< ciso
brief />
Tag Banner

All news with #botnet tag

126 articles · page 2 of 7

Mirai Campaign Exploits RCE in EoL D-Link DIR-823X Routers

🔒 A new Mirai-based campaign is actively exploiting CVE-2025-29635, a command-injection RCE that affects D-Link DIR-823X routers, to enlist devices into a botnet. Akamai's SIRT observed the activity in March 2026 and found attackers downloading and executing a shell script that installs a multi-architecture Mirai variant called tuxnokill. The affected DIR-823X line reached end of life in November 2024 and is unlikely to receive a vendor patch. Users are advised to replace EoL devices, disable remote administration, change default passwords, and monitor for configuration changes.
read more →

SystemBC C2 Server Reveals Over 1,570 Compromised Hosts

🔍Check Point researchers found a SystemBC C2 server linked to an affiliate of the The Gentlemen RaaS operation controlling a botnet of more than 1,570 compromised corporate hosts worldwide. SystemBC establishes SOCKS5 tunnels and communicates with its C2 using a custom RC4‑encrypted protocol, enabling payload download or in‑memory execution. The activity aligns with The Gentlemen’s multi‑platform double‑extortion campaigns that abuse GPOs, exposed services, and compromised credentials to escalate access and deploy ransomware.
read more →

Gentlemen Ransomware Uses SystemBC Botnet for Corporates

🔒 Check Point Research uncovered a SystemBC proxy botnet of over 1,570 infected hosts tied to a Gentlemen ransomware affiliate, with telemetry indicating primarily corporate victims across the US, UK, Germany, Australia, and Romania. The discovery shows affiliates pairing SystemBC SOCKS5 tunneling with Cobalt Strike for covert payload delivery and lateral movement. Check Point published IoCs and a YARA signature to help defenders identify related activity.
read more →

Nexcorium Mirai Variant Exploits DVR Command Injection

⚠️Fortinet researchers observed a campaign exploiting a command injection flaw (CVE-2024-3721) in TBK DVR systems to deploy a Mirai-based, multi-architecture botnet called Nexcorium. Attackers deliver a downloader via crafted HTTP requests that retrieves ARM, MIPS and x86-64 payloads and executes them with elevated privileges. The malware leverages an XOR-encoded configuration, embedded credential lists for brute-force access and multiple persistence mechanisms, and network traffic includes a custom HTTP header referencing Nexus Team that may indicate the actor.
read more →

Mirai Variant 'Nexcorium' Exploits TBK DVR, TP‑Link Flaws

🔒 Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 report that threat actors are exploiting a command injection flaw, CVE-2024-3721, in TBK DVR devices to deliver a Mirai-family loader tracked as Nexcorium. The loader installs architecture-specific binaries, establishes persistence via crontab and systemd, and uses hard-coded credential lists plus an exploit for CVE-2017-17215 to spread to Huawei HG532 devices. Unit 42 also observed automated scans targeting EoL TP-Link routers via CVE-2023-33538, though initial attempts were flawed and did not achieve compromise. Researchers warn that unpatched, unsupported IoT devices and default credentials continue to enable large-scale DDoS botnets and recommend replacing EoL hardware and removing default passwords.
read more →

Nexcorium Mirai Variant Exploits TBK DVR Vulnerability

🛡️ FortiGuard Labs analyzed exploitation of CVE-2024-3721 against TBK DVR devices that delivered a Mirai-style, multi-architecture botnet named Nexcorium. The campaign used a downloader called "dvr" (nexuscorp-prefixed binaries) and a custom "X-Hacked-By" HTTP header linked to a suspected "Nexus Team" actor. Nexcorium includes scanning, brute-force credential lists, multiple persistence methods, integrity checks, and a broad DDoS toolkit controlled by a central C2.
read more →

