Researchers observed over 21,000 command-and-control (C2) servers between July and December 2025. Along with this growth, attackers are increasingly using infected devices as residential proxies, not just for DDoS attacks.

This rise also aligns with a surge in massive DDoS campaigns. Reports highlight “hyper-volumetric” attacks, including one reaching 31.4 Tbps, showing how far these botnets have evolved. At the same time, botnet activity has sharply increased after a period of stability, indicating a renewed wave of large-scale operations.

Evolution of Mirai-Based Botnets

Mirai first appeared in 2016, targeting internet-connected devices such as routers and IoT systems that often rely on weak or default credentials. Once compromised, these devices are added to a botnet that can launch high-volume traffic floods across multiple layers.

The public release of Mirai’s source code played a major role in its growth. It allowed attackers to create multiple variants, each adding new capabilities while keeping the core attack techniques intact.

One well-known variant, Satori, rapidly spread by exploiting vulnerabilities in routers, especially through command injection flaws. It used automated scripts to download and execute malware across different device architectures, allowing infections to scale quickly without user interaction.

Expanding Capabilities and Abuse Techniques

Modern Mirai botnets are no longer limited to DDoS attacks. They are now being used in more advanced and flexible ways, increasing their overall impact.

Key capabilities seen in recent campaigns include:

• Large-scale DDoS attacks reaching record-breaking volumes
• Use of infected devices as residential proxy networks
• Automated exploitation of IoT vulnerabilities
• Multi-architecture malware deployment for wider coverage
• Stealthier operations to avoid detection

Aisuru-Kimwolf Expanding DDoS and Proxy Abuse

Newer botnet families like Aisuru and Kimwolf have taken Mirai-based threats to the next level. These botnets are now used not only for massive DDoS attacks but also as residential proxy networks that can be rented for cybercrime activities.

Security reports have linked Aisuru-Kimwolf to extremely large attacks, including one reaching 31.4 Tbps. These attacks often generate massive traffic with billions of packets per second, using random patterns to avoid basic detection and filtering systems.

At the same time, Kimwolf, which targets Android devices, is being used to exploit residential proxy services. Attackers use these networks to access internal systems, infect devices like smart TVs and smartphones, and then sell that access for activities such as fraud and credential stuffing.

Ongoing Threat and Defensive Focus

Law enforcement and tech companies have started taking action against these botnets by targeting their command-and-control infrastructure and disrupting the platforms used to manage proxy networks.

However, these efforts have not fully stopped the threat. Mirai-based botnets continue to survive and grow because many devices remain unpatched, especially routers and Android systems. Attackers can also quickly rebuild their infrastructure after disruptions.

For defenders, the focus should remain on strong basic security practices:

• Keep routers and IoT devices updated
• Monitor unusual outbound traffic
• Secure Android and edge devices
• Track indicators linked to Mirai variants

As these botnets continue to evolve, they are becoming more powerful and more versatile, combining large-scale disruption with stealthy abuse of network access.

The post Mirai Botnets Now Driving DDoS and Proxy Abuse appeared first on First Hackers News.

DDoS attacks aim to overload a target’s online services by flooding them with excessive traffic, causing them to crash.

The Mirai botnet, known for exploiting IoT devices, is notorious for gathering large numbers of compromised devices to carry out these attacks.In this case, the attack came from more than 13,000 IoT devices, highlighting the botnet’s powerful capabilities.

The historic attack lasted only 80 seconds but showed the massive traffic modern DDoS attacks can generate.

Cloudflare’s infrastructure handled the attack automatically, with no human help needed. The attack was highly efficient, with each unique source IP contributing less than 8 Gbps, averaging about 1 Gbps per second.

Cloudflare’s analysis revealed that 49% of DDoS attacks in Q4 2024 were Layer 3/Layer 4 attacks, while 51% were HTTP-based attacks.

The Mirai botnet’s ability to launch such a powerful attack highlights an alarming trend in DDoS techniques, as botnets evolve to bypass security measures.

