A platform for silent delivery campaign detection
We detect coordinated malware/PUP delivery.

Learn more about Beewolf


System overview


Star Detection

Collect all the stars within the stream of download events.

Galaxy Graph

Galaxy Graph is a bipartite graph of set of stars. The graph is updated incrementally.

FP tree

Frequent pattern tree algorithm is applied on the Galaxy Graph. We address couple of limitations in the original algorithm i.e., detecting near-bicliques, recovering the missing bicliques.

Lockstep Detection

Traverse the FP tree from the root and collect all the existing locksteps. These locksteps reveal the ongoing silent delivery campaigns.

Check our most recent publication

Check the details


Our most recent pulication.

Catching Worms, Trojan Horses and PUPs: Unsupervised Detection of Silent Delivery Campaigns

The growing commoditization of the underground economy has given rise to malware delivery networks, which charge fees for quickly delivering malware or unwanted software to a large number of hosts. To provide this service, a key method is the orchestration of silent delivery campaigns, which involve a group of downloaders that receive remote commands and that deliver their payloads without any user interaction. These campaigns have not been characterized systematically, unlike other aspects of malware delivery networks. Moreover, silent delivery campaigns can evade detection by relying on inconspicuous downloaders on the client side and on disposable domain names on the server side. We describe Beewolf, a system for detecting silent delivery campaigns from Internet-wide records of download events. The key observation behind our system is that the downloaders involved in these campaigns frequently retrieve payloads in lockstep. Beewolf identifies such locksteps in an unsupervised and deterministic manner. By exploiting novel techniques and empirical observations, Beewolf can operate on streaming data. We utilize Beewolf to study silent delivery campaigns at scale, on a data set of 33.3 million download events. This investigation yields novel findings, e.g. malware distributed through compromised software update channels, a substantial overlap between the delivery ecosystems for malware and unwanted software, and several types of business relationships within these ecosystems. Beewolf achieves over 92% true positives and fewer than 5% false positives. Moreover, Beewolf can detect suspicious downloaders a median of 165 days ahead of existing anti-virus products and payload-hosting domains a median of 196 days ahead of existing blacklists.



Lets get in touch:

Email: bkwon at