This summer we wrote about the Ramnit malware and its underlying “Black” botnet campaign, which was used for distributing proxy malware. Much to our surprise, the C&C servers of the “Black” botnet were shut down shortly after our publication. However, in less than a month a new Ramnit campaign emerged in the wild, this time distributing malware used mainly for stealing sensitive data via web-injects. Additionally, we now see the Ramnit actors cooperating with other cyber criminals, using their services to extend the malware’s capabilities on the one hand and providing them with distribution capabilities on the other.