The recent quarter saw a massive 1,885% increase in hyper-volumetric attacks over 1 Tbps compared to the previous quarter.

This rise in bandwidth indicates growing scale and sophistication of DDoS threats, posing major challenges for network security providers and businesses.

The October 29 attack highlighted the need for strong, proactive DDoS mitigation strategies.

As DDoS attacks grow in size, traditional protection methods are less effective, requiring advanced solutions to handle the massive traffic volumes.

The Mirai botnet’s involvement in this record attack highlights a critical cybersecurity vulnerability.

Many IoT devices, like smart TVs and home appliances, often lack sufficient security, making them easy targets for hijacking.

This incident calls on both manufacturers and consumers to prioritize security to prevent IoT devices from being turned into botnets.

Following the 5.6 Tbps attack, experts emphasize the need for organizations to implement robust DDoS protection strategies in advance.

Cloudflare also reported a rise in Ransom DDoS attacks during the 2024 holiday season, which can severely disrupt businesses and lead to significant financial losses.

Cloudflare’s defenses effectively handled the attack, demonstrating the importance of automated, real-time DDoS protection.

Their autonomous systems successfully mitigated the attack, highlighting the importance for organizations to invest in strong cybersecurity infrastructures that can adapt to emerging threats.

The record-breaking 5.6 Tbps DDoS attack highlighted the growing challenges in cyber defense, particularly the risks posed by unsecured IoT devices. This incident underscores the need for robust, automated DDoS protection solutions to defend against emerging threats. The future of cybersecurity depends on our ability to adapt, innovate, and respond quickly to increasingly sophisticated attacks.

The post Mirai Botnet Launches Record-Breaking 5.6 Tbps DDoS Attack appeared first on First Hackers News.

Campaign Overview

Matrix’s operation highlights how public scripts and open-source tools enable large-scale cyberattacks. The actor targets vulnerabilities in IoT and enterprise devices, using brute-force attacks and weak credentials to build a botnet for global DDoS disruptions.

• Tools and Methods: Matrix uses public scripts to exploit vulnerabilities in routers, DVRs, cameras, and telecom equipment. Key vulnerabilities include CVE-2017-18368 (command injection in ZTE routers) and CVE-2021-20090 (Arcadyan firmware flaw).
• Targeted Devices: The focus is on IoT devices with weak security, such as IP cameras, routers, and DVRs. The campaign also targets enterprise systems with misconfigured services like Hadoop’s YARN and HugeGraph servers.
• Geographic Focus: The operation mainly targets devices in the Asia-Pacific region, particularly China and Japan, while avoiding Russia and Ukraine, indicating financial rather than political motives.

Technical Analysis

Matrix uses various tools to control and grow its botnet. Analysis of its GitHub repositories shows it relies on Python, Shell, and Golang scripts, often adapted from open-source projects.

This suggests a “script kiddie” approach, where pre-made tools are modified rather than created from the ground up.

Exploited Vulnerabilities

The campaign takes advantage of both recent and older vulnerabilities in various devices. Key vulnerabilities include:

• CVE-2024-27348 in HugeGraph, used for remote code execution.
• CVE-2022-30525 and CVE-2018-10562, targeting IoT devices to maintain botnet activity.

These vulnerabilities allow attackers to hijack devices and add them to a botnet used for DDoS attacks.

Findings by Aqua Nautilus highlight a troubling trend: the rise of cyberattacks by low-skilled actors, thanks to AI tools and readily available hacking resources. This poses new challenges for global cybersecurity efforts.

In response to threats like Matrix, organizations should:

• Strengthen Default Security: Change default passwords and update firmware on all network-connected devices.
• Implement Network Segmentation: Isolate critical systems from IoT devices to limit exposure.
• Monitor and Respond: Use advanced threat detection to spot and address unusual network activity quickly.

DDoS attacks can have a significant economic impact, disrupting businesses and infrastructure. Devices compromised by Matrix’s botnet could also be used in future attacks, escalating the threat.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Matrix Orchestrates Global DDoS Attack Campaign appeared first on First Hackers News.

