CyberSecurity news

FlagThis - #botnet

@cyberinsider.com //
Law enforcement agencies across North America and Europe have taken action against users of the Smokeloader botnet in a follow-up to Operation Endgame, a major takedown that occurred in May 2024. This new phase targets the demand side of the cybercrime economy, focusing on individuals who purchased access to compromised computers through Smokeloader’s pay-per-install service, which was operated by the cybercriminal known as "Superstar". Authorities have arrested at least five individuals, conducted house searches, and interrogated suspects linked to the use of the Smokeloader botnet. In addition to arrests, servers used by the Smokeloader botnet's customers have also been seized.

Evidence used to identify and apprehend the Smokeloader users came from backend databases obtained during the initial Operation Endgame takedown. These databases contained information about who had purchased access to the infected machines, allowing investigators to match usernames and payment information to real-world identities. The customers of the Smokeloader botnet were using the access to deploy various types of malware, including ransomware, spyware, and cryptominers for their own illicit activities. Some suspects were found to be reselling the Smokeloader access for profit, adding another layer to the investigation.

The investigation remains open, and authorities are continuing to work through leads, with more actions expected. Europol has launched a dedicated website, operation-endgame.com, to collect tips and provide updates on the operation. Law enforcement agencies are sending a clear message that they are committed to disrupting the cybercrime ecosystem by targeting not only the operators of malicious services but also the individuals who use and fund them. Officials said that the malware's customers faced various consequences ranging from "knock and talks," full house searches, all the way to arrests.

References:
  • bsky.app: In follow-up activity for Operation Endgame, law enforcement tracked down Smokeloader botnet's customers and detained at least five individuals.
  • cyberinsider.com: Nearly a year after the landmark Operation Endgame dismantled the infrastructure behind several major malware droppers, law enforcement agencies have launched a follow-up offensive targeting the demand side of the cybercrime economy. Authorities across Europe and North America arrested five individuals, conducted house searches, and interrogated suspects linked to the use of the SmokeLoader …
  • Metacurity: ICYMI, Operation Endgame bust a boatload of customers of the Smokeloader pay-per-install botnet, operated by the actor known as ‘Superstar’ as outlined in the joint operation's season two premiere video episode.
  • BleepingComputer: Police detains Smokeloader malware customers, seizes servers
  • CyberInsider: ‘Operation Endgame’ Leads to Five Arrests in SmokeLoader Botnet Crackdown
  • DataBreaches.Net: Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns
  • hackread.com: Smokeloader Users Identified and Arrested in Operation Endgame
  • www.scworld.com: Operation Endgame follow-up cracks down on Smokeloader botnet
  • The Register - Security: Officials teased more details to come later this year. Following the 2024 takedown of several major malware operations under Operation Endgame, law enforcement has continued its crackdown into 2025, detaining five individuals linked to the Smokeloader botnet.…
  • www.itpro.com: Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up sting
  • The Hacker News: Europol Arrests Five SmokeLoader Clients Linked by Seized Database Evidence

Alex Delamotte@sentinelone.com //
AkiraBot, an AI-powered botnet, has been identified as the source of a widespread spam campaign targeting over 80,000 websites since September 2024. This sophisticated framework leverages OpenAI's API to generate custom outreach messages tailored to the content of each targeted website, effectively promoting dubious SEO services. Unlike typical spam tools, AkiraBot employs advanced CAPTCHA bypass mechanisms and network detection evasion techniques, posing a significant challenge to website security. It achieves this by rotating attacker-controlled domain names and using AI-generated content, making it difficult for traditional spam filters to identify and block the messages.

AkiraBot operates by targeting contact forms and chat widgets embedded on small to medium-sized business websites. The framework is modular and specifically designed to evade CAPTCHA filters and avoid network detections. To bypass CAPTCHAs, AkiraBot mimics legitimate user behavior, and uses services like Capsolver, FastCaptcha, and NextCaptcha. It also relies on proxy services like SmartProxy, typically used by advertisers, to rotate IP addresses and maintain geographic anonymity, preventing rate-limiting and system-wide blocks.

