cyber security

DDoS-as-a-Service Botnet Backed by Mirai Attacking Gaming Community

DDoS-as-a-Service botnets are used by hackers to facilitate the most easily and cheaply launch of devastating distributed denial-of-service (DDoS) attacks.

Purposely, these botnets are made up of hacked devices that can be rented or leased to cause service disruptions or outages by flooding targets with high traffic volumes.

DDoS-as-a-Service is much easier for hackers looking for ways of extorting businesses, hurting others, and remaining anonymous.

Cybersecurity researchers at Sysdig Threat Research Team (TRT) recently discovered that DDoS-as-a-Service botnet is backed by Mirai attacking the gaming community.

DDoS-as-a-Service Botnet

The Sysdig Threat Research Team discovered that the “rebirthltd.com” domain was involved in a financially motivated and growing DDoS-as-a-Service botnet based on Mirai malware in March 2024. 

All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo 

This service, advertised via Telegram or an online shop, focuses mostly on the gaming community but also introduces risks for corporate entities. 

Mirai-derived botnet operators who are threat actors employ hacked devices to engage in massive distributed denial of service attacks targeting potential buyers, giving a glimpse into the changing world of cybercrime services that can stall business activities.

The Mirai malware sourced RebirthLtd for its botnet that delivers DDoS-as-a-Service and is marketed as a subscription service accessible through an online store and Telegram channel.

This is mainly focused on gamers who may have video game streamers or persons known as “trolls” who disrupt the whole gameplay process.

By operating under different hacking groups, some of whom are claimed to be part of this ring, including CazzG, supposedly a Chinese administrator, it represents one emerging illicit ecosystem that promotes the illegal sale of bots and DDoS tools using anonymity and simple access.

From where the RebirthLtd DDoS botnet came from can be traced to previous malware families and campaigns. Investigations show it to shop4youv2.de (Mirai was responsible for the FBI’s Operation PowerOFF) and Tsuki. army (advertising a second network of bots). 

Docx69 on TikTok under the moniker ‘prixnuke’ (Source – Sysdig)

Preliminary analysis from 2020 showed that “Rebirth” or “Vulcan” was an IoT-oriented botnet distinctively constructed on Gafgyt, QBot, and STDBot with known exploits. 

The fact that initial campaigns probably involved the developers of the botnet, since August 2022, people may have been drawn to the commercialized model of offering DDoS-as-a-service with a wider range of customers utilizing malicious capabilities by RebirthLtd. 

This change is proof that threat actors continuously repackage and sell malware strains.

An investigation of the RebirthLtd DDoS botnet revealed that it evolved from previous malware variants like Rebirth/Vulcan. The latter featured code similarities and common infrastructure connections such as to domains yosh[.]ltd and blkyosh[.]com.

Though the first campaigns in 2019-2020 must have largely involved its developers, multiple countries have recently been hit with massive attacks.

These payloads consist of malicious bash scripts trying to download and execute architecture-specific ELF files, sometimes by names of vulnerabilities or services.

The release of Mirai’s source code fueled a botnet industry and threats like Rebirth, reinforcing the need for diligent vulnerability management and runtime threat detection.

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,' who claims to have compromised the…

2 days ago

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users, leading to widespread reports of Blue…

2 days ago

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have drained billions from victims' wallets. This…

2 days ago

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which link to a variety of systems…

3 days ago

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and often have extensive community support, making…

3 days ago

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are largely employed for communication and collaboration,…

3 days ago