A modified version of Mirai, it supports multiple CPU architectures and uses advanced techniques for long-term control of infected devices.

GorillaBot reigns as DDoS king

The botnet employs encryption algorithms used by the KekSec group to hide key information, showcasing its sophistication and evasiveness.

Gorilla Botnet targets critical infrastructure like universities, government sites, telecoms, and banks, showing its potential for major disruption.

A notorious DDoS botnet launched over 300,000 attacks daily in September 2024, targeting victims in 113 countries using UDP Flood attacks.

China, the U.S., Canada, and Germany were heavily impacted, especially critical infrastructure organizations.

The botnet’s persistent targeting and use of proven methods pose a serious threat to global online services and infrastructure.

The GorillaBot trojan, a variant of Mirai, supports multiple architectures and connects randomly to one of five C&C servers for commands.

It offers a broader range of DDoS attack methods, including UDP, TCP, GRE, and specialized attacks on protocols like OpenVPN, Discord, and FiveM.

NSFOCUS analysis shows that GorillaBot uses encryption favored by the KekSec group to protect data, and the presence of lol.sh in its code suggests a possible link to KekSec.

This raises suspicions that GorillaBot may be connected to KekSec or using its methods to hide its origin.

GorillaBot shows greater persistence than typical Mirai botnets by using the “yarn_init” function to exploit a Hadoop YARN RPC vulnerability for high privileges.

To maintain operation, it creates a service file for automatic startup and tries to download a malicious script (“lol.sh”) at boot, user login, or through custom scripts.

Notably, the bot avoids honeypots by checking for the “/proc” filesystem first.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post GorillaBot reigns as DDoS king with 300,000+ commands appeared first on First Hackers News.

AhnLab’s ASEC researchers identified the mentioned campaign through their regular threat monitoring of database servers. According to ASEC, the operators of Ddostf either capitalize on vulnerabilities in outdated MySQL environments or persistently attempt to compromise servers by exploiting weak administrator accounts.

Cyber attackers scour the web for accessible MySQL servers, attempting credential brute-force attacks upon discovery. In the case of Windows MySQL servers, threat actors employ a technique known as user-defined functions (UDFs) to execute commands on the compromised system.

UDF is a MySQL feature enabling users to define functions in C or C++ and compile them into a dynamic link library (DLL) file, thereby expanding the database server’s capabilities.

In this scenario, adversaries generate their own UDFs and register them on the database server as a DLL file (amd.dll) containing the following malicious functions:

• Downloading payloads like the Ddostf DDoS bot from a remote server.
• Execute system-level commands sent by attackers.
• Save results of command execution to a temporary file and send them to attackers.

Exploiting the UDF provides a convenient method for loading the primary payload of this attack, namely the Ddostf malware client. Additionally, it opens avenues for installing other malware, exfiltrating data, establishing a persistent backdoor for sustained access, and more.

Ddostf, a Chinese-origin botnet detected seven years ago, targets both Linux and Windows systems. On Windows, it establishes persistence by registering as a system service during its initial run and decrypts the C2 (command and control) configuration for a connection.

The malware assesses the host’s system, transmitting data like CPU details, language settings, Windows version, and network speed to its command and control (C2). The C2 server can then issue DDoS attack commands, such as SYN Flood, UDP Flood, and HTTP GET/POST Flood, instruct the botnet to cease system state information transmission, change to a new C2 address, or download and execute a new payload.

ASEC notes that Ddostf’s capability to switch to a new C2 address distinguishes it from typical DDoS botnet malware, enhancing its resilience against countermeasures. The cybersecurity firm advises MySQL administrators to apply the latest updates and employ robust, unique passwords to safeguard administrator accounts against brute-force and dictionary attacks.

