The Resurgence of IoT Malware: Inside the Mirai-Based "Gayfemboy" Botnet Campaign
Aug. 25, 2025, 8:04 p.m.
Description
FortiGuard Labs has been tracking a stealthy malware strain called "Gayfemboy" that exploits vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco products. The malware, based on Mirai, has evolved in form and behavior, targeting multiple countries and sectors. Gayfemboy employs obfuscation techniques, anti-analysis measures, and multiple functions including Monitor, Watchdog, Attacker, and Killer. It uses public DNS servers to bypass filtering and establishes communication with C2 servers through predefined domains. The malware can execute various commands, launch DDoS attacks, and maintain persistence. This evolution highlights the increasing sophistication of modern malware and the need for proactive defense strategies.
Tags
Date
- Created: Aug. 25, 2025, 12:22 p.m.
- Published: Aug. 25, 2025, 12:22 p.m.
- Modified: Aug. 25, 2025, 8:04 p.m.
Additional Information
- Construction
- Technology
- Media
- Manufacturing
- Switzerland
- France
- Germany
- Mexico
- Israel
- Brazil
- United States of America