Saturday, April 19, 2025
HomeBotnetHackers Offered IoT Botnet as Service "TheMoon" : Botnet-as-a-Service

Hackers Offered IoT Botnet as Service “TheMoon” : Botnet-as-a-Service

Published on

SIEM as a Service

Follow Us on Google News

TheMoon botnet was first identified in 2014 and it targets exploits on the router developed by companies such as Linksys, ASUS, MikroTik and D-Link.

The botnet operators used the proxy botnet for various activities such as brute forc, video advertisement fraud, general traffic obfuscation and more.

To expand the botnet the threat actor will continuously scan for vulnerable services running on IoT devices and if they detect any vulnerable device it then drops a shell script.

- Advertisement - Google News

TheMoon botnet targets IoT applications running on port 8080 and the once the dropped shell script executed it downloads the initial stages of the payload.

Security researchers from CenturyLink found the new module is different from the previous one, the new module turns the infected device into a SOCKS5 proxy. The new module allows the botnet author to sell its proxy network as a service to others.

TheMoon

CenturyLink discovered that each IP hosted on TCP port 8002 When connecting to this port, a stream of log messages associated with a video advertisement fraud campaign was automatically received.

“One six-hour time period from a single server resulted in requests to 19,000 unique URLs on 2,700 unique domains. After browsing some of the URLs, it was apparent they all had embedded YouTube videos.”

The IP key has a base64 encoded string and it represents the proxy used for the video ad fraud request.

TheMoon

Centurylink blocked the TheMoon infrastructure on it’s ISP network and it notified another other network operators to potentially block the infected devices. Further details and IoC can be found in Century link report.

“The always-on nature of IoT devices and the ability to masquerade as normal home users make broadband networks prime targets for these types of attacks,” reads CenturyLink report.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

New Hacking Group Outlaw Distributing Botnet to Scan The Network & Perform Cryptocurrency-Mining & Brute-Force Attack

Hackers Exploiting ThinkPHP Vulnerability To Expand Hakai and Yowai Botnets

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

How SMBs Can Improve SOC Maturity With Limited Resources

Small and Medium-sized Businesses (SMBs) have become prime targets for cybercriminals, being three times...

How To Detect Obfuscated Malware That Evades Static Analysis Tools

Obfuscated malware presents one of the most challenging threats in cybersecurity today. As static...

How Security Analysts Detect and Prevent DNS Tunneling Attack In Enterprise Networks

DNS tunneling represents one of the most sophisticated attack vectors targeting enterprise networks today,...

How to Conduct a Cloud Security Assessment

Cloud adoption has transformed organizations' operations but introduces complex security challenges that demand proactive...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

How SMBs Can Improve SOC Maturity With Limited Resources

Small and Medium-sized Businesses (SMBs) have become prime targets for cybercriminals, being three times...

How To Detect Obfuscated Malware That Evades Static Analysis Tools

Obfuscated malware presents one of the most challenging threats in cybersecurity today. As static...

How Security Analysts Detect and Prevent DNS Tunneling Attack In Enterprise Networks

DNS tunneling represents one of the most sophisticated attack vectors targeting enterprise networks today,...