The use of OpenAI's language models, specifically GPT-4o-mini, allows AkiraBot to create unique and personalized spam messages for each targeted site. By scraping site content, the bot generates messages that appear authentic, increasing engagement and evading traditional spam filters. While OpenAI has since revoked the spammers' account, the four months the activity went unnoticed highlight the reactive nature of enforcement and the emerging challenges AI poses to defending websites against spam attacks. This sophisticated approach marks a significant evolution in spam tactics, as the individualized nature of AI-generated content complicates detection and blocking measures.

References:
  • cyberinsider.com: AI-Powered AkiraBot Operation Bypasses CAPTCHAs on 80,000 Sites
  • hackread.com: New AkiraBot Abuses OpenAI API to Spam Website Contact Forms
  • www.sentinelone.com: AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale
  • The Hacker News: Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO.
  • Cyber Security News: AkiraBot’s CAPTCHA‑Cracking, Network‑Dodging Spam Barrage Hits 80,000 Websites
  • securityaffairs.com: AkiraBot: AI-Powered spam bot evades CAPTCHA to target 80,000+ websites
  • gbhackers.com: AkiraBot Floods 80,000 Sites After Outsmarting CAPTCHAs and Slipping Past Network Defenses
  • cyberpress.org: AkiraBot’s CAPTCHA‑Cracking, Network‑Dodging Spam Barrage Hits 80,000 Websites
  • www.scworld.com: Sweeping SMB site targeting conducted by novel AkiraBot spamming tool
  • 404 Media: Scammers Used OpenAI to Flood the Web with SEO Spam
  • CyberInsider: AI-Powered AkiraBot Operation Bypasses CAPTCHAs on 80,000 Sites
  • hackread.com: New AkiraBot Abuses OpenAI API to Spam Website Contact Forms, 400,000 Impacted
  • bsky.app: Scammers used OpenAI as part of a bot that flooded the web with SEO spam. Also bypassed CAPTCHA https://www.404media.co/scammers-used-openai-to-flood-the-web-with-seo-spam/
  • Security Risk Advisors: SentinelOne's analysis of AkiraBot's capabilities and techniques.
  • www.sentinelone.com: SentinelOne blog post about AkiraBot spamming chats and forms with AI pitches.
  • arstechnica.com: OpenAI’s GPT helps spammers send blast of 80,000 messages that bypassed filters
  • Ars OpenForum: OpenAI’s GPT helps spammers send blast of 80,000 messages that bypassed filters
  • Digital Information World: New AkiraBot Targets Hundreds of Thousands of Websites with OpenAI-Based Spam
  • TechSpot: Sophisticated bot uses OpenAI to bypass filters, flooding over 80,000 websites with spam
  • futurism.com: OpenAI Is Taking Spammers' Money to Pollute the Internet at Unprecedented Scale
  • PCMag Middle East ai: Scammers Use OpenAI API to Flood 80,000 Websites With Spam
  • www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
  • securityonline.info: AkiraBot: AI-Powered Spam Bot Floods Websites with Personalized Messages
  • PCMag UK security: Scammers Use OpenAI API to Flood 80,000 Websites With Spam
  • www.pcmag.com: PCMag article about the use of GPT-4o-mini in the AkiraBot spam campaign.
  • Virus Bulletin: SentinelLABS researchers look into AkiraBot, a framework used to spam website chats and contact forms en masse to promote a low-quality SEO service. The bot uses OpenAI to generate custom outreach messages & employs multiple CAPTCHA bypass mechanisms.
  • Daily CyberSecurity: Spammers are constantly adapting their tactics to exploit new digital communication channels.

