The shadow of ZeroAccess has returned—but now with a Microsoft digital signature.
The story of one of the most famous cyber threats of the past decade has taken an unexpected turn. The developer behind the ZeroAccess botnet, which once infected millions of devices worldwide, has re-emerged years after being exposed. However, he is now in the spotlight not as a malware author, but as the creator of legitimate tools for system-level debugging and analysis. Furthermore, in 2025, he published his own Windows kernel debugger called YDbg on GitHub—an updated version of a previously unknown utility project named Z-Dbg.
ZeroAccess emerged around 2009 and became one of the most extensive and sophisticated P2P botnets of its time. It was based on a kernel-level rootkit that ensured the stealth and persistence of infected systems. The network was initially used for click fraud and later for Bitcoin mining. The rootkit module was eventually abandoned, but the infrastructure approach remained. As the project evolved, it became clear that its creator possessed deep knowledge of Windows internals and the ability to bypass its security mechanisms. This same individual, it turns out, later transitioned to legitimate work—creating system utilities and debugging tools, offering his services on freelance platforms.
In 2016, members of the kernelmode.info forum attempted to identify the ZeroAccess developer. Their investigation uncovered a number of harmless Windows applications written by the same author, including software for streaming TV, which contained metadata with contacts that led to a real person. He was identified as a 40-year-old resident of Odesa, Ukraine, named Maksym Samuistov, who used the Skype nickname 'maksimsamuistov'. This information was passed to CERT-UA, which confirmed the person's existence. According to the agency, local law enforcement declined to take action against him at the time. After the data was published on the forum and on X, the developer deleted his freelance profiles and disappeared from the internet for a while.
However, a year later, in 2017, new online profiles began appearing under the nicknames 'rbmm' and 'alex short'. These were linked to active GitHub, Stack Overflow, and OSR Online accounts, which the developer still uses today. Furthermore, in 2019, he was offering his services under the name 'Alex S.' on Upwork, listing his location as Lviv. Other profiles later appeared on X, LinkedIn (deleted), YouTube, and a blog. His X profile description mentions involvement in the Protectimus and StartMenuX projects, confirming his shift towards legitimate programming.
The most interesting of the author's modern products is the Windows kernel debugger—a tool that previously existed under the name Z-Dbg and, as of 2025, was updated and published on GitHub as YDbg. From the author's early posts, it's evident he shared prototypes with other developers, which likely explains the appearance of old builds on VirusTotal. Judging by the file structure and functionality, Z-Dbg was designed for low-level diagnostics and kernel symbol work, supporting advanced features for analyzing drivers and system modules. A video demonstrating the tool's capabilities is available on the author's YouTube channel.
The signatures on the executable files are of particular interest. One installer package from 2018 contained components, including a 64-bit library tkn.dll, signed with a self-signed certificate 45cae3b9. Loading it required enabling test mode for driver signatures at Windows startup. In contrast, a 32-bit build from 2015 revealed a different picture: most files were signed by 'max black'—an alias linked to the author's earlier activities—but one library, tkn.dll, was signed with a valid certificate from Vertamedia, LLC.
Vertamedia (now Adtelligent) is a company specializing in ad monetization. This raises an obvious question: how did the ZeroAccess developer gain access to this firm's certificate? Possible explanations range from theft to personal involvement in the company's projects or connections with its employees. Coincidence is unlikely; the intersection between a botnet earning money through click schemes and an ad platform's certificate is too conspicuous.
A comparison of various builds shows the tool's evolution and the transformation of its author's practices. In the latest versions of the YDbg debugger hosted on GitHub, all files are signed with valid certificates from the company dennisbabkin.com, LLC. These include executable modules like DbgNew.exe, MemDump.exe, NtRegView.exe, and SearchEx.exe, compiled between 2021 and 2025. Notably, the core driver tkn.dll is signed by the Microsoft Windows Hardware Compatibility Publisher, confirming its certification under the Microsoft WHCP program. This means the component has been officially tested for Windows compatibility and can be loaded without enabling test mode.
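The signature states contrasted above (self-signed test-mode components versus WHCP-attested and third-party-signed ones) can be audited on any extracted package with the built-in Authenticode cmdlets. The script below is an added example, not code from the article or from the YDbg project; the sample path is a placeholder, and the self-signed check (subject equal to issuer) is a heuristic, not a chain validation.

```powershell
# Added example: audit Authenticode signatures on a directory of debugger and
# driver binaries and classify each file the way the article distinguishes them.
param([string]$Path = 'C:\samples\ydbg')   # placeholder: point at the extracted package

# Subject of the publisher that signs WHCP-attested drivers (named in the article).
$whcpSubject = 'CN=Microsoft Windows Hardware Compatibility Publisher'

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate

    if ($sig.Status -eq 'NotSigned') {
        $class = 'unsigned'
    }
    elseif ($null -ne $cert -and $cert.Subject -eq $cert.Issuer) {
        # Heuristic: a self-signed cert only loads as a driver with test signing on.
        $class = 'self-signed (test mode only)'
    }
    elseif ($null -ne $cert -and $cert.Subject -like "$whcpSubject*") {
        $class = 'WHCP (Microsoft-attested)'
    }
    elseif ($sig.Status -eq 'Valid') {
        # Chain trusted on this machine; says nothing about how the key was obtained.
        $class = 'valid third-party'
    }
    else {
        $class = "problem: $($sig.Status)"   # e.g. HashMismatch, UnknownError
    }

    [pscustomobject]@{
        File       = $_.Name
        Status     = $sig.Status
        Class      = $class
        Subject    = if ($cert) { $cert.Subject } else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        CertFrom   = if ($cert) { $cert.NotBefore.ToString('yyyy-MM-dd') } else { '' }
        Timestamp  = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '' }
    }
} | Sort-Object Class, File | Format-Table -AutoSize
```

A 'Valid' status only means the chain is trusted on the auditing machine; as the Vertamedia case shows, it cannot tell you whether the signer was entitled to the certificate, so pair the output with the signer thumbprints and timestamps when tracing a build's provenance.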
Collectively, this evidence indicates that the former ZeroAccess creator has not only moved away from illegal activities but has also managed to legitimize his developments, earning the trust of digital certificate providers. Unlike the era of rootkits and backdoors, his modern tools comply with security requirements and can be used by specialists in system programming and driver debugging.
It is noteworthy that since the last mention of him in 2016, no malware bearing his characteristic code or structure has been discovered. It is highly probable that he ceased his involvement in underground projects and focused on legitimate software. However, the author himself still avoids publishing personal data and does not reveal his real name. According to available information, U.S. investigators attempted to pursue him in 2018, but the case did not lead to an arrest.
Thus, the fate of the ZeroAccess developer demonstrates a rare example of transformation from the author of one of the most famous botnets of the early 2010s into a creator of certified system tools. His path reflects the evolution of the industry: in an era where offensive security, APT simulation, and bug bounty programs have become legal alternatives to cybercrime, those who once wrote rootkits are now creating debuggers and drivers signed by Microsoft.
