From Ripples to Waves: The Swift Evolution of the “Boat” Botnet

August 18, 2023

The botnet family “Boat” was first discovered by NSFOCUS Security Labs in June 2022. Its name comes from the fact that malicious samples in its early versions propagate with the file name “boat”. At the same time, since some malicious samples in later versions of this family retain symbolic information and there are a large […]

KmsdBot: A Customized Botnet Family with DDoS and Mining Capabilities

August 7, 2023

I. Overview NSFOCUS Security Labs recently detected that a new botnet family, KmsdBot, which combines DDoS and mining functions, has become active again. The attackers continue to replace C&C infrastructure and update Trojan versions. Compared with traditional botnet families, KmsdBot adopts a brand-new architecture and is developed in the Go programming language. The simplicity, high […]

A New Botnet Family Discovered by NSFOCUS

March 13, 2023

Background Recently, NSFOCUS Security Labs detected a batch of suspicious ELF files spreading widely. Further analysis confirmed that these ELF samples belonged to a new botnet family. We named the family “Peachy Botnet” after the signature information left by the bot author in the sample. The Peachy Botnet began to spread as early as […]

Analysis of 2020 H1 Botnet and Honeypot-captured Threat Trends-1

October 16, 2020

In the distributed denial-of-service (DDoS) botnet activities in 2020 H1, most were from Mirai, Gafgyt, and other major families.

In 2020 H1, DDoS attack means were dominated by UDP floods, CC, and TCP floods.

In 2020 H1, Hostwinds, Digital Ocean, and OVH were the major hosted cloud service providers of C&C servers. We predict that it will remain unchanged in 2020 H2.

In the same period, 128 types of vulnerabilities were found to be exploited by Internet of Things (IoT) trojans for propagation. Of these, CVE-2017-17215 (in Huawei HG532 routers), CVE-2014-8361 (Realtek rtl81xx SDK remote code execution vulnerability), and the ThinkPHP remote code execution vulnerability were the most frequently exploited.

Through NSFOCUS’s threat hunting system, we have long kept an eye on a botnet specializing in Monero cryptomining. The botnet intrudes upon hosts by cracking weak passwords and gains control by implanting bot programs. It then uses its downloader to fetch and execute Monero cryptomining scripts. The cryptomining botnet became increasingly active in 2020 H1, involving a total of 20,830 active bots. China was the country with the most bots, 8,304, accounting for 40% of the total. Port 22 was open on 13,664 bots, approximately 66% of all bots. According to known asset intelligence, routers and cameras were the dominant device types turned into bots.


Vollgar Botnet Threat Alert

April 14, 2020

On April 1, the Guardicore Labs team uncovered a long-running attack campaign that aims to infect Windows machines running MS-SQL servers. Since at least May 2018, the campaign has used password brute force to breach victim machines, deployed multiple backdoors, and executed numerous malicious modules, such as remote access tools (RATs). We dubbed the campaign Vollgar.

It is not uncommon for attackers to use password brute force to breach systems and then implant malware. However, according to the report, 2000–3000 databases are still being attacked every day. Victims are distributed across different countries (including China, India, South Korea, Turkey, and the USA) and belong to various industry sectors (including healthcare, aviation, IT, telecommunications, and higher education).

Technical Analysis Report on Rowdy, A New Type of IoT Malware Exploiting STBs

October 19, 2017

In August 2017, NSFOCUS’s DDoS situation awareness platform detected anomalous bandwidth usage over a customer’s network, which, upon analysis, was confirmed to be a distributed denial-of-service (DDoS) attack. The attack was characterized by different types of traffic, including TCP flood, HTTP flood, and DNS flood. Tracing source IP addresses, we found that the attack had […]