@securityonline.info //
GreyNoise has observed a significant surge, approximately three times the typical level, in exploitation attempts targeting TVT NVMS9000 DVRs. The peak of this activity occurred on April 3, 2025, with over 2,500 unique IP addresses involved in scanning for vulnerable devices. This vulnerability is an information disclosure flaw that allows attackers to gain administrative control over affected systems, essentially bypassing authentication and executing commands without restriction. Countless prior reports have identified the TVT NVMS9000 DVR as a target for botnet recruitment, including a GreyNoise update in early March 2025.

The exploitation activity is strongly suspected to be associated with the Mirai botnet, a notorious threat known for targeting vulnerabilities in IoT devices. GreyNoise has identified sufficient overlap with Mirai to support this attribution. Manufactured by TVT Digital Technology Co., Ltd., based in Shenzhen, the NVMS9000 DVRs are used in security and surveillance systems for recording, storing, and managing video footage from security cameras. The company reports serving customers in over 120 countries.

The majority of the malicious IP addresses involved in the exploitation attempts originate from the Asia-Pacific (APAC) region, specifically Taiwan, Japan, and South Korea. However, the top target countries are the United States, United Kingdom, and Germany. Organizations using the NVMS9000 DVR or similar systems are advised to take immediate action to secure their devices. Recommended mitigations include blocking known malicious IP addresses, applying all available patches, restricting public internet access to DVR interfaces, and closely monitoring network traffic for signs of unusual scanning or exploitation attempts.

References:
  • The GreyNoise Blog: GreyNoise Observes 3X Surge in Exploitation Attempts Against TVT DVRs — Likely Mirai
  • bsky.app: New Mirai botnet behind surge in TVT DVR exploitation
  • BleepingComputer: New Mirai botnet behind surge in TVT DVR exploitation
  • securityonline.info: TVT DVRs Under Siege: Massive Exploitation Attempts Expose Critical Flaw
  • The DefendOps Diaries: Explore the resurgence of the Mirai botnet, its global impact, and advanced exploitation techniques targeting IoT devices.
  • Cyber Security News: GreyNoise has detected a significant rise in exploitation attempts targeting TVT NVMS9000 DVRs, a line of digital video recorders primarily used in security and surveillance systems.
  • www.scworld.com: Deluge of TVT DVR exploitation attempts likely due to Mirai-based botnet
  • bsky.app: A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs has been detected, peaking on April 3, 2025, with over 2,500 unique IPs scanning for vulnerable devices.
  • cyberpress.org: Mirai Botnet Variant Targets TVT DVRs to Seize Administrative Control

info@thehackernews.com (The Hacker News) //
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.

The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat.

References:
  • securityonline.info: Outlaw Linux Malware: Persistent Threat Leveraging Simplicity
  • www.scworld.com: Additional details on Outlaw Linux cryptomining botnet emerge
  • Cyber Security News: Attackers aim to find zero-days in the PAN-OS gateways they can exploit.
  • The Hacker News: Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials.

Pierluigi Paganini@Security Affairs //
A critical command injection vulnerability, CVE-2025-1316, affecting Edimax Internet of Things (IoT) devices is being exploited to spread Mirai malware. According to reports, multiple botnets are actively targeting Edimax IP cameras, exploiting the flaw to compromise devices and incorporate them into their networks. The attacks involve leveraging default credentials to facilitate the deployment of Mirai, known for orchestrating distributed denial-of-service (DDoS) attacks.

Initial exploitation attempts were observed as early as May 2024, with increased activity in September and again from January to February 2025. Although a proof-of-concept exploit has been available since June 2023, the intrusions highlight the ongoing risk posed by unpatched vulnerabilities in IoT devices. Edimax has stated that the affected IP cameras have been end-of-life for over 10 years and that it is unable to provide patches. Organizations are urged to update software and firmware.