To safeguard your MySQL servers against the ‘Ddostf’ botnet, consider implementing the following preventive measures:

1. Regular Updates: Ensure your MySQL server is up-to-date with the latest security patches and updates. This helps address potential vulnerabilities that attackers might exploit.
2. Strong Authentication: Enforce the use of strong, complex passwords for MySQL accounts, especially for administrator accounts. This helps protect against brute-force and dictionary attacks.
3. Access Control: Restrict access to your MySQL server by configuring proper access controls. Only grant necessary permissions to users, and avoid using default or overly permissive settings.
4. Network Security: Implement network security best practices, such as firewalls and intrusion detection/prevention systems, to monitor and control traffic to and from your MySQL server.
5. Monitor for Anomalies: Set up monitoring systems to detect unusual activities or patterns that may indicate a potential DDoS attack or unauthorized access attempts.
6. User-defined Function (UDF) Security: If possible, restrict or carefully manage the use of user-defined functions (UDFs) within MySQL to prevent misuse by potential attackers.
7. Backup and Recovery: Regularly back up your MySQL databases and have a robust recovery plan in place. This ensures that you can quickly restore operations in case of a successful attack.
8. Security Awareness: Educate your team about security best practices and the risks associated with the ‘Ddostf’ botnet. Encourage a security-conscious culture within your organization.
9. Collaborate with Security Experts: Work closely with cybersecurity experts or firms to stay informed about emerging threats and to receive guidance on securing your MySQL infrastructure.
10. Incident Response Plan: Develop and regularly update an incident response plan to efficiently handle and mitigate the impact of a security incident, should one occur.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post MySQL: Servers Targeted by DDoS-as-a-Service, Ddostf appeared first on First Hackers News.

RapperBot

The RapperBot campaign is bringing in some fresh talent to its arsenal of malware beats, adding cryptomining capability to its existing distributed denial-of-service (DDoS) botnet malware in order to expand its financial horizons.

According to analysis by Fortinet’s FortiGuard Labs, the malware is a customized variant of the well-known XMRig Monero miner, tailored specifically for Intel x64 machines.

Once a device is infected, it becomes a node in the botnet, allowing the hacker to use it for various purposes. In many cases, owners of infected devices are completely unaware that their devices have been compromised, making botnets a particularly insidious threat.

XMRig is an open-source Monero miner, and its incorporation by a DDoS botnet that specializes in infesting consumer IoT gear makes sense, according to FortiGuard researchers.

FortiGuard analysts first noticed that something was new with RapperBot in late January, when they collected a significantly larger x64 sample than is common for the malware.

“On further analysis, we verified that the bot developers had merged the RapperBot C source code with the C++ code of XMRig Monero miner to create a combined bot client with mining capabilities,” they explained.

Merging the two together instead of deploying them separately offers a few advantages, according to the analysis. 

The Researchers discovered that the latest version supports the following commands:

• Perform DDoS attacks (UDP, TCP and HTTP GET)
• Stop DDoS attacks
• Terminate itself

