ALERTS BOTNET
| DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
|---|---|---|---|---|
| 24.4.25 | Weaponized Alpine Quest App used to spy on Russian military via Telegram Bot | | BOTNET | A modified version of the popular Android navigation app Alpine Quest has been found carrying spyware targeting Russian military personnel. The spyware, bundled within the app, collects sensitive information such as phone numbers, account details, contacts and geolocation. |
| 24.4.25 | RustoBot botnet activity | | BOTNET | RustoBot is a new Rust-based botnet variant distributed via exploitation of vulnerabilities in unpatched TOTOLINK devices. |
| 13.3.25 | Ballista botnet targets TP-Link Archer routers via vulnerability exploitation | | BOTNET | A new botnet dubbed Ballista has targeted organizations in Australia, China, Mexico, and the US, focusing on the healthcare, manufacturing, services, and technology sectors. |
| 29.1.25 | Aquabot v3 - a new Mirai variant in the field | ALERTS | BOTNET | A new Mirai malware variant dubbed Aquabot v3 has been observed in the wild. The malware has been reported to exploit CVE-2024-41710, a command injection vulnerability affecting various Mitel devices. The malware is also able to exploit some older vulnerabilities affecting Hadoop YARN or various Linksys devices. Aquabot v3 supports a wide range of architectures including x86 and ARM. Functionality-wise, the malware is predominantly used for initiating DDoS attacks from the compromised devices. |
| 23.1.25 | Murdoc botnet, a Mirai variant | ALERTS | BOTNET | A new Mirai variant dubbed Murdoc botnet has been discovered in a recently observed campaign. The campaign leverages ELF binaries and shell scripts to target various *nix-based systems, such as IoT devices and IP cameras, among others. The shell scripts are deployed to the devices to download and execute the Murdoc botnet payloads from the C2 servers. |
| 20.1.25 | AIRASHI - a large scale DDoS botnet | ALERTS | BOTNET | Airashi is a variant of the Aisiru botnet observed in the wild last year. The botnet is known to be spread via exposed vulnerabilities as well as through exploitation of weak Telnet credentials. Airashi can be used by attackers to conduct a wide variety of DDoS attacks. Several strains of the botnet binaries also support additional functionalities such as command execution or proxy services. |
| 30.12.24 | Ficora and Capsaicin botnets leverage old vulnerabilities for distribution | ALERTS | BOTNET | According to researchers from Fortinet, two Linux botnet variants, Ficora and Capsaicin, have been distributed in recently observed campaigns. The botnets leverage several old D-Link vulnerabilities affecting the HNAP (Home Network Administration Protocol) interface, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112. |
| 27.10.24 | Prometei botnet activity | ALERTS | BOTNET | New Prometei botnet activity has been reported in the wild. The botnet has historically been used mostly for Monero cryptomining operations, but over time the attackers behind it have updated the botnet's capabilities to conduct even more complex attacks, allowing full control over the infected machines as well as additional arbitrary payload deployments. Prometei distribution campaigns often leverage exploitation of previously disclosed RCP or SMB vulnerabilities, usage of domain generation algorithm (DGA) mechanisms for C2 communication, as well as webshell deployments within the attack chain. |
| 27.10.24 | Gorilla Botnet: A new global threat based on Mirai code | ALERTS | BOTNET | Reports indicate a surge in activity from a new botnet family called Gorilla Botnet, which is targeting telecommunications, universities, and the gaming industry worldwide. This botnet is a modified version of the Mirai source code and is compatible with various CPU architectures, including ARM, MIPS, x86_64, and x86. It boasts advanced DDoS attack methods and employs multiple techniques for persistence. |
| 31.8.24 | Corona Mirai variant distributed via vulnerability exploitation | | BOTNET | A Mirai malware variant dubbed Corona has recently been distributed via exploitation of a command injection vulnerability (CVE-2024-7029) in AVTECH IP camera devices. The botnet also attempts to exploit some older vulnerabilities, including CVE-2017-17215 in Huawei routers and CVE-2014-8361 affecting Realtek. Once deployed, the botnet will attempt to connect to additional hosts via open Telnet ports. The dropped payload might be used by the attackers for a wide variety of DDoS attacks or command execution on the affected devices. |
| 20.8.24 | New Gafgyt botnet variant observed in the wild | | BOTNET | A new Gafgyt botnet variant has been observed in the wild. The malware is spread in a distribution campaign targeting endpoints with weak SSH credentials that deploys two distinct ELF binaries. One of the files is a Go-based Gafgyt binary with various capabilities including system discovery, command execution, scanning for exposed SSH/Telnet access and brute-force attack execution against the targeted systems. The second binary is an XMRig cryptominer used to mine the Monero cryptocurrency. |
| 8.7.24 | Zergeca: A new Golang botnet with advanced capabilities | ALERTS | BOTNET | A new botnet, dubbed Zergeca and written in Golang, has been observed in the wild. In addition to conducting distributed denial-of-service (DDoS) attacks, the botnet includes several other features such as proxy-based obfuscation. |
| 8.6.24 | Apache RocketMQ targeted in Muhstik botnet campaign | ALERTS | BOTNET | A recent campaign targeting Apache RocketMQ platforms, exploiting a known vulnerability (CVE-2023-33246) for remote code execution, has been observed. As part of the campaign, threat actors are deploying the Muhstik botnet, known for distributed denial-of-service (DDoS) attacks. Muhstik provides persistence, evades detection, performs lateral movement, and communicates through an IRC command-and-control server. The malware can be used for cryptocurrency mining and launching DDoS attacks. |
| 30.5.24 | CatDDoS: A rising threat across multiple sectors | ALERTS | BOTNET | A rise in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS has been observed. Multiple threat actors are employing various CatDDoS variants to target organizations across multiple sectors, including cloud vendors, communication providers, scientific and research entities, and educational institutions. The vulnerabilities exploited by CatDDoS affect numerous products and technologies, such as Jenkins servers, Apache ActiveMQ servers, Apache Log4j, Cisco Linksys, and NetGear routers, among others. |
| 15.5.24 | Phorpiex botnet distributes LockBit Black Ransomware via email campaign | ALERTS | BOTNET | A high-volume email campaign facilitated by the Phorpiex botnet, delivering LockBit Black ransomware, has been reported. Phorpiex functions as a Malware-as-a-Service platform and has amassed a significant customer base among threat actors over more than a decade of operation. Since 2018, Phorpiex has been involved in activities such as data exfiltration and ransomware distribution. Despite attempts to disrupt its operations over the years, the botnet continues to persist. |
| 3.5.24 | Goldoon botnet | ALERTS | BOTNET | According to a recent report from FortiGuard Labs, a new botnet variant dubbed Goldoon has been observed in the wild. This malware exploits an old D-Link vulnerability from 2015, CVE-2015-2051, for its propagation. Goldoon can establish persistence on the affected device and execute commands received from C2 servers. The attackers might use this malware variant to gain control over the infected devices, collect system information, and perform various forms of distributed denial-of-service (DDoS) attacks. |
| 26.3.24 | Emergence of Mirai Nomi in the Threat Landscape | ALERTS | BOTNET | A new Mirai botnet variant, named Mirai Nomi, has emerged in the threat landscape. This variant features modified UPX packing, a time-dependent Domain Generation Algorithm (DGA) for command and control, and multiple encryption and hashing algorithms. It includes capabilities such as file deletion, process termination, persistence and elimination of competing bots. Although not very active, its capabilities raise concerns about potential future threats. |