References:
  • gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
  • MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
  • www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
  • cyble.com: One of the most concerning vulnerabilities in the new CISA catalog is , which affects the Edimax IC-7100 IP Camera. This vulnerability, identified on March 4, 2025, is an OS Command Injection Vulnerability that allows attackers to execute arbitrary commands on the device remotely.
  • chemical-facility-security-news.blogspot.com: CISA Adds Edimax Vulnerability to KEV Catalog
  • securityaffairs.com: U.S. CISA adds Edimax IC-7100 IP Camera, NAKIVO, and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog

Matan Mittelman@Cato Networks //
The Ballista botnet is actively exploiting CVE-2023-1389, a remote code execution vulnerability in TP-Link Archer routers, to spread across the internet. Cato Networks' Cato CTRL researchers have uncovered this new IoT threat, linking it to an Italian threat actor due to IP addresses and Italian language strings found in the malware binaries. Since its detection in January 2025, Ballista has targeted organizations in the U.S., Australia, China, and Mexico, impacting sectors like manufacturing, healthcare, technology, and services.

This botnet leverages a vulnerability in TP-Link Archer AX-21 routers that allows unauthorized command execution through manipulated country parameters in router APIs. Despite patches being available, over 6,000 internet-exposed devices remain vulnerable, according to Censys. Once installed, the malware establishes a TLS-encrypted command-and-control (C2) channel on port 82, enabling full device control, DDoS attack execution, and shell command execution. The threat actor is also transitioning to Tor-based C2 domains to complicate tracking and takedowns.

References:
  • bsky.app: New Ballista botnet found. Author seems to be from Italy; targets TP-Link Archer routers; used for DDoS accounts; unique code, not based on Mirai or Mozi.
  • Secure Bulletin: The Ballista Botnet: a new IoT threat with Italian roots
  • securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
  • Cato Networks: Cato CTRL™ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
  • The Hacker News: Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
  • CyberInsider: TP-Link Archer Routers Under Attack by New IoT Botnet ‘Ballista’
  • Blog: New Ballista botnet targets vulnerabilities in popular TP-Link routers
  • www.cybersecuritydive.com: Emerging botnet exploits TP-Link router flaw posing risk to US organizations
  • www.cybersecurity-insiders.com: Cato CTRL researchers observed a new botnet, called Ballista botnet, which is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers. The CVE-2023-1389 flaw is an unauthenticated command injection […]
  • community.emergingthreats.net: The Ballista Botnet: a new IoT threat with Italian roots
  • www.techradar.com: This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
  • Schneier on Security: TP-Link Router Botnet

Pierluigi Paganini@Security Affairs //
A critical command injection vulnerability, identified as CVE-2025-1316, impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. This flaw allows attackers to achieve remote command execution, potentially leading to denial-of-service. Mirai-based botnets are actively exploiting this zero-day vulnerability.

Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets.

References:
  • securityaffairs.com: US CISA warns that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras.
  • www.bleepingcomputer.com: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • securityonline.info: CISA Warns of Critical Edimax IP Camera Flaw (CVE-2025-1316) with Public Exploits and No Vendor Fix
  • The DefendOps Diaries: Understanding and Mitigating the Edimax IP Camera Vulnerability
  • www.techradar.com: Edimax IC-7100 camera was found vulnerable to a command injection flaw currently being used in remote code execution attacks.
  • www.scworld.com: Edimax IP camera zero-day
  • gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
  • MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
  • www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
  • bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months.

Bill Mann@CyberInsider //
A newly discovered botnet, Eleven11bot, has infected over 30,000 internet-connected devices. These compromised devices, primarily security cameras and Network Video Recorders (NVRs), are being actively used to launch Distributed Denial of Service (DDoS) attacks. The botnet's malicious activity has been directed towards critical telecom infrastructure and gaming websites, causing significant disruptions.

The activity of Eleven11bot has been traced back to Iran, with the infected devices distributed globally. Security researchers have discovered the botnet is being used to carry out brute force attacks on login pages. Weak or reused passwords are being exploited to take control of vulnerable devices. Regular updates to device firmware, frequent password changes, and disabling remote access can significantly reduce the risk of these breaches.