Attempted Exploitation of CVE-2023-33538 in TP‑Link Routers

🔎 Unit 42 observed automated scans targeting CVE-2023-33538 in several end-of-life TP‑Link routers (TL‑WR940N, TL‑WR740N, TL‑WR841N). Payloads resembled Mirai-like botnet binaries and attempted to download and execute an arm7 ELF, but in-the-wild attempts were flawed and generally failed. Emulation and reverse engineering confirmed a real command-injection flaw in the ssid1 parameter that reaches a system shell, but successful exploitation requires web authentication (default credentials like admin:admin remain a practical risk). TP‑Link lists the devices as EOL with no patches; Unit 42 recommends replacing affected units and avoiding default credentials while using layered protections.
read more →

PowMix botnet targets Czech workers with randomized C2

🔒 Cisco Talos researchers disclosed a previously undocumented botnet named PowMix that has been active against workers in the Czech Republic since at least December 2025. The campaign uses malicious ZIP attachments containing a Windows LNK that launches a PowerShell loader to extract and run the malware in memory while opening decoy compliance-themed documents. PowMix establishes persistence via a scheduled task, verifies process trees to avoid duplicate instances, and uses randomized beaconing intervals and REST-like C2 URL paths that embed encrypted heartbeat data and unique victim identifiers to evade network detections. The bot supports remote code execution, dynamic C2 migration, and self-deletion commands.
read more →

PowMix PowerShell Botnet Targets Czech Workforce Campaign

🔍 Cisco Talos identified an active PowerShell-based botnet dubbed PowMix, operating since at least December 2025 and targeting organizations and job applicants in the Czech Republic. The campaign deploys phishing ZIP archives containing LNK shortcuts that launch an obfuscated PowerShell loader which bypasses AMSI and executes a decrypted payload in memory. Talos observed tactical overlap with ZipLine and published IOCs and detection guidance.
read more →

Mirax Android RAT Turns Devices into SOCKS5 Proxies

📱 Mirax is a newly observed Android Remote Access Trojan distributed via Meta advertisements that reached over 220,000 accounts, primarily in Spanish-speaking countries. According to Cleafy, Mirax pairs conventional RAT capabilities—keystroke capture, overlays, camera and SMS access—with an embedded SOCKS5 residential proxy implemented over Yamux to route attacker traffic through victim IPs. The threat uses GitHub-hosted droppers, selectable crypters (Virbox, Golden Crypt), and multi-stage installation flows that request accessibility permissions to persist and evade analysis. Researchers note the platform is offered as a selective MaaS to vetted affiliates, increasing its operational and monetization potential.
read more →

ThreatsDay: Hybrid P2P Botnet and Old Flaws Resurface

🛡️ A concise roundup of the week's notable incidents: a resilient hybrid variant of Phorpiex combines HTTP C2 polling with a P2P protocol to survive takedowns, while a 13‑year‑old chainable flaw in Apache ActiveMQ (CVE-2026-34197) can yield stealthy RCE if left unpatched. Industry data show record cyber‑fraud losses and a spike in AI‑assisted DDoS tactics. Multiple supply‑chain and platform abuses—from trojanized developer tools to malicious PyPI packages and SaaS notification phishing—underscore the need to patch, audit, and harden AI integrations.
read more →

Chaos Malware Targets Misconfigured Cloud Deployments

🔍 Cybersecurity firm Darktrace has identified a new variant of the Chaos botnet that targets misconfigured cloud deployments, expanding the malware's focus beyond routers and edge devices. The 64-bit ELF binary was delivered to a deliberately misconfigured Hadoop honeypot via an HTTP request that created an application embedding shell commands to fetch and execute the payload from pan.tenire[.]com. The updated sample removes SSH- and router-based spread features and instead implements a SOCKS proxy, enabling compromised hosts to relay attacker traffic and broadening the botnet's monetization and evasion capabilities.
read more →

Botnet DDoS Escalation: AI, IoT, and Multiterabit Threats

📈 NETSCOUT’s ATLAS platform recorded more than 8 million DDoS attacks across 203 countries during the second half of 2025, revealing a decisive shift toward multiterabit capacity and AI-enabled operations. IoT-based botnets such as Aisuru and TurboMirai variants produced demonstration floods up to 30Tbps and 4Gpps, while dark-web LLMs and conversational interfaces lowered the barrier for complex, multivector campaigns. Persistent pressure on DNS root servers and NTP services highlighted the importance of globally distributed, intelligence-driven defenses.
read more →

