Two variants of the GameOver Zeus (GOZeuS) trojan have been spotted in the wild by security firm Bitdefender.
While one is mostly targeting the US, the other is based primarily in Ukraine and Belarus, based on the number of infected IP addresses contacting the company's sinkholes.
Bitdefender said: "Although there have been multiple domains registered for the botnet targeting US lately, we found none for the botnet targeting Ukraine and Belarus, meaning that no-one is using the bots at this moment.
"However, the botnet could find itself with a new master anytime."
5,000 machines infected by the first strain were found in the US, with around 3,000 infected by the second strain residing in Ukraine or Belarus.
Both versions use a domain generation algorithm (DGA) to create domains active only for a day, making it more difficult for cyber security teams to fight.
At the beginning of June international police took down a GOZeuS botnet run by a gang based between Ukraine and Russia for two weeks, but since then reports have emerged about the return of malware, which also distributes CryptoLocker ransomware.