References:
  • CyberInsider: Massive DDoS Botnet Eleven11bot Infects 30,000+ IoT Devices
  • www.cybersecurity-insiders.com: DDoS attacks by 30k botnets and IBM n Vodafone safe internet from quantum computing attacks
  • securityaffairs.com: New Eleven11bot botnet infected +86K IoT devices
  • www.scworld.com: Over 86K devices impacted by novel global Eleven11bot botnet
  • www.techradar.com: Another huge new botnet is infecting thousands of webcams and video recorders for DDoS attacks
  • aboutdfir.com: Massive botnet that appeared overnight is delivering record-size DDoSes A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.
  • The GreyNoise Blog: A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks.
  • WIRED: Eleven11bot infects webcams and video recorders, with a large concentration in the US.

@Talkback Resources //
A new variant of the Vo1d botnet has resurfaced, infecting 1.6 million Android TV devices worldwide. Security researchers at XLab have identified the malware, noting enhanced capabilities that sustain its rapid growth. The infected devices are recruited into a botnet controlled by a command-and-control server, enabling cybercriminals to perform malicious activities.

The infected Android TV devices are then directed by the command-and-control server to carry out illegal activities, including DDoS attacks and ad click fraud. Protection against Vo1d begins at the purchase of an Android TV device: make sure you buy from a reputable brand and retailer. Malware can be pre-installed on Android TV devices, either by the device manufacturer or introduced by a middleman along the production chain.

References:
  • CyberInsider: Vo1d Botnet Resurfaces, Infects 1.6 Million Android TVs Worldwide
  • securityaffairs.com: Enhanced capabilities sustain the rapid growth of Vo1d botnet
  • PCWorld: New botnet malware infects 1.6 million Android TV devices worldwide
  • The420.in: Vo1d Botnet Expands to 1.59 Million Infected Android TVs, Fueling Massive Cybercrime Operations
  • Cyber Security News: Vo1d Botnet Hacks 1.6 Million Android TVs Worldwide
  • Talkback Resources: Vo1d Botnet Evolves as It Ensnares 1.6 Million Android TV Boxes [net] [mal]
  • Techzine Global: Android TV botnet Vo1d grows explosively and bypasses security
  • Talkback Resources: Recent cybersecurity incidents highlight the importance of network security, government regulations, and vulnerability management, including the PolarEdge botnet targeting network edge devices and Xerox VersaLink printer flaws potentially leading to credential compromise.
  • Talkback Resources: Vo1d Botnet Evolves as It Ensnares 1.6 Million Android TV Boxes
  • Talkback Resources: Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries [net] [mal]
  • The Hacker News: Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries
  • heise online English: New version of Vo1d botnet on hundreds of thousands of devices with Android TV
  • www.cysecurity.news: Android TV Users Watch Out: Dangerous Vo1d Botnet Hits 1.6 Million Devices

@securityonline.info //
The BADBOX botnet has infected over 190,000 Android devices, including high-end products like Yandex 4K QLED TVs. This botnet's widespread infection is attributed to supply chain vulnerabilities, potentially involving pre-installed malware embedded during the manufacturing or distribution phases. This discovery highlights the significant security risks associated with compromises in the supply chain of Android devices.

A recent investigation revealed over 160,000 unique IP addresses communicating with BADBOX command-and-control servers daily. These infections are concentrated in countries like Russia, China, India, Brazil, Belarus, and Ukraine. The BADBOX malware is believed to originate from the Triada family of Android malware, known for its stealth. Once activated, infected devices are transformed into residential proxies, enabling cybercriminals to route internet traffic through them for illegal activities and ad fraud.

References:
  • Cyber Security News: CyberPress article about the BADBOX botnet infection of Android devices, including LED TVs.
  • gbhackers.com: GBHackers article reporting on the BADBOX botnet.
  • securityonline.info: Security Online article on the BADBOX botnet infecting Android devices with pre-installed malware.
  • cyberpress.org: Cyberpress.org article on BADBOX botnet and the affected devices.
  • securityonline.info: SecurityOnline article about BADBOX botnet and pre-installed malware targeting Android devices.
  • gbhackers.com: The BADBOX botnet, a sophisticated malware operation targeting Android-based devices, has now infected over 192,000 systems globally.

