The author of the now-defunct ZeroAccess botnet appears to have reformed and is a legitimate software developer now

The ZeroAccess Developer and His Windows Kernel-Mode Debugger

You might remember ZeroAccess, one of the largest and most advanced P2P botnets that ever existed. It first appeared around 2009 in form of a kernel-mode rootkit focused on click fraud and was later used for bitcoin mining. Later versions appeared without the kernel-mode rootkit. As we found out, the developer of ZeroAccess also created legitimate tools as a freelancer. He also mentioned a self-made Windows kernel-mode debugger in one of his service offerings, but we were unable to find it at that time. I discovered it on Virustotal in 2018, and as of this year, the ZeroAccess developer itself has posted an upgraded version on GitHub. You read correctly: the ZeroAccess developer is still active today, however he most likely does no longer create malware. At least since his last public exposure in 2016, I haven’t come across any new malware samples that use his trademark.