Tag: botnet

73 Attack Reports | 0 Vulnerabilities

Attack reports

ShadowV2 Casts a Shadow Over IoT Devices

A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 …
vulnerability
ddos
iot
botnet
mirai
c2
aws
CVE-2024-10914
CVE-2024-10915
CVE-2024-53375
CVE-2023-52163
CVE-2024-3721
shadowv2
CVE-2020-25506
2025-11-27
CVE-2009-2765
CVE-2022-37055
Published: November 27, 2025
Linked vulnerabilities : CVE-2024-10914 (CVSS 8.1), CVE-2024-10915 (CVSS 8.1), CVE-2024-53375 (CVSS 8.0), CVE-2023-52163 (CVSS 5.9), CVE-2024-3721, CVE-2020-25506, CVE-2009-2765, CVE-2022-37055
Downloadable IOCs: 16

Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities

A new threat actor is distributing the RondoDox malware, a variant of Mirai, targeting IoT devices. The actor uses residential IP addresses for distribution and employs over a dozen exploits to target various IoT vulnerabilities. The malware's first stage is a shell script that attempts to disable …
command injection
iot
botnet
mirai
multi-platform
CVE-2024-10914
CVE-2023-1389
CVE-2025-4008
CVE-2024-3721
CVE-2025-34043
rondodox
CVE-2025-9528
CVE-2013-1599
CVE-2022-36553
CVE-2020-10987
2025-11-26
shell script
residential infrastructure
mirai variant
CVE-2020-9054
CVE-2023-23333
CVE-2014-3206
CVE-2023-41011
CVE-2022-40619
Published: November 26, 2025
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2024-10914 (CVSS 8.1), CVE-2022-42475, CVE-2017-9841, CVE-2023-23333, CVE-2019-9082, CVE-2023-1389, CVE-2025-31324 (CVSS 10.0), CVE-2025-4008 (CVSS 9.4), CVE-2024-3721, CVE-2025-34043 (CVSS 10.0), CVE-2025-9528 (CVSS 5.1), CVE-2013-1599, CVE-2022-36553, CVE-2020-10987, CVE-2023-41011, CVE-2022-40619, CVE-2022-24847, CVE-2020-8958, CVE-2014-3206, CVE-2023-1381, CVE-2022-22947, CVE-2020-9054
Downloadable IOCs: 26

The Tsundere botnet uses the Ethereum blockchain to infect its targets

The Tsundere botnet, discovered in mid-2025, is an active threat targeting Windows users. It utilizes the Ethereum blockchain to retrieve C2 addresses and employs Node.js for its operations. The botnet spreads through MSI installers and PowerShell scripts, often disguised as popular games. It uses …
powershell
javascript
node.js
botnet
msi
ethereum
websocket
2025-11-20
123 stealer
aes-256
tsundere bot
koneko
tsundere
Published: November 20, 2025
Downloadable IOCs: 21

ShadowRay 2.0: Active Global Campaign Hijacks Ray AI Infrastructure Into Self-Propagating Botnet

A global hacking campaign dubbed ShadowRay 2.0 has been discovered, exploiting a vulnerability in the Ray AI framework to seize control of computing clusters and create a self-replicating botnet. The attackers use GitLab and GitHub for payload delivery, leveraging AI-generated code to adapt their m…
xmrig
ddos
botnet
cryptojacking
data exfiltration
self-propagation
devops
2025-11-19
CVE-2023-48022
ai infrastructure
sockstress
ray framework
Published: November 19, 2025
Downloadable IOCs: 0

RondoDox v2: Evolution of RondoDox Botnet with 650% More Exploits

The RondoDox botnet has undergone a significant evolution, expanding its capabilities and target range. This new variant, RondoDox v2, demonstrates a 650% increase in exploitation vectors, moving beyond niche DVR targeting to include enterprise applications. Key features include over 75 exploitatio…
obfuscation
exploit
persistence
ddos
iot
botnet
CVE-2015-2051
enterprise
CVE-2018-10561
CVE-2021-41773
CVE-2024-7029
CVE-2024-10914
CVE-2023-1389
CVE-2017-18368
CVE-2024-12856
CVE-2024-12847
CVE-2025-22905
CVE-2023-26801
CVE-2023-52163
CVE-2025-1829
CVE-2025-4008
CVE-2025-5504
CVE-2024-3721
CVE-2025-34037
rondodox
CVE-2022-44149
2025-11-10
CVE-2019-16920
CVE-2025-7414
CVE-2023-47565
CVE-2016-6277
CVE-2022-37129
CVE-2022-36553
CVE-2014-1635
CVE-2018-11714
CVE-2017-18369
CVE-2020-10987
multi-architecture
CVE-2021-42013
CVE-2023-25280
command-injection
CVE-2023-51833
CVE-2014-6271
CVE-2020-27867
CVE-2020-25506
Published: November 10, 2025
Linked vulnerabilities : CVE-2024-7029 (CVSS 8.8), CVE-2024-10914 (CVSS 8.1), CVE-2024-12856 (CVSS 7.2), CVE-2024-12847 (CVSS 9.8), CVE-2025-22905 (CVSS 9.8), CVE-2023-52163 (CVSS 5.9), CVE-2025-1829 (CVSS 6.3), CVE-2015-2051, CVE-2021-41773, CVE-2017-10271, CVE-2018-10561, CVE-2023-1389, CVE-2017-18368, CVE-2025-4008 (CVSS 9.4), CVE-2025-5504 (CVSS 5.3), CVE-2024-3721, CVE-2025-34037 (CVSS 10.0), CVE-2022-44149, CVE-2022-37129, CVE-2022-36553, CVE-2020-27867, CVE-2018-11714, CVE-2017-18369, CVE-2014-1635, CVE-2025-7414, CVE-2020-25506, CVE-2020-10987, CVE-2023-47565, CVE-2023-25280, CVE-2021-42013, CVE-2014-6271, CVE-2019-16920, CVE-2016-6277, CVE-2023-26801, CVE-2023-51833
Downloadable IOCs: 20

Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed

A new component of PolarEdge's infrastructure, RPX_Client, has been discovered, revealing insights into the threat actor's relay operations. The investigation uncovered 140 VPS nodes acting as RPX Servers and over 25,000 infected devices serving as RPX Clients. The system uses a multi-hop design to…
evasion
iot
botnet
proxy
infrastructure
orb
command execution
polaredge
CVE-2023-20118
vps
2025-10-29
rpx_server
rpx_client
Published: October 29, 2025
Downloadable IOCs: 7

Mirai Botnet Propagation and Exploitation of CVE-2025-24016

The Mirai botnet continues to spread as operators repurpose old source code and exploit newly published vulnerabilities. The CVE program, while beneficial, sometimes inadvertently highlights overlooked vulnerabilities. Researchers' attempts to educate through PoCs often lead to negative outcomes, e…
botnet
mirai
CVE-2025-24016
2025-10-23
wazuh
Published: October 23, 2025
Linked vulnerabilities : CVE-2025-24016 (CVSS 9.9)
Downloadable IOCs: 40

Botnet Loader-as-a-Service Infrastructure Distributing RondoDoX and Mirai Payloads

A sophisticated botnet operation employing a Loader-as-a-Service model was uncovered through exposed command and control logs spanning six months. The campaign systematically targets SOHO routers, IoT devices, and enterprise applications through command injection vulnerabilities in web interfaces. …
command injection
iot
botnet
mirai
cryptomining
soho routers
rondodox
2025-09-25
morte
CVE-2012-1823
CVE-2019-17574
CVE-2019-16759
loader-as-a-service
Published: September 25, 2025
Linked vulnerabilities : CVE-2019-17574, CVE-2019-16759, CVE-2012-1823
Downloadable IOCs: 341

SystemBC – Bringing the Noise

The SystemBC botnet, composed of over 80 C2s and 1,500 daily victims, primarily targets VPS systems from commercial providers. It creates proxies enabling high volumes of malicious traffic for various criminal threat groups. The network is used by multiple proxy services, including REM Proxy, which…
ransomware
icedid
botnet
cybercrime
proxy
infrastructure
ngioweb
systembc
morpheus
trickbot
transferloader
vps
2025-09-25
avoslocker
rem proxy
malicious traffic
Published: September 25, 2025
Downloadable IOCs: 158

The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU

The AISURU botnet has emerged as a formidable threat, capable of launching massive DDoS attacks reaching 11.5 Tbps. First disclosed in 2024, it expanded significantly in 2025 by compromising a router firmware update server. The botnet, with approximately 300,000 nodes, is operated by a group of thr…
encryption
ddos
botnet
router
cybercrime
proxy
CVE-2022-35733
CVE-2023-50381
vulnerabilities
firmware
airashi
aisuru
CVE-2024-3721
2025-09-25
CVE-2017-5259
CVE-2013-5948
CVE-2013-1599
CVE-2023-28771
CVE-2022-44149
CVE-2013-3307
Published: September 25, 2025
Linked vulnerabilities : CVE-2023-50381 (CVSS 7.2), CVE-2023-28771, CVE-2024-3721, CVE-2022-35733, CVE-2013-1599, CVE-2022-44149, CVE-2013-5948, CVE-2013-3307, CVE-2017-5259
Downloadable IOCs: 11

An emerging DDoS for hire botnet

Darktrace uncovered a sophisticated cybercrime-as-a-service campaign utilizing Python and Go-based malware, Docker containerization, and a full operator UI. The attack combines DDoS techniques with targeted exploitation, featuring HTTP/2 rapid reset, Cloudflare UAM bypass, and large-scale HTTP floo…
python
botnet
docker
go
api
cloud-native
2025-09-25
shadowv2
cybercrime-as-a-service
containerization
ddos-as-a-service
http2
Published: September 25, 2025
Downloadable IOCs: 0

New Botnet Emerges from the Shadows: NightshadeC2

A new botnet called NightshadeC2 has been identified, employing sophisticated techniques to bypass malware analysis sandboxes and exclude itself from Windows Defender. It uses a 'UAC Prompt Bombing' technique and has both C and Python variants. The botnet's capabilities include reverse shell, file …
botnet
lumma stealer
keylogging
sandbox evasion
c2 communication
uac bypass
trojanized software
2025-09-05
nightshadec2
Published: September 5, 2025
Downloadable IOCs: 0

