Friday, January 10, 2025

Gayfemboy breaks Mirai botnet pattern to become a persistent threat


A botnet with an unusual name, Gayfemboy, is breaking the usual pattern of Mirai variants to become a persistent DDoS threat.

First identified by cybersecurity researchers at QiAnXin’s XLab in February 2024, Gayfemboy has confounded analysts with its resilience, rapid evolution, and aggressive nature. Unlike the transient Mirai derivatives that litter the landscape, Gayfemboy has grown into a sophisticated, large-scale botnet capable of exploiting zero-day (0-day) vulnerabilities and launching ferocious attacks.

When Gayfemboy emerged in February 2024, it appeared to be just another Mirai clone. The initial samples were unremarkable, packed with a standard UPX shell and lacking any notable innovation. Many would have dismissed it as another fleeting botnet doomed to fade. However, over the following months, Gayfemboy underwent aggressive iterative development to integrate new capabilities.

By April 2024, its developers had modified the UPX shell with a new magic number, “YTSx99”, and adopted a custom registration packet labelled “gayfemboy.” By mid-June, the botnet had advanced further, adjusting its UPX shell and reaching relative stability, with only incremental changes to its command-and-control (C2) domains.

As researchers continued monitoring its development, the team at XLab observed Gayfemboy becoming increasingly innovative. In November 2024, the botnet advanced dramatically, exploiting a 0-day vulnerability in Four-Faith industrial routers (later disclosed as CVE-2024-12856), alongside apparently unknown vulnerabilities in Neterbit routers and Vimar smart home devices, to dramatically expand its infection scale.

Gayfemboy’s capabilities and aggression became glaringly evident when researchers at XLab attempted to analyse its scale by registering unclaimed C2 domains. Upon detecting the researchers’ actions, the botnet operators launched retaliatory DDoS attacks against the registered domains, a hostile move that underscored Gayfemboy’s sophistication and operational tenacity.

The analysis revealed Gayfemboy to be an ambitious and fast-evolving entity. XLab measured over 15,000 daily active nodes orchestrated under the botnet’s command. These compromised devices were organised into more than 40 separate groups, demonstrating a sophisticated mechanism for managing the botnet’s sprawling network of infected devices.

Gayfemboy exploits 0-day and N-day vulnerabilities

Gayfemboy distinguishes itself by using a combination of more than 20 vulnerabilities alongside weak Telnet credentials to compromise devices. The operators combine both N-day vulnerabilities (well-documented security holes) and 0-day exploits to scale their botnet.

Undisclosed vulnerabilities affected devices such as Vimar smart home solutions. (For understandable ethical reasons, the researchers omitted details of the undisclosed vulnerabilities.)

The infection method varies based on the targeted device. Researchers identified a number of infected devices based on the grouping information embedded in the botnet’s data, which allows the attackers to efficiently categorise and control infected nodes. The primary targets include:

  • ASUS routers, using N-day vulnerabilities.
  • Four-Faith routers, breached via CVE-2024-12856.
  • Neterbit routers, with the method details unknown.

China, the US, Iran, Russia, and Turkey account for the majority of compromised devices, although Gayfemboy’s infections span other regions as well.

A persistent DDoS threat

Gayfemboy’s true power lies in its ability to launch devastating DDoS attacks. From February 2024 onward, the botnet shifted its focus towards intermittent but high-impact DDoS offensives targeting hundreds of entities daily.

Analysts tracked a sharp uptick in activity around October and November 2024, affecting industries ranging from telecoms to government organisations. Geographically, the attacks primarily hit entities in China, the US, Germany, the UK, and Singapore.

When XLab researchers used a virtual private server (VPS) from a cloud provider to monitor Gayfemboy’s C2 domains, the botnet unleashed recurring DDoS strikes against the VPS.

The attacks against the VPS, lasting between 10 and 30 seconds, succeeded in rendering it inaccessible. When the cloud provider detected the behaviour, they blackholed traffic to the VPS for 24 hours, a testament to the botnet’s substantial firepower, with attack traffic estimated at 100GB.

Evolution of Gayfemboy

Despite Gayfemboy’s advanced functionality, certain elements of its code highlight the operators’ roots in Mirai.

The bot retains Mirai’s command structure but has removed its signature string table, substituted plaintext strings, and added new capabilities. For example:

  • Commands allow operators to initiate or halt scans, kill active attacks, or update the bot itself.
  • Upon execution, the bot displays “we gone nown”, a line that has persisted through every iteration.

One peculiar feature is Gayfemboy’s attempt to hide itself by exploiting writable directories. Upon startup, the bot searches for writable paths, writes a test file, and deletes it. If successful, it mounts the directory over `/proc/<pid>` to obscure the process ID, concealing its presence in the `/proc` filesystem.
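The mount-over-`/proc/<pid>` trick described above leaves a trace in the mount table that a defender can check for: no healthy Linux system mounts a filesystem directly over a process directory. The following is an added example (not code from XLab's report or from the malware) that scans a constructed sample of `/proc/mounts` for such overmounts; the `scan_live_host` helper applies the same check to a real host.

```python
import re
from typing import List, Tuple

# Constructed sample of /proc/mounts: a normal system, plus two filesystems
# mounted directly over /proc/<pid>, the concealment trick the article describes.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /proc/1337 ext4 rw,relatime 0 0
tmpfs /proc/4242 tmpfs rw,nosuid,nodev 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Matches exactly /proc/<pid>; deeper legitimate mounts such as
# /proc/sys/fs/binfmt_misc are deliberately excluded.
PID_MOUNTPOINT = re.compile(r"^/proc/(\d+)/?$")


def find_proc_pid_overmounts(mounts_text: str) -> List[Tuple[int, str, str]]:
    """Return (pid, source, fstype) for every mount whose mountpoint is /proc/<pid>.

    Each hit is a candidate hidden process: the real /proc/<pid> entries are
    masked by whatever was mounted on top, so correlate the PID with a process
    listing taken from outside the affected host (or from a trusted rescue boot).
    """
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        source, mountpoint, fstype = fields[0], fields[1], fields[2]
        # The kernel escapes spaces in mountpoints as \040; decode before matching.
        mountpoint = mountpoint.replace("\\040", " ")
        match = PID_MOUNTPOINT.match(mountpoint)
        if match:
            hits.append((int(match.group(1)), source, fstype))
    return hits


def scan_live_host() -> List[Tuple[int, str, str]]:
    """Run the same check against the real /proc/mounts (Linux only)."""
    with open("/proc/mounts", encoding="utf-8") as fh:
        return find_proc_pid_overmounts(fh.read())


if __name__ == "__main__":
    for pid, source, fstype in find_proc_pid_overmounts(SAMPLE_PROC_MOUNTS):
        print(f"suspicious mount: {source} ({fstype}) over /proc/{pid}")
```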

Gayfemboy’s embedding of new operational commands allows attackers to launch DDoS campaigns, download malicious payloads, and initiate scanning operations, all with clear precision and consistent updates.

With growing accessibility and low costs, distributed botnets like Gayfemboy show how easily malicious actors can continuously evolve as they integrate new vulnerabilities and techniques. Gayfemboy’s sophisticated approach, from exploiting 0-days to strategic retaliatory attacks, reflects a broader escalation in the capabilities of modern botnets.

(Image by Marek Piwnicki)
