Monday, May 12, 2025

Water Barghest Botnet Comprised 20,000+ IoT Devices By Exploiting Vulnerabilities


Water Barghest, a sophisticated botnet operation, exploits vulnerabilities in IoT devices to enlist them in a residential proxy marketplace. It relies on automated scripts that query public databases such as Shodan to identify vulnerable devices.

Once a device is compromised, the Ngioweb malware is installed stealthily and establishes a connection to its command-and-control (C&C) servers.

The infected device is registered as a proxy rapidly, often within 10 minutes, enabling immediate monetization through the proxy marketplace; this speed highlights the significant threat Water Barghest poses to IoT security.

Automation by Water Barghest

Water Barghest automates the entire exploitation process: it acquires n-day or zero-day exploits, uses Shodan to identify vulnerable devices and their IP addresses, and then launches attacks from data-center IP addresses.


Successful attacks lead to the installation of Ngioweb malware, which registers with a C&C server and connects to a residential proxy provider’s entry points. 

These compromised devices are then listed on a marketplace as residential proxies, generating revenue for Water Barghest. The threat actor maintains a consistent operation with multiple workers scanning for vulnerabilities and deploying malware.

Ngioweb, a versatile malware strain, first emerged in 2018 as a Windows botnet, leveraging the Ramnit Trojan for distribution, and evolved in 2019 to target Linux systems, particularly WordPress-powered web servers, exploiting vulnerabilities in the platform or its plugins. 

Figure: Ngioweb’s main function

The malware, utilizing a two-stage C&C infrastructure and a custom binary protocol, demonstrates its adaptability and potential for widespread impact across diverse operating systems and web applications. 

On startup, the malware initializes function pointers dynamically, ignores signals, renames itself to mimic a kernel thread, closes its standard file descriptors, disables the kernel watchdog, reads the device’s machine ID, decrypts its configuration with AES-256-ECB, and then generates and resolves DGA domains for C&C communication.
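Renaming to look like a kernel thread is a masquerade that a defender can check for on a Linux host. The following Python script is an added example (not code from the article or from Trend Micro's report) that applies a simple heuristic: a genuine kernel thread is a child of kthreadd (PID 2), has an empty /proc/<pid>/cmdline and no readable /proc/<pid>/exe link, whereas a user-space binary that has renamed itself still carries a cmdline and an exe target. The sample process records and the kernel-style name pattern are constructed for this example.

```python
"""Heuristic check for user-space processes masquerading as kernel threads.

Added example, not from the original article or from Trend Micro's report.
On Linux, genuine kernel threads are children of kthreadd (PID 2), have an
empty /proc/<pid>/cmdline and no resolvable /proc/<pid>/exe.  A user-space
binary that renames itself with a kernel-style name (e.g. via
prctl(PR_SET_NAME)) still carries a cmdline and an exe link, so the
combination is a useful triage signal.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KTHREADD_PID = 2
# Names that resemble kernel threads: "kworker/0:1", "[ksoftirqd/2]", "kthreadd".
# This pattern is an assumption for the example and will produce some false
# positives (any user-space name starting with "k" and letters matches too).
KERNEL_STYLE_NAME = re.compile(r"^\[?(k[a-z_]+|migration|rcu_[a-z]+|watchdog)[/\w:-]*\]?$")


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str            # contents of /proc/<pid>/comm
    cmdline: str         # /proc/<pid>/cmdline with NUL bytes replaced by spaces
    exe: Optional[str]   # target of /proc/<pid>/exe, or None if unreadable


def looks_like_kernel_thread(name: str) -> bool:
    return bool(KERNEL_STYLE_NAME.match(name.strip()))


def is_masquerading(p: ProcInfo) -> bool:
    """True when a process uses a kernel-thread-style name but shows user-space traits."""
    if not looks_like_kernel_thread(p.comm):
        return False
    return p.ppid != KTHREADD_PID or p.cmdline.strip() != "" or p.exe is not None


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect the fields the heuristic needs from /proc (Linux only)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
        with open(f"{base}/stat") as f:
            # /proc/<pid>/stat is "pid (comm) state ppid ..."; comm may contain
            # spaces, so split on the last ')' before taking the ppid field.
            ppid = int(f.read().rsplit(")", 1)[1].split()[1])
    except (FileNotFoundError, PermissionError, ProcessLookupError):
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None
    return ProcInfo(pid, ppid, comm, cmdline, exe)


def scan_live_system() -> List[ProcInfo]:
    """Walk /proc and return processes that trip the heuristic; empty off Linux."""
    hits: List[ProcInfo] = []
    if not os.path.isdir("/proc"):
        return hits
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            info = read_proc(int(entry))
            if info and is_masquerading(info):
                hits.append(info)
    return hits


# Constructed sample records (not captured from a real infection).
SAMPLES = [
    ProcInfo(pid=17, ppid=2, comm="kworker/0:1", cmdline="", exe=None),                    # genuine kernel thread
    ProcInfo(pid=4242, ppid=1, comm="[kworker/1:2]", cmdline="/tmp/.x", exe="/tmp/.x"),    # renamed user-space binary
    ProcInfo(pid=900, ppid=1, comm="sshd", cmdline="/usr/sbin/sshd -D", exe="/usr/sbin/sshd"),  # ordinary daemon
]


def flagged_pids(procs: List[ProcInfo]) -> List[int]:
    return [p.pid for p in procs if is_masquerading(p)]


if __name__ == "__main__":
    print("sample hits:", flagged_pids(SAMPLES))
    for p in scan_live_system():
        print(f"pid {p.pid} comm={p.comm!r} ppid={p.ppid} exe={p.exe!r}")
```

Run as a script on a Linux host, the block prints the constructed hit (PID 4242) and then any live process matching the heuristic; treat the live results as triage leads, since the name pattern is deliberately broad and will also match legitimate user-space programs whose names begin with "k".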

Figure: File downloaded from the second-stage C&C

Ngioweb malware is a trojan that infects devices and turns them into rotating proxies by using a two-tier C2 architecture to communicate with the attackers. 

The first-stage C2 server provides configuration parameters such as the DGA seed, the domain count, and the C&C URL path; the malware uses DNS TXT requests to retrieve additional data from the C2 server.

The second-stage C2 server issues commands such as CONNECT, CERT, and WAIT, and also has the bot download a large file to estimate the victim’s bandwidth before the victim’s IP address is offered for sale on a residential proxy marketplace.
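The combination of DGA-generated domains and DNS TXT lookups described above leaves a footprint in resolver logs. The following Python script is an added example (not code from the article or from Trend Micro's report) that groups DNS queries by client and flags clients issuing many TXT queries to many distinct, high-entropy registered domains. The log format, the field order, the sample lines, and the thresholds are all assumptions constructed for this example; a real deployment would use a public-suffix list instead of the simple "last two labels" rule.

```python
"""Triage of DNS query logs for DGA-style TXT lookups.

Added example, not part of the original article or of Trend Micro's report.
Groups queries by client and flags clients that issue many TXT queries to
many distinct registered domains whose second-level labels have high
Shannon entropy.  Log format, field order, and thresholds are assumptions.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log lines (not captured traffic).  Assumed format:
# <timestamp> <client_ip> <qtype> <qname>
SAMPLE_LOG = """\
2024-11-01T10:00:01Z 192.168.1.20 A www.example.com
2024-11-01T10:00:02Z 192.168.1.20 A cdn.example.net
2024-11-01T10:00:03Z 192.168.1.20 TXT _dmarc.example.com
2024-11-01T10:01:00Z 192.168.1.77 TXT qx7kd2pa9fzm.net
2024-11-01T10:01:01Z 192.168.1.77 TXT b3rt8wq1zlvc.com
2024-11-01T10:01:02Z 192.168.1.77 TXT h9ms4ke2ydpq.org
2024-11-01T10:01:03Z 192.168.1.77 TXT w2nc6rj5ktbf.net
2024-11-01T10:01:04Z 192.168.1.77 TXT p8vd3xs7mqla.com
2024-11-01T10:01:05Z 192.168.1.77 TXT z4fg1hn9ucrw.org
"""

# Thresholds are assumptions for the example; tune them per environment.
TXT_QUERY_MIN = 5        # minimum TXT queries per client in the window
DISTINCT_DOMAIN_MIN = 5  # minimum distinct registered domains among them
ENTROPY_MIN = 3.2        # mean Shannon entropy (bits/char) of the SLD label


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels ("sld.tld"); a real deployment would use a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        records.append((client, qtype.upper(), qname))
    return records


def txt_dga_suspects(records: List[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Map client IP -> stats for clients exceeding all three thresholds."""
    domains_by_client: Dict[str, set] = defaultdict(set)
    txt_count: Dict[str, int] = defaultdict(int)
    for client, qtype, qname in records:
        if qtype == "TXT":
            txt_count[client] += 1
            domains_by_client[client].add(registered_domain(qname))

    suspects: Dict[str, dict] = {}
    for client, domains in domains_by_client.items():
        slds = [d.split(".")[0] for d in domains]
        mean_entropy = sum(shannon_entropy(s) for s in slds) / len(slds)
        if (txt_count[client] >= TXT_QUERY_MIN
                and len(domains) >= DISTINCT_DOMAIN_MIN
                and mean_entropy >= ENTROPY_MIN):
            suspects[client] = {
                "txt_queries": txt_count[client],
                "distinct_domains": len(domains),
                "mean_entropy": round(mean_entropy, 2),
            }
    return suspects


if __name__ == "__main__":
    for client, stats in txt_dga_suspects(parse_log(SAMPLE_LOG)).items():
        print(client, stats)
```

On the constructed log, only 192.168.1.77 is flagged: it issues six TXT queries to six distinct registered domains whose labels are all twelve distinct characters, while 192.168.1.20's single TXT lookup for a DMARC record is ordinary mail-policy traffic and stays below every threshold.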

Figure: Residential proxy marketplace’s website

According to Trend Micro, a residential proxy marketplace offers access to a large number of infected IoT devices for rent; devices compromised by Ngioweb are added to the marketplace shortly after infection.

The marketplace operates a backconnect proxy infrastructure, allowing users to route traffic through the infected devices, which enables malicious actors to anonymize their activities and evade detection. 

The increasing availability and affordability of such services pose significant challenges for security professionals, highlighting the urgent need for improved IoT device security and network hardening to mitigate these threats.


Varshini