Masjesu (XorBot) Botnet: Stealthy DDoS-for-Hire Service

🛡️Masjesu, also tracked as XorBot, is a stealthy DDoS-for-hire botnet that targets diverse IoT devices including routers, gateways, cameras, DVRs and NVRs. First observed in 2023 and updated through 2024, it uses XOR-based obfuscation, avoids blocklisted ranges (including DoD IPs), and emphasizes persistence and low visibility. After binding a hard-coded TCP port (55988) the malware establishes persistence, disables common tools like wget and curl, and connects to remote controllers to receive flood commands. Its traffic is concentrated in Vietnam, Ukraine, Iran, Brazil, Kenya and India, with Vietnam accounting for nearly half of observed activity.
read more →

Over 1,000 Exposed ComfyUI Instances Targeted — Miner Botnet

🛡️ An active campaign is exploiting internet-exposed ComfyUI instances to recruit them into a cryptomining and proxy botnet. Censys researchers found attacker tooling that scans cloud IP ranges, abuses unsafe custom nodes for unauthenticated remote code execution, and installs miners (XMRig, lolMiner) and a Hysteria V2 proxy. The payloads persist via periodic retrieval of a ghost.sh script and use techniques such as LD_PRELOAD and chattr +i to resist removal, while a Flask-based C2 panel provides centralized control. Defenders are advised not to expose ComfyUI publicly, to require authentication, and to remove or audit any nodes that execute raw Python.
read more →

Russian Operator Gets 2-Year Term for TA551 Botnet Role

⚖️ The U.S. Department of Justice sentenced Russian national Ilya Angelov to two years in prison and fined him $100,000 for operating a botnet that enabled ransomware attacks against American companies. Angelov, 40, of Tolyatti, used aliases "milan" and "okart" and co‑managed the Russia‑based cybercriminal group TA551, which distributed malware-laden spam and sold access to compromised machines. Prosecutors say TA551 sold bot access to groups behind BitPaymer and IcedID, contributing to millions in extortion payments.
read more →

Russian Man Sentenced for Running Ransomware Botnet

🔒 Ilya Angelov, a 40-year-old Russian national who used the handles milan and okart, was sentenced to two years in prison after admitting he managed the Mario Kart phishing botnet that helped deliver ransomware. The botnet distributed malware via massive spam campaigns—up to 700,000 emails per day—and at its peak infected about 3,000 machines daily. Authorities linked the botnet to BitPaymer attacks on 72 U.S. companies, resulting in over $14 million in extortion payments.
read more →

Dismantling Major Botnets Disrupts Global DDoS Rings

🛡️ Law enforcement in Germany, Canada and the United States have jointly disrupted two of the world’s largest DDoS botnets, taking critical infrastructure offline and seizing evidence. The operation targeted Aisuru, which infected poorly secured IoT devices, and the related Kimwolf, which focused on Android and consumer devices. Authorities recovered multiple data carriers and seized five-figure cryptocurrency holdings, though arrests were limited and the criminal network is not yet fully dismantled.
read more →

Musician Pleads Guilty in $10M AI-Powered Streaming Fraud

🎵 North Carolina musician Michael Smith pleaded guilty to running a multi-year streaming fraud that generated over $10 million in illicit royalties. Smith purchased hundreds of thousands of AI-generated songs and uploaded them to Spotify, Apple Music, Amazon Music, and YouTube Music, then used automated bots routed through VPNs to create billions of fake streams between 2017 and 2024. Prosecutors say he ran more than 1,000 bot accounts, agreed to $8,091,843.64 in forfeiture, and faces up to five years in prison after pleading to one count of conspiracy to commit wire fraud.
read more →

International Takedown Disrupts Four Major IoT Botnets

🚨 U.S., German, and Canadian authorities dismantled command-and-control infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad IoT botnets, seizing virtual servers, domains, and related assets. The Justice Department says the four botnets had ensnared more than three million devices and issued hundreds of thousands of DDoS commands, including record-setting attacks by Aisuru. Private firms such as Akamai assisted, warning the campaigns disrupted ISP services and even targeted government IPs including DoDIN.
read more →