IOCs – RapperBot

Files

RapperBot

7c9e6d63bc1f26e9c8a8703439e12de12da9892f2d6cd9bda5f45ec00c98a29f

912e151641f20f9d689c6ea26cf6f11d5ee0b6fdc4d4a1179fac413391748c65

f06d698967cee77e5a7bf9835b0a93394097e7590c156ed0d8c6304345701cfa

6c034ff9b5447da62822e3231e5e2d5db225756b3e216f6fc469469cb1d81813

dfaffe78b8ccb03626c2f55596f977da917e8e9a00ee7576ce9eca688d88447d

95aa6882f5ea5a892ef832ef15dea77261394a7fec6db9d91267d40f1cf2bfa5

XMRig miner

0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404

Bash scripts

bd87ac780e574ae8415907f88a3b48af578bb269308b56826e2f33438559e4b7

3296598c79748322dfff8eb786705d048725c04b23dd3a293f52a1acafe9e7ae

7f6e0fa785820075a61819ca6b272a239733b770eb8a92a4056cf5d26d89795f 

Download URLs

hxxp://109[.]206[.]243[.]207/d

hxxp://109[.]206[.]243[.]207/ssh/arm4

hxxp://109[.]206[.]243[.]207/ssh/arm5

hxxp://109[.]206[.]243[.]207/ssh/arm6

hxxp://109[.]206[.]243[.]207/ssh/arm7

hxxp://109[.]206[.]243[.]207/ssh/bot

hxxp://109[.]206[.]243[.]207/ssh/scan_arm4

hxxp://109[.]206[.]243[.]207/ssh/scan_arm5

hxxp://109[.]206[.]243[.]207/ssh/scan_arm6

hxxp://109[.]206[.]243[.]207/ssh/scan_arm7

hxxp://109[.]206[.]243[.]207/ssh/x86_64

hxxp://109[.]206[.]243[.]207/ssh/xmrig

hxxp://171[.]22[.]136[.]15/arm4

hxxp://171[.]22[.]136[.]15/arm5

hxxp://171[.]22[.]136[.]15/arm6

hxxp://171[.]22[.]136[.]15/arm7

C2s

109[.]206[.]243[.]207

171[.]22[.]136[.]15

Mining Pools

109[.]206[.]243[.]207:31271

109[.]206[.]243[.]207:25621

pool[.]hashvault[.]pro:80

Monero Wallets

43Zs6jyniktVUNfiN8NY16TrvFKWbx3qogoRvstuquZdVA8EXvhqhz1W4hUzpjQXHAf3pDQ8UXxegFh8G26uCycKPz41ceW

47RupsxSjeHb4sHMwJ681vbjpFHAwXg6kMn1znbioqy96Qj9j2VuHrD2mXsEReELEdjRsDVKBK3Ru3diW3AgZ41Z7mzDwb4

SSH Key

AAAAB3NzaC1yc2EAAAADAQABAAACAQC/yU0iqklqw6etPlUon4mZzxslFWq8G8sRyluQMD3i8tpQWT2cX/mwGgSRCz7HMLyxt87olYIPemTIRBiyqk8SLD3ijQpfZwQ9vsHc47hdTBfj89FeHJGGm1KpWg8lrXeMW+5jIXTFmEFhbJ18wc25Dcds4QCM0DvZGr/Pg4+kqJ0gLyqYmB2fdNzBcU05QhhWW6tSuYcXcyAz8Cp73JmN6TcPuVqHeFYDg05KweYqTqThFFHbdxdqqrWy6fNt8q/cgI30NBa5W2LyZ4b1v6324IEJuxImARIxTc96Igaf30LUza8kbZyc3bewY6IsFUN1PjQJcJi0ubVLyWyyJ554Tv8BBfPdY4jqCr4PzaJ2Rc1JFJYUSVVT4yX2p7L6iRpW212eZmqLMSoR5a2a/tO2s1giIlb+0EHtFWc2QH7yz/ZBjnun7opIoslLVvYJ9cxMoLeLr5Ig+zny+IEA3x090xtcL62X0jea6btVnYo7UN2BARziisZze6oVuOTCBijuyvOM6ROZ6s/wl4CQAOSLDeFIP5L1paP9V1XLaYLDBAodNaUPFfTxggH3tZrnnU8Dge5/1JNa08F3WNUPM1S1x8L2HMatwc82x35jXyBSp3AMbdxMPhvyYI8v2J1PqJH8OqGTVjdWe40mD2osRgLo1EOfP/SFBTD5VEo95K2ZLQ== system key generated by server 20220709

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post RapperBot Crew Drops DDoS/CryptoJacking Botnet Collab appeared first on First Hackers News.

SLP Vulnerability

The vulnerability –CVE-2023-29552 (CVSS score: 8.6), is said to impact more than 2,000 global organizations and over 54,000 SLP instances that are accessible over the internet.

This includes VMWare ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), SMC IPMI, and 665 other product types.