Dissecting RapperBot Botnet: From Infection to DDoS & More

This report details the analysis of RapperBot, a sophisticated botnet targeting IoT devices, particularly Network Video Recorders (NVRs). The malware exploits vulnerabilities in these devices to create a large-scale DDoS infrastructure. The analysis covers the botnet's infection process, command an…
exploit
dns
encryption
ddos
iot
botnet
infrastructure
2025-09-03
nvr
rapperbot
Published: September 3, 2025
Downloadable IOCs: 84

The Resurgence of IoT Malware: Inside the Mirai-Based "Gayfemboy" Botnet Campaign

FortiGuard Labs has been tracking a stealthy malware strain called "Gayfemboy" that exploits vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco products. The malware, based on Mirai, has evolved in form and behavior, targeting multiple countries and sectors. Gayfemboy employs obfuscation tech…
obfuscation
evasion
ddos
iot
botnet
mirai
2025-08-25
Published: August 25, 2025
Downloadable IOCs: 0

PlayPraetor's evolving threat: How Chinese-speaking actors globally scale an Android RAT

A large-scale Malware-as-a-Service operation, orchestrated by Chinese-speaking threat actors, has infected over 11,000 Android devices globally with the PlayPraetor Remote Access Trojan. The campaign primarily targets Europe, with significant presence in Portugal, Spain, and France, but also affect…
rat
android
cryptocurrency
botnet
banking
maas
accessibility services
2025-08-07
playpraetor
Published: August 7, 2025
Downloadable IOCs: 0

RondoDox Unveiled: Breaking Down a New Botnet Threat

A new botnet called RondoDox has been discovered, exploiting two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. It targets Linux-based systems on various architectures, including ARM and MIPS. RondoDox uses sophisticated evasion techniques, such as XOR-encoded configuration data, cust…
linux
evasion
persistence
ddos
botnet
vulnerabilities
CVE-2024-12856
CVE-2024-3721
2025-07-16
traffic mimicry
rondodox
Published: July 16, 2025
Downloadable IOCs: 35

Resurgence of the Prometei Botnet

Unit 42 researchers identified a new wave of Prometei botnet attacks in March 2025. The malware, which includes Linux and Windows variants, allows remote control of compromised systems for cryptocurrency mining and credential theft. Prometei is actively developed, incorporating new modules and meth…
linux
backdoor
botnet
credential theft
cryptominer
dga
prometei
2025-06-20
Published: June 20, 2025
Downloadable IOCs: 11

Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet

An active campaign is exploiting CVE-2025-3248, a critical vulnerability in Langflow versions before 1.3.0, to deliver the Flodrix botnet. Attackers use the flaw to execute downloader scripts on compromised servers, which then fetch and install the Flodrix malware. The vulnerability allows full sys…
exploit
ddos
botnet
rce
CVE-2025-3248
2025-06-18
flodrix
langflow
Published: June 18, 2025
Downloadable IOCs: 41

Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes

HUMAN's Satori team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting over 1 million low-cost consumer devices worldwide. The scheme involves a backdoor pre-installed on devices or distributed through unofficial app marketplaces, allowing threat actors to conduct var…
android
iot
botnet
ad fraud
badbox
vo1d
ctv
bb2door
residential proxy
2025-06-06
consumer devices
Published: June 6, 2025
Downloadable IOCs: 969

Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721

A new wave of Mirai botnet attacks is exploiting CVE-2024-3721 to target TBK DVR devices. The campaign uses a POST request to execute system commands without authorization, downloading and running an ARM32 binary. This Mirai variant includes features like RC4 string encryption, anti-VM checks, and …
ddos
iot
botnet
mirai
anti-vm
rc4 encryption
2025-06-06
anti-emulation
dvr
CVE-2024-3721
Published: June 6, 2025
Downloadable IOCs: 17

PumaBot: Novel Botnet Targeting IoT Surveillance Devices

A new Go-based Linux botnet named PumaBot has been identified targeting IoT devices, particularly surveillance systems. It brute-forces SSH credentials using lists from a C2 server, then deploys itself and establishes persistence. The malware disguises itself as legitimate system files, creates sys…
linux
surveillance
persistence
iot
botnet
credential theft
2025-06-04
pumabot
ssh brute-force
Published: June 4, 2025
Downloadable IOCs: 1

GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

A sophisticated campaign targeting ASUS routers has been uncovered, compromising thousands of devices. The attackers employ brute-force attempts, authentication bypasses, and exploit CVE-2023-39780 to gain initial access. They establish persistence by enabling SSH access on a custom port and insert…
backdoor
apt
persistence
botnet
ssh
stealth
authentication bypass
asus routers
CVE-2023-39780
2025-06-04
nvram
Published: June 4, 2025
Downloadable IOCs: 3

Thousands of ASUS Routers Hijacked in Stealthy Backdoor Campaign

A sophisticated hacking campaign has compromised approximately 9000 ASUS routers, creating persistent backdoors that survive firmware updates and reboots. The attackers utilize the routers' legitimate features to maintain long-term access without dropping malware or leaving traces. This operation a…
backdoor
botnet
2025-05-29
ssh access
operational relay box
asus routers
CVE-2023-39780
Published: May 29, 2025
Downloadable IOCs: 0

TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking

The TA-ShadowCricket group, formerly known as Shadow Force, has been active in the Asia-Pacific region since 2012, targeting Windows servers and MS-SQL servers. They operate an IRC server with over 2,000 affected IPs in 72 countries. The group uses various malware and tools, including Upm, SqlShell…
malware
apt
china
botnet
sqlshell
irc
windows servers
miner
ms-sql
2025-05-27
credentialstealer
maggiescan
detofin
upm
pemodifier
sqldoor
maggie
wgdrop
shaduser
asia-pacific
Published: May 27, 2025
Downloadable IOCs: 13

Danabot: Analyzing a fallen empire

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan to a versatile tool for data theft and malware distribution. Operated as a malware-as-a-service, Danabot offered features like data steali…
infostealer
lockbit
data theft
darkgate
zloader
botnet
lumma stealer
matanbuchus
cybercrime
danabot
latrodectus
malware-as-a-service
smokeloader
banking trojan
systembc
buran
rescoms
recordbreaker
ursnif
2025-05-23
2025-05-25
nonransomware
proxy servers
crisis
c&c infrastructure
malware-as-service
Published: May 25, 2025
Downloadable IOCs: 1

The Good, the Bad and the Ugly in Cybersecurity – Week 20

This intelligence update covers recent cybersecurity events. In positive developments, global authorities disrupted a major botnet, arrested a ransomware actor, and dismantled a dark web marketplace. On the negative side, a malicious NPM package was discovered hiding multi-stage malware using Unico…
ransomware
zero-day
botnet
npm
dns hijacking
dark web
CVE-2025-27920
omserverservice.exe
omclientservice.exe
output messenger
2025-05-16
kurdish military
doppelpaymer
Published: May 16, 2025
Linked vulnerabilities : CVE-2025-27920 (CVSS 9.8)
Downloadable IOCs: 1

Outlaw cybergang attacking targets worldwide

A recent incident response case in Brazil revealed a Perl-based crypto mining botnet called Outlaw, also known as Dota, targeting Linux environments. The threat actor exploits weak SSH credentials, downloads malicious scripts, and deploys an XMRig miner for Monero cryptocurrency. The botnet include…
linux
backdoor
evasion
xmrig
persistence
botnet
irc
ssh
crypto mining
outlaw
2025-04-29
dota
Published: April 29, 2025
Downloadable IOCs: 0

Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective

OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified …
linux
xmrig
worm
persistence
botnet
irc
ssh
cryptocurrency mining
brute-force
2025-04-03
outlaw
stealth shellbot
blitz
Published: April 3, 2025
Downloadable IOCs: 87

GorillaBot: Technical Analysis and Code Similarities with Mirai

GorillaBot is a newly discovered Mirai-based botnet that has launched over 300,000 attacks across more than 100 countries, targeting various industries including telecommunications, finance, and education. It reuses Mirai's core logic while adding custom encryption and evasion techniques. The malwa…
evasion
encryption
botnet
mirai
c2 communication
anti-debugging
2025-03-25
xtea
sha-256
gorillabot
Published: March 25, 2025
Downloadable IOCs: 3

Negative Exposure: Edimax Network Cameras Used to Spread Mirai

The Akamai Security Intelligence and Response Team (SIRT) has identified a critical command injection vulnerability, CVE-2025-1316, in Edimax IC-7100 IP cameras. This flaw allows attackers to execute arbitrary commands remotely, leading to the integration of these devices into Mirai-based botnets. …
malware
exploit
botnet
mirai
sha256
2025-03-17
sha256 hash
Published: March 17, 2025
Downloadable IOCs: 28

Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits

A report details the incorporation of exploits targeting DrayTek Vigor routers into the Mirai botnet. Previously disclosed vulnerabilities affecting approximately 700,000 devices are being exploited, with attacks focusing on the 'keyPath' and 'cvmcfgupload' parameters. A curious spike in malformed …
exploit
vulnerability
iot
botnet
router
mirai
firmware
2025-03-17
vigor
draytek
Published: March 17, 2025
Downloadable IOCs: 3

BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes

HUMAN's Satori Threat Intelligence team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting low-cost consumer devices. This operation, an expansion of the 2023 BADBOX scheme, infected over 1 million Android Open Source Project devices worldwide with a backdoor called B…
backdoor
iot
botnet
ad fraud
badbox
vo1d
2025-03-06
ctv
bb2door
residential proxy
click fraud
badbox 2.0
Published: March 6, 2025
Downloadable IOCs: 59

New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran

A new botnet that infects tens of thousands of internet-connected devices has been identified as being linked to Iran, according to research by GreyNoise and Nokia Deepfield. and Censys.
ddos
botnet
2025-03-05
team
telnet
greynoise
eleven11bot
deepfield
nvrs
Published: March 5, 2025
Downloadable IOCs: 1428

Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally

The Vo1d botnet has infected 1.6 million Android TV devices across 200+ countries, posing a significant cybersecurity threat. This new variant demonstrates enhanced stealth and resilience, utilizing RSA encryption, DGA-based infrastructure, and a modified XXTEA algorithm. The botnet's scale and cap…
botnet
2025-02-28
vo1d
proxy network
android tv
set-top box
Published: February 28, 2025
Downloadable IOCs: 48

