firms
  • Bitcoin-related companies
  • Investment companies
  • A group of large companies often involved in M&A deals
  • IT companies
  • Healthcare companies
  • Real estate companies
  • Individual users

Am I at risk?

You might be a target for Wild Neutron if the following risk factors are familiar to you:

Risk factors:

  • If you work for/with an industry targeted by the attackers
  • Regularly visit online forums
  • Tend to browse web pages via links in advertisements
  • Use an unpatched Adobe Flash Player

How do I know if I’m infected?

Indicators of compromise for Wild Neutron are available at

Kaspersky Lab products detect the malware used by the Wild Neutron attacker as: Trojan.Win32.WildNeutron.gen, Trojan.Win32.WildNeutron.*, Trojan.Win32.JripBot.*

How can I protect myself?

To protect against Wild Neutron attacks, make sure you follow basic security best practices:

  • Regularly scan your PC with an advanced antimalware solution
  • Update all third party applications, especially Adobe Flash Player
  • Do not visit forums that are known to be hacked