The collateral impact of SLP reflection/amplification attacks is potentially significant for organizations whose internet-exposed VMWare ESXi servers or other SLP-enabled systems can be abused as DDoS reflectors/amplifiers. This may include partial or full interruption of all applications and services in all virtual machines (VMs) running on these systems, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of NATs and stateful firewalls, etc.

“This flaw is easily exploitable and should be considered particularly dangerous to the global community given the large-scale amplification that can be achieved,” Pedro Umbelino, principal security researcher at BitSight, said via email.

Currently supported services, including ESXi 7.x and 8.x lines are not impacted by the amplification attack, according to VMware.

Mitigation

All potential DDoS attack mitigation/suppression measures described in this document *MUST* be tested and customized in a situationally-appropriate manner prior to deployment on production networks.

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks appeared first on First Hackers News.

The botnet “contains several modules, including self-replication, attacks for different protocols, and self-propagation,” Fortinet FortiGuard Labs researcher Cara Lin said. 

Affected platforms: Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity level: Critical

Zerobot targets i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.

Fortinet said there are 2 versions of Zerobot :

• The first one used before November 24 only contains basic functions.
• The current version has added a “selfRepo” module to reproduce itself and infect more endpoints with different protocols or vulnerabilities. 

This comprises vulnerabilities impacting TOTOLINK routers, Zyxel firewalls, F5 BIG-IP, Hikvision cameras, FLIR AX8 thermal imaging cameras, D-Link DNS-320 NAS, and Spring Framework, among others.

IOCs

C2:

176[.]65[.]137[.]5

Files:

7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc

df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722

cd9bd2a6b3678b61f10bb6415fb37ea6b9934b9ec8bb15c39c543fd32e9be7bb

50d6c5351c6476ea53e3c0d850de47059db3827b9c4a6ab4d083dfffcbde3579

7722abfb3c8d498eb473188c43db8abb812a3b87d786c9e8099774a320eaed39

2955dc2aec431e5db18ce8e20f2de565c6c1fb4779e73d38224437ac6a48a564

191ce97483781a2ea6325f5ffe092a0e975d612b4e1394ead683577f7857592f

447f9ed6698f46d55d4671a30cf42303e0bd63fe8d09d14c730c5627f173174d

e0766dcad977a0d8d0e6f3f58254b98098d6a97766ddac30b97d11c1c341f005

6c284131a2f94659b254ac646050bc9a8104a15c8d5482877d615d874279b822

5af002f187ec661f5d274149975ddc43c9f20edd6af8e42b6626636549d2b203

74f8a26eb324e65d1b71df9d0ed7b7587e99d85713c9d17c74318966f0bead0a

9c16171d65935817afd6ba7ec85cd0931b4a1c3bafb2d96a897735ab8e80fd45

b1d67f1cff723eda506a0a52102b261769da4eaf0551b10926c7c79a658061fd

f0bb312eacde86d533c922b87e47b8536e819d7569baaec82b9a407c68084280

2460434dabafe5a5dde0cce26b67f0230dbcd0d0ab5fabad1a1dbc289dc6432f

2af33e1ff76a30eb83de18758380f113658d298690a436d817bd7e20df52df91

4483c4f07e651ce8218216dd5c655622ff323bf3cdfe405ffeb69eafa75efad5

7c085185f6754aef7824c201d8443300ff2b104521d82f9a8b8feb5d4c8d3191

6ac49092ee1bdd55ddbf57df829f20aac750597d85b5904bb7bafa5b51fbb44d

f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f

6dd71163b6ab81a35ce373875a688ad9b31e0d1c292f02e8b2bafa7b3d1e3731

d88e9248ff4c983aa9ae2e77cf79cb4efc833c947ec2d274983e45c41bbe47e1

96bbb269fd080fedd01679ea82156005a16724b3cde1eb650a804fa31f18524e

439b2e500e82c96d30e1ef8a7918e1f864e6d706d944aeddffe61b8bf81ef6d3

af48b072d0070fa09bca0868848b62df5228c34ef24d233d8eb75a1fde8ac23f

5824fc51fcfba1a6315fd21422559d63c56f0e2192937085d65f9a0ac770eb3a

c9ea4cda12c14c895e23988229831b8f04ccab315c1cbc76a9efae888be55a3b

e2c2a0cccefc4314c110f3c0b887e5008073e607c61e1adde5000efb8e630d50

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post New Go-based Zerobot Botnet Exploiting Dozen of IoT Vulnerabilities to Expand its Network appeared first on First Hackers News.