PolarEdge: Unveiling an uncovered ORB network

An analysis of the PolarEdge backdoor and its associated botnet reveals a sophisticated cyber threat targeting various edge devices. The botnet exploits vulnerabilities in Cisco, Asus, QNAP, and Synology devices, using a TLS backdoor to establish control. Active since at least late 2023, PolarEdge …
botnet
vulnerability exploitation
asus
infrastructure analysis
edge devices
2025-02-25
qnap
cisco
polaredge
CVE-2023-20118
tls backdoor
synology
cipher_log
Published: February 25, 2025
Linked vulnerabilities : CVE-2023-20118
Downloadable IOCs: 31

Unpacking the BADBOX Botnet

The BADBOX botnet, a newly discovered threat, targets Android devices, including high-end models like Yandex 4K QLED TVs. Over 190,000 infected devices have been observed, with malware often pre-installed from the factory or further down the supply chain. Using Censys, a suspicious SSL/TLS certific…
android
supply chain
iot
botnet
badbox
firmware
2025-02-05
censys
ssh host key
ssl/tls certificate
Published: February 5, 2025
Downloadable IOCs: 19

Phorpiex - Downloader Delivering Ransomware

The report analyzes the Phorpiex botnet's role in delivering LockBit Black Ransomware. It highlights the automated execution of ransomware through Phorpiex, minimal changes to the botnet's code since its source code sale in 2021, and direct deployment of LockBit without network expansion. The analy…
phishing
ransomware
lockbit
botnet
phorpiex
downloader
gandcrab
2025-01-29
twizt
Published: January 29, 2025
Downloadable IOCs: 14

New Aquabot Variant Targeting Mitel SIP Phones

A new variant of the Mirai-based malware, Aquabot, dubbed Aquabotv3, is actively exploiting Mitel SIP phones through CVE-2024-41710. This variant introduces a novel feature for Mirai-based botnets: reporting back to the command and control server when kill signals are caught on infected devices. Th…
ddos
iot
botnet
mirai
CVE-2018-10562
CVE-2018-10561
CVE-2024-41710
2025-01-29
aquabotv3
CVE-2022-31137
aquabot
CVE-2018-17532
CVE-2023-26801
Published: January 29, 2025
Downloadable IOCs: 45

Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai

The Qualys Threat Research Unit has uncovered a large-scale operation within the Mirai campaign, dubbed Murdoc Botnet. This variant exploits vulnerabilities in AVTECH Cameras and Huawei HG532 routers, demonstrating enhanced capabilities to compromise devices and establish expansive botnet networks.…
iot
botnet
mirai
2025-01-22
murdoc botnet
Published: January 22, 2025
Downloadable IOCs: 0

IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024

An IoT botnet has been orchestrating large-scale DDoS attacks globally since late 2024, targeting companies in Japan and other countries. The botnet, comprising Mirai and Bashlite variants, infects IoT devices by exploiting vulnerabilities and weak credentials. It uses various DDoS attack methods, …
ddos
iot
botnet
mirai
bashlite
2025-01-17
ip cameras
Published: January 17, 2025
Downloadable IOCs: 0

Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI

The AIRASHI botnet, an evolved version of AISURU, has been observed conducting large-scale DDoS attacks and exploiting vulnerabilities in various devices. It utilizes a 0DAY vulnerability in cnPilot routers for propagation and employs sophisticated encryption techniques for communication. The botne…
vulnerability
rc4
encryption
ddos
botnet
proxy
chacha20
hellokitty
2025-01-16
hmac-sha256
airashi
CVE-2022-3573
cnpilot
aisuru
Published: January 16, 2025
Linked vulnerabilities : CVE-2021-36260, CVE-2022-3573
Downloadable IOCs: 9

Gayfemboy: A Botnet Deliver Through a Four-Faith Industrial Router 0-day Exploit.

The Gayfemboy botnet, discovered in February 2024, has evolved from a simple Mirai derivative into a sophisticated large-scale botnet. It exploits a 0-day vulnerability in Four-Faith industrial routers and unknown vulnerabilities in other devices to spread. With over 15,000 daily active nodes acros…
ddos
botnet
CVE-2024-12856
four-faith
2025-01-08
0-day
gayfemboy
industrial-router
Published: January 8, 2025
Linked vulnerabilities : CVE-2024-8956 (CVSS 9.1), CVE-2024-8957 (CVSS 9.8), CVE-2024-12856 (CVSS 7.2), CVE-2013-7471
Downloadable IOCs: 56

Botnets Continue to Target Aging D-Link Vulnerabilities

Two botnets, FICORA and CAPSAICIN, have been exploiting long-standing vulnerabilities in D-Link routers to spread globally. FICORA, a Mirai variant, uses a shell script to download and execute malware on various Linux architectures, incorporating DDoS attack functions. CAPSAICIN, likely based on th…
ddos
botnet
mirai
d-link
ficora
capsaicin
2024-12-31
hnap
Published: December 31, 2024
Linked vulnerabilities : CVE-2024-33112, CVE-2015-2051, CVE-2022-37056, CVE-2019-10891
Downloadable IOCs: 51

Warning of a surge in activity associated with FICORA and Kaiten botnets

FortiGuard Labs researchers observed increased activity from two botnets in late 2024: the Mirai variant 'FICORA' and the Kaiten variant 'CAPSAICIN'. Both target vulnerabilities in D-Link devices, particularly through the HNAP interface, allowing remote command execution. The FICORA botnet download…
linux
botnet
CVE-2015-2051
CVE-2024-33112
mirai
2024-12-27
kaiten
d-link
ficora
capsaicin
CVE-2019-10891
CVE-2022-37056
Published: December 27, 2024
Linked vulnerabilities : CVE-2024-33112, CVE-2015-2051, CVE-2022-37056, CVE-2019-10891
Downloadable IOCs: 2

cShell DDoS Bot Attack Case Targeting Linux SSH Server (screen and hping3)

