Saturday, April 19, 2025

Mirai Botnet Variant Exploits Zero-Day Vulnerabilities in Routers


Researchers first observed the Gayfemboy botnet in early 2024 as a basic Mirai variant, but it evolved rapidly through iterative development: UPX polymorphic packing, the integration of N-day vulnerabilities, and ultimately the exploitation of a 0-day vulnerability in Four-Faith industrial routers.

By November 2024, Gayfemboy had infected over 15,000 devices, utilizing over 40 grouping categories for command and control. Upon detecting researchers’ registration of its C2 domains, Gayfemboy aggressively retaliated with DDoS attacks.

The analysis demonstrates the botnet’s rapid evolution from a generic threat to a significant player in the botnet landscape, equipped with advanced capabilities and a proactive defense mechanism.

Figure: Geographical distribution of attack targets

The Gayfemboy botnet leverages various vulnerabilities, including critical remote code execution flaws like CVE-2024-12856 (Four-Faith router 0-day) and undisclosed vulnerabilities affecting Neterbit and Vimar devices. 

This, combined with the exploitation of well-known CVEs (e.g., CVE-2013-3307, CVE-2014-8361, and CVE-2020-25499) and the use of weak Telnet credentials, allows the botnet to maintain a significant presence, with approximately 15,000 daily active bots.
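Weak Telnet credentials are one of the infection vectors named above, and the corresponding defender-side signal is a burst of failed Telnet logins from one source followed by a success. The detector below is an added example written for this article, not code from the original page or from XLab; the syslog-style log format, every log line, and the source addresses (RFC 5737 documentation ranges) are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
"""Detect Telnet credential brute-forcing from authentication logs.

Added example for this article, not code from the original page or from
XLab. The log format and every line below are constructed for the example;
the source addresses are documentation ranges (RFC 5737), not real hosts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style format: timestamp, daemon, outcome, user, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)' from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: one source guesses five times and then gets in,
# another mistypes once and logs in normally, one line is unrelated noise.
SAMPLE_LOGS = [
    "2024-11-03T10:15:00Z telnetd[412]: login failed for user 'root' from 203.0.113.7",
    "2024-11-03T10:15:08Z telnetd[412]: login failed for user 'admin' from 203.0.113.7",
    "2024-11-03T10:15:09Z telnetd[412]: login failed for user 'operator' from 198.51.100.2",
    "2024-11-03T10:15:17Z telnetd[412]: login failed for user 'root' from 203.0.113.7",
    "2024-11-03T10:15:26Z telnetd[412]: login failed for user 'support' from 203.0.113.7",
    "2024-11-03T10:15:30Z telnetd[412]: login succeeded for user 'operator' from 198.51.100.2",
    "2024-11-03T10:15:35Z telnetd[412]: login failed for user 'root' from 203.0.113.7",
    "2024-11-03T10:15:44Z telnetd[412]: login succeeded for user 'root' from 203.0.113.7",
    "this line is not an auth event and is skipped",
]


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window=timedelta(minutes=5), min_failures_before_success=3):
    """Return (src, alert_type, timestamp) tuples.

    brute_force: a source reaches `threshold` failures inside `window`
    (raised once per burst). success_after_failures: a login succeeds from
    a source that had at least `min_failures_before_success` recent failures,
    the shape of a default-credential guess that finally worked.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if e["result"] == "failed":
            q.append(e["ts"])
            if len(q) == threshold:
                alerts.append((e["src"], "brute_force", e["ts"]))
        else:
            if len(q) >= min_failures_before_success:
                alerts.append((e["src"], "success_after_failures", e["ts"]))
            q.clear()  # a success ends the burst either way
    return alerts


if __name__ == "__main__":
    for src, kind, ts in detect(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {kind:24} {src}")
```

The "success after failures" alert is the one worth paging on: a source that stops failing and stays logged in is a device that has most likely been enrolled. Alerts of this kind complement, rather than replace, the obvious mitigation of disabling Telnet where possible and replacing default credentials.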

Infections are widespread, with notable concentrations observed in China, the United States, Iran, Russia, and Turkey. The botnet likely utilizes the compromised devices for a variety of malicious activities, including DDoS attacks, data exfiltration, and cryptocurrency mining.

Figure: Attack command records

It communicates with a Command and Control (C2) server, transmitting grouping information, such as device operating system or infection method, which allows attackers to efficiently manage and control the botnet. 

Key affected devices include ASUS routers (infected via N-day exploits), Kguard DVRs (N-day), Four-Faith industrial routers (0-day exploit CVE-2024-12856), and various routers and smart home devices (infection method unknown).

The Gayfemboy botnet is a Mirai-based botnet that has been active since February 2024. It targets hundreds of different entities each day, and its attacks are spread across the globe.

It uses a modified UPX shell (packer) with the magic number 1wom, and it also hides the malicious process by attempting to find writable directories, starting from the root directory, upon startup.
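Swapping the UPX magic defeats tools that only look for the stock "UPX!" marker, so a detection that lists known replacement magics alongside an entropy heuristic catches both the reported variant and packers with a magic not seen yet. The scanner below is an added example written for this article, not code from the original page or from XLab; the sample images it scans are constructed in the script (an ELF64-style header, the marker where UPX's l_info would sit, then pseudo-random bytes) and are not real malware, and the entropy threshold is an assumption.

```python
"""Scan an ELF image for UPX packer markers, including a replaced magic.

Added example for this article, not code from the original page or from XLab.
Stock UPX writes the ASCII magic "UPX!" into the headers it prepends and
appends; the article reports that the Gayfemboy sample changes it to "1wom".
The sample bytes built below are constructed here and are not real malware.
"""
import math
import random
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"
# Custom magic reported by the article; extend this list as new ones are seen.
KNOWN_CUSTOM_MAGICS = [b"1wom"]
# Assumed heuristic threshold: compressed or encrypted payloads sit near 8 bits/byte.
ENTROPY_THRESHOLD = 7.2


@dataclass
class ScanResult:
    is_elf: bool
    markers: list = field(default_factory=list)  # (offset, marker) pairs
    entropy: float = 0.0

    @property
    def suspicious(self) -> bool:
        # A known marker is a direct hit; a high-entropy ELF is a weaker hint
        # that the file is packed with a magic we do not know yet.
        return bool(self.markers) or (self.is_elf and self.entropy > ENTROPY_THRESHOLD)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_markers(data: bytes, magics) -> list:
    """Return every (offset, marker) occurrence of the given byte strings."""
    hits = []
    for magic in magics:
        start = 0
        while (i := data.find(magic, start)) >= 0:
            hits.append((i, magic.decode("ascii")))
            start = i + 1
    return sorted(hits)


def scan(data: bytes, extra_magics=()) -> ScanResult:
    """Scan one in-memory file image; pass extra byte-string magics to extend the list."""
    magics = [UPX_MAGIC, *KNOWN_CUSTOM_MAGICS, *extra_magics]
    return ScanResult(
        is_elf=data.startswith(ELF_MAGIC),
        markers=find_markers(data, magics),
        entropy=shannon_entropy(data),
    )


def build_sample(magic: bytes, payload_len: int = 4096) -> bytes:
    """Constructed stand-in for a packed ELF: a 64-byte ELF64-style header, the
    packer magic where UPX's l_info would sit, then a pseudo-random high-entropy
    payload. The layout is illustrative, not a faithful UPX image."""
    header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57  # 64 bytes in total
    rng = random.Random(1)  # fixed seed keeps the sample reproducible
    payload = bytes(rng.getrandbits(8) for _ in range(payload_len))
    return header + magic + b"\x00" * 12 + payload


if __name__ == "__main__":
    for magic in (UPX_MAGIC, b"1wom"):
        result = scan(build_sample(magic))
        verdict = "suspicious" if result.suspicious else "clean"
        print(magic, result.markers, f"entropy={result.entropy:.2f}", verdict)
    print("plain ELF stub:", scan(ELF_MAGIC + b"\x00" * 4096).suspicious)
```

In practice the marker list is the part to keep current: each new custom magic reported for a variant goes into KNOWN_CUSTOM_MAGICS, while the entropy check stays as the fallback for samples whose magic nobody has published yet. Read a real file with `scan(open(path, "rb").read())`.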

Not only does the botnet keep the Mirai command format, but it also modifies the registration packet and adds new command functionalities.

Figure: multiple custom parameters

DDoS attacks leverage distributed botnets, malicious tools, or amplification techniques to overwhelm target networks with excessive traffic and deplete available resources, causing service disruption and denial. 

According to XLab, attackers exploit diverse attack vectors, including volumetric, protocol, and application layer attacks, often employing sophisticated techniques like reflection/amplification and low-and-slow attacks. 

Organizations must implement countermeasures such as traffic scrubbing, rate limiting, and intrusion detection systems to mitigate the impact of DDoS attacks and ensure business continuity.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