Cybereason Security Services Team@Blog //
The Phorpiex botnet, previously known for spam and cryptocurrency mining, has been observed distributing LockBit Black ransomware, also known as LockBit 3.0. This new attack vector signifies a significant shift in the botnet's operations, now focusing on automated ransomware deployment through compromised websites and phishing emails. The malicious activity begins with phishing emails that contain malicious SCR files. When these files are executed, they establish a connection with a command-and-control server, download the LockBit binary, and execute the ransomware payload to begin file encryption.

Unlike traditional ransomware tactics that involve human operators and attempts at lateral movement within a network, this variant focuses on immediate execution of LockBit, reducing the attack's footprint and making it harder to detect. Phorpiex and LockBit employ various anti-detection strategies, such as deleting URL caches, obfuscating function calls, removing Zone.Identifier metadata, and modifying the Windows registry, all to ensure the ransomware runs automatically. This shift highlights the increasing trend of botnets being used as a tool for ransomware attacks.

References:
  • cyberpress.org: Phorpiex botnet Host on Hacked Website to Launch LockBit Ransomware on Windows
  • securityonline.info: Phorpiex Botnet Now Deploying LockBit Ransomware in Automated Attacks
  • Virus Bulletin: Cybereason's Mahadev Joshi & Masakazu Oku investigate the Phorpiex botnet, which has been used to deliver and execute LockBit Black Ransomware (a.k.a. LockBit 3.0).
  • Blog: Cybereason's Mahadev Joshi & Masakazu Oku investigate the Phorpiex botnet, which has been used to deliver and execute LockBit Black Ransomware (a.k.a. LockBit 3.0).

@www.bleepingcomputer.com //
A new Mirai botnet variant, named Aquabot, has emerged, actively exploiting a command injection vulnerability, identified as CVE-2024-41710, in Mitel SIP phones. This malware targets Mitel 6800, 6900, and 6900w series phones, including the 6970 Conference Unit, and is being used to construct a botnet for launching distributed denial-of-service (DDoS) attacks. The Aquabot malware utilizes previously published proof-of-concept code to spread to vulnerable devices.

The Aquabot botnet stands out due to its novel ability to communicate with its command and control server when it detects a kill signal attempting to terminate the malware on an infected device. This behaviour is new for a Mirai variant, and could be a method for the botnet author to monitor its health. The exploit, discovered in January 2025, roughly six months after the vulnerability was publicly disclosed by Mitel, injects a shell script that downloads and executes the Mirai malware onto targeted systems.

References:
  • ciso2ciso.com: Aquabot Botnet Targeting Vulnerable Mitel Phones – Source: www.securityweek.com
  • ciso2ciso.com: A Mirai-based malware family, Aquabot, started targeting vulnerable Mitel SIP phones to build a botnet for DDoS attacks.
  • The Register: A new variant of the Mirai-based malware Aquabot is actively exploiting a vulnerability in Mitel phones to build a remote-controlled botnet, according to Akamai's Security Intelligence and Response Team.
  • go.theregister.com: Why is my Mitel phone DDoSing strangers?
  • Pyrzout :vm:: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet – Source: go.theregister.com
  • ciso2ciso.com: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet
  • The Hacker News: New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks
  • www.theregister.com: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet
  • www.bleepingcomputer.com: New Aquabotv3 Botnet Malware Targets Mitel Command Injection Flaw
  • AAKL: The Register: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet
  • gbhackers.com: New Aquabot Malware Actively Exploiting Mitel SIP phones injection vulnerability
  • securityaffairs.com: Aquabot, a new variant of Mirai-based malware, actively targeting Mitel SIP phones.
  • BleepingComputer: New Aquabotv3 botnet malware targets Mitel command injection flaw