Fodecha DDOS Botnet

Fodcha first came to light earlier this April, with the malware propagating through known vulnerabilities in Android and IoT devices as well as weak Telnet or SSH passwords.

The botnet achieved a new peak on Oct. 11, 2022, in which it attacked 1,396 targets, and currently has a global reach with targets infected in Brazil, Canada, Japan and Australia.

According to researchers, operators are now also able to embed ransom demands in the Data portion of Fodchas DDoS packets, informing victims that they seek payment of 10 XMR or Monero worth around $1,500 in exchange for stopping the attacks.

There have been changes made to the protocol used for communication between Fodcha and the users in the newly released version. At the file and traffic level, in an attempt to evade detection, the developers behind this botnet used two key algorithms to encrypt the sensitive resources and network communication. 

Two key algorithms used by the threat actors for encryption:-

• xxtea algorithm
• chacha20 algorithm

While as the primary choice C2, the developers presented the “OpenNIC domain name,” and as a dual C2 solution for backup C2 they presented the “ICANN domain name.”

Moreover, extortion is also included in this version where a Monero ransom is demanded in order to stop the attacks from going forward.

The threat actors demand Monero because it is a privacy coin, which means that the transaction can not be traced much more easily. In consequence, XMR is commonly requested as a payment method by ransomware gangs and other threat actors.

Sample IOCS for Fodcha

0e3ff1a19fcd087138ec85d5dba59715
1b637faa5e424966393928cd6df31849
208e72261e10672caa60070c770644ba
2251cf2ed00229c8804fc91868b3c1cb
2a02e6502db381fa4d4aeb356633af73
2ed0c36ebbeddb65015d01e6244a2846
2fe2deeb66e1a08ea18dab520988d9e4
37adb95cbe4875a9f072ff7f2ee4d4ae
3fc8ae41752c7715f7550dabda0eb3ba
40f53c47d360c1c773338ef5c42332f8
4635112e2dfe5068a4fe1ebb1c5c8771
525670acfd097fa0762262d9298c3b3b
54e4334baa01289fa4ee966a806ef7f1
5567bebd550f26f0a6df17b95507ca6d
5bdb128072c02f52153eaeea6899a5b1
6244e9da30a69997cf2e61d8391976d9
65dd4b23518cba77caab3e8170af8001
6788598e9c37d79fd02b7c570141ddcf
760b2c21c40e33599b0a10cf0958cfd4
792fdd3b9f0360b2bbee5864845c324c
7a6ebf1567de7e432f09f53ad14d7bc5
9413d6d7b875f071314e8acae2f7e390
954879959743a7c63784d1204efc7ed3
977b4f1a153e7943c4db6e5a3bf40345
9defda7768d2d806b06775c5768428c4
9dfa80650f974dffe2bda3ff8495b394
a996e86b511037713a1be09ee7af7490
b11d8e45f7888ce85a67f98ed7f2cd89
b1776a09d5490702c12d85ab6c6186cd
b774ad07f0384c61f96a7897e87f96c0
c99db0e8c3ecab4dd7f13f3946374720
c9cbf28561272c705c5a6b44897757ca
cbdb65e4765fbd7bcae93b393698724c
d9c240dbed6dfc584a20246e8a79bdae
e372e5ca89dbb7b5c1f9f58fe68a8fc7
ebf81131188e3454fe066380fa469d22
fe58b08ea78f3e6b1f59e5fe40447b11

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Fodcha DDoS Botnet Resurfaces with New Capabilities appeared first on First Hackers News.