A new DDoS malware strain named cShell is targeting poorly managed Linux servers through SSH services. The threat actor uses brute force attacks to gain initial access, then installs the cShell bot developed in Go language. cShell exploits Linux tools 'screen' and 'hping3' to perform various DDoS a…
linux
ddos
botnet
ssh
brute-force
2024-12-20
carm
hping3
go-language
cshell
screen
Published: December 20, 2024
Downloadable IOCs: 1

BADBOX Botnet Is Back

The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices…
malware
android
supply chain
botnet
proxy
ad fraud
triada
2024-12-17
badbox
firmware
smart tv
Published: December 17, 2024
Downloadable IOCs: 22

Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices

A malicious botnet called Socks5Systemz is operating a proxy service named PROXY.AM, utilizing over 85,000 compromised devices. The botnet, active since 2013, aims to turn infected systems into proxy exit nodes for cybercriminals seeking to obscure their attack sources. Initially boasting around 25…
botnet
amadey
cybercrime
smokeloader
proxy service
socks5systemz
2024-12-09
privateloader
exit nodes
hacked devices
proxy.am
Published: December 9, 2024
Downloadable IOCs: 2

CURLing for Crypto on Honeypots

An analysis of honeypot activity reveals a pattern of repeated curl commands targeting various websites, primarily originating from a single IP address. The commands, executed on multiple honeypots, focus on cryptocurrency-related sites, bot construction platforms, and communication services. The a…
cryptocurrency
ddos
botnet
mining
telegram
siem
2024-12-09
curl
honeypot
cowrie
Published: December 9, 2024
Downloadable IOCs: 37

PROXY.AM Powered by Socks5Systemz Botnet

The Socks5Systemz botnet, active since 2013, has been operating under the radar by integrating with other malware as a SOCK5 proxy module. Recently, it has grown to 250,000 compromised systems globally. The botnet powers PROXY.AM, a service providing proxy exit nodes for criminal activities. Origin…
botnet
proxy
2024-12-04
socks5
socks5systemz
Published: December 4, 2024
Downloadable IOCs: 43

Gafgyt Malware Broadens Its Scope in Recent Attacks

Trend Micro researchers have identified threat actors exploiting misconfigured Docker servers to spread Gafgyt malware, traditionally known for targeting IoT devices. This shift in behavior involves attackers creating Docker containers based on legitimate 'alpine' images to deploy the malware. The …
privilege-escalation
ddos
iot
botnet
gafgyt
docker
api
2024-12-03
lizkebab
container
bashlite
Published: December 3, 2024
Downloadable IOCs: 25

Matrix Unleashes A New Widespread DDoS Campaign

A new widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix has been uncovered. The operation combines public scripts, brute-force attacks, and exploitation of weak credentials to create a botnet capable of global disruption. Matrix targets vulnerabili…
cryptocurrency
ddos
iot
botnet
mirai
discord
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
CVE-2017-17215
telegram
2024-11-27
CVE-2014-8361
brute-force
CVE-2017-18368
script kiddie
CVE-2018-9995
pybot
CVE-2024-27348
CVE-2017-17106
discordgo
CVE-2022-30525
CVE-2022-30075
Published: November 27, 2024
Linked vulnerabilities : CVE-2024-27348, CVE-2021-20090, CVE-2022-30525, CVE-2018-10562, CVE-2018-10561, CVE-2022-30075, CVE-2018-9995, CVE-2017-17106, CVE-2017-18368, CVE-2014-8361, CVE-2017-17215
Downloadable IOCs: 12

One Sock Fits All: The use and abuse of the NSOCKS botnet

The ngioweb botnet serves as the foundation for the NSOCKS criminal proxy service, maintaining over 35,000 bots daily across 180 countries. The botnet primarily targets SOHO routers and IoT devices, with two-thirds of proxies based in the U.S. NSOCKS utilizes over 180 'backconnect' C2 nodes to obsc…
ddos
botnet
cybercrime
ngioweb
2024-11-19
nsocks
proxy service
soho routers
shopsocks5
iot devices
vn5socks
Published: November 19, 2024
Downloadable IOCs: 59

Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices

Water Barghest, a cybercriminal group, has developed a highly automated system for exploiting and monetizing IoT devices. Their botnet, comprising over 20,000 devices as of October 2024, uses automated scripts to identify and compromise vulnerable IoT devices from public internet scan databases. On…
iot
botnet
proxy
vulnerability exploitation
ngioweb
2024-11-18
residential proxy marketplace
Published: November 18, 2024
Downloadable IOCs: 66

Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave

The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, expanding its attack surface from web servers to IoT devices. It exploits vulnerabilities in various platforms, including Cisco ASA, Atlassian JIRA, and PHP frameworks, utilizing remote code executio…
iot
botnet
credential theft
CVE-2024-4577
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
routers
CVE-2022-1040
mozi
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
2024-11-12
web servers
persistent access
Published: November 12, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-41773, CVE-2018-15133, CVE-2017-9841, CVE-2022-1040, CVE-2021-41277, CVE-2018-10562, CVE-2014-2120, CVE-2021-26086, CVE-2024-36401, CVE-2022-21587, CVE-2018-10561, CVE-2023-1389
Downloadable IOCs: 10

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The AndroxGh0st malware has expanded its capabilities by incorporating the Mozi botnet to target IoT devices and cloud services. This Python-based tool, known for attacking Laravel applications, now exploits a wider range of vulnerabilities in internet-facing applications. The malware uses remote c…
iot
botnet
wordpress
CVE-2024-4577
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
cloud services
credential stealing
CVE-2022-1040
2024-11-08
mozi
laravel
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
Published: November 8, 2024
Downloadable IOCs: 1

DDoS-for-Hire Platform dstat[.]cc Disrupted; Suspects Arrested

German law enforcement authorities have successfully disrupted dstat[.]cc, a criminal service facilitating distributed denial-of-service (DDoS) attacks. The platform provided recommendations and evaluations of stresser services, making DDoS attacks accessible to users without advanced technical ski…
ddos
botnet
cybercrime
2024-11-04
law enforcement
stresser services
drug trafficking
Published: November 4, 2024
Downloadable IOCs: 1

Unmasking Prometei: A Deep Dive Into MXDR Findings

This analysis examines the Prometei botnet's infiltration of a customer's system through a targeted brute force attack. Leveraging Trend Vision One, the investigation traced the botnet's detailed installation routine and stealthy tactics. Prometei, a modular malware family used for cryptocurrency m…
botnet
credential theft
lateral movement
dga
web shell
tor
cryptocurrency mining
2024-10-23
prometei
CVE-2021-27065
CVE-2021-26858
CVE-2019-0708
Published: October 23, 2024
Downloadable IOCs: 0

Bulbature, beneath the waves of GobRAT

This report examines an infrastructure used to control compromised edge devices transformed into Operational Relay Boxes for launching cyber attacks. The infrastructure, consisting of 63 identified servers, uses GobRAT and Bulbature malware to compromise devices and create a botnet. Features includ…
china
ddos
botnet
proxy
2024-10-04
gobrat
orb
edge devices
bulbature
Published: October 4, 2024
Linked vulnerabilities : CVE-2019-13956, CVE-2019-9082, CVE-2017-5638
Downloadable IOCs: 120

People's Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations

PRC-linked cyber actors have compromised thousands of Internet-connected devices to create a botnet for malicious activities. Integrity Technology Group, a PRC-based company with government links, has controlled a botnet of over 260,000 devices since mid-2021. The botnet uses Mirai-based malware to…
china
ddos
iot
botnet
cyber espionage
mirai
CVE-2024-29973
CVE-2024-4577
CVE-2024-5217
routers
CVE-2023-3519
CVE-2023-46604
CVE-2023-46747
2024-10-02
CVE-2023-43478
CVE-2023-3852
CVE-2023-36844
network compromise
CVE-2024-29269
CVE-2023-36542
CVE-2023-35885
CVE-2024-21762
CVE-2023-38035
CVE-2023-35843
CVE-2023-37582
CVE-2023-38646
CVE-2023-50386
CVE-2023-47218
Published: October 2, 2024
Linked vulnerabilities : CVE-2024-29973 (CVSS 9.8), CVE-2024-4577 (CVSS 9.8), CVE-2024-5217, CVE-2021-44228, CVE-2023-46604, CVE-2023-22515, CVE-2022-26134, CVE-2022-42475, CVE-2022-1388, CVE-2023-22527, CVE-2023-3519, CVE-2023-27997, CVE-2023-46747, CVE-2023-43478, CVE-2023-37582, CVE-2023-36542, CVE-2023-35885, CVE-2023-35843, CVE-2023-35081, CVE-2023-34960, CVE-2023-34598, CVE-2023-3368, CVE-2023-33510, CVE-2023-30799, CVE-2023-28365, CVE-2023-26469, CVE-2023-23333, CVE-2022-3590, CVE-2022-40881, CVE-2022-20707, CVE-2021-46422, CVE-2021-45511, CVE-2021-36260, CVE-2021-28799, CVE-2021-1473, CVE-2021-1472, CVE-2020-4450, CVE-2020-35391, CVE-2020-3451, CVE-2019-12168, CVE-2019-11829, CVE-2018-18852, CVE-2017-7876, CVE-2019-19824, CVE-2024-29269, CVE-2021-20090, CVE-2015-7450, CVE-2022-31814, CVE-2023-38035, CVE-2019-17621, CVE-2023-36844, CVE-2022-30525, CVE-2023-28771, CVE-2023-47218, CVE-2023-50386, CVE-2024-21762, CVE-2023-4166, CVE-2023-3852, CVE-2023-38646, CVE-2023-27524, CVE-2023-24229, CVE-2023-25690, CVE-2020-3452, CVE-2019-7256, CVE-2020-8515, CVE-2020-15415
Downloadable IOCs: 169

Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal

This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection …
china
botnet
cryptomining
brazil
pwnrig
tsunami
k4spreader
weblogic
hadooken
2024-10-01
CVE-2017-10271
CVE-2020-14883
Published: October 1, 2024
Linked vulnerabilities : CVE-2023-46604, CVE-2020-14883, CVE-2017-10271
Downloadable IOCs: 62

Derailing the Raptor Train

A large, multi-tiered botnet called Raptor Train, likely operated by Chinese threat actors Flax Typhoon, has been discovered. Consisting of over 60,000 compromised SOHO and IoT devices at its peak, it's one of the largest Chinese state-sponsored IoT botnets to date. The botnet uses a sophisticated …
ddos
iot
botnet
2024-09-20
raptor train
Published: September 20, 2024
Linked vulnerabilities : CVE-2024-21887
Downloadable IOCs: 198

Botnet 7777: Are You Betting on a Compromised Router?

This analysis uncovers the expansion of a significant botnet operation, dubbed Quad7 or 7777 botnet, characterized by its unique use of TCP port 7777 on compromised routers, primarily TP-Link and Hikvision devices. The research reveals a potential second tranche of bots, the 63256 botnet, comprised…
botnet
routers
2024-08-08
compromised devices
asus
tp-link
Published: August 8, 2024
Downloadable IOCs: 7

Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks

TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybe…
espionage
botnet
cybercrime
proxy
2024-08-07
routers
ngioweb
sshdoor
Published: August 7, 2024
Downloadable IOCs: 64

Solving the 7777 Botnet enigma: A cybersecurity quest

Sekoia.io investigated the mysterious 7777 botnet (aka Quad7 botnet), which compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts. The investigation involved intercepting network communications and malware deployed on a compromised router in France. The findi…
iot
botnet
cybercrime
2024-07-23
microsoft 365
password spraying
xlogin
microsocks
Published: July 23, 2024
Downloadable IOCs: 4

Who You Gonna Call? AndroxGh0st Busters!

This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
python
botnet
credential theft
2024-07-17
androxgh0st
CVE-2021-41773
rce exploitation
CVE-2017-9841
web exploitation
CVE-2018-15133
Published: July 17, 2024
Linked vulnerabilities : CVE-2021-41773, CVE-2018-15133, CVE-2017-9841
Downloadable IOCs: 7

New Threat: A Deep Dive Into the Zergeca Botnet

An analysis of a newly discovered botnet named Zergeca, implemented in Go language, with capabilities for DDoS attacks, proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information. The report delves into the botnet's unique features, in…
persistence
ddos
botnet
2024-07-05
go
zergeca
CVE-2018-10562
CVE-2018-10561
CVE-2016-20016
CVE-2022-35733
CVE-2017-17215
Published: July 5, 2024
Downloadable IOCs: 13

Mining Gang's New Tool: k4spreader

QIanxin describes the discovery and analysis of k4spreader, a new malware installer and spreader tool developed by the 8220 mining gang. k4spreader is written in cgo and implements system persistence, self-updating, and releasing other malware like the Tsunami botnet and PwnRig miner. The tool is s…
botnet
2024-07-02
pwnrig
mining
tsunami
spreader
k4spreader
Published: July 2, 2024
Downloadable IOCs: 35

The Digital Legacy of Botnet 911 S5

The report provides an in-depth analysis of the notorious Botnet 911 S5, revealing its origins, operations, and digital remnants. It traces the botnet's evolution, from its inception in 2014 to its eventual demise in 2024, after a joint law enforcement operation. The botnet leveraged free VPN softw…
botnet
cybercrime
2024-06-14
dewvpn
paladinvpn
shield vpn
maskvpn
shinevpn
proxygate
Published: June 14, 2024
Downloadable IOCs: 35

Malware botnet installing NiceRAT

This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
malware
botnet
2024-06-06
nitol
nanocore
nicerat
Published: June 6, 2024
Downloadable IOCs: 24

Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors

This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
ransomware
coinminer
botnet
2024-06-06
rdp
phobos
havex
backdoor.oldrea
proxy
Published: June 6, 2024
Downloadable IOCs: 34

Security Brief: Millions of Messages Distribute LockBit Black Ransomware

In late April 2024, Proofpoint observed high-volume email campaigns facilitated by the Phorpiex botnet, distributing millions of messages with attachments leading to LockBit Black ransomware infections. The messages appeared to originate from 'Jenny Green' and contained ZIP attachments with executa…
ransomware
lockbit
botnet
2024-05-08
malspam
phorpiex
lockbit black
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 16

Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation

Juniper Threat Labs has observed attempts to exploit Ivanti Pulse Secure authentication bypass and remote code execution vulnerabilities (CVE-2023-46805 and CVE-2024-21887), leading to the delivery of Mirai botnet payloads. This analysis explores the vulnerabilities, exploitation methods, observed …
botnet
2024-05-05
2024-05-06
2024-05-07
2024-05-08
mirai
ivanti
CVE-2024-21887
CVE-2023-46805
2024-05-09
2024-05-10
Published: May 10, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805
Downloadable IOCs: 23

New Goldoon Botnet Targeting D-Link Devices

In April 2024, FortiGuard Labs observed a new botnet exploiting a nearly decade-old D-Link vulnerability to take control of devices and incorporate them into a botnet used to launch attacks. The malware, named Goldoon, establishes persistence and connects to a C2 server to receive commands, includi…
linux
ddos
2024-05-03
iot
botnet
router
CVE-2015-2051
goldoon
Published: May 3, 2024
Linked vulnerabilities : CVE-2015-2051
Downloadable IOCs: 24
Click here to see more Attack Reports