L7 DDoS Botnet Hijacked 5.76M Devices to Launch Massive Attacks

Posted on September 11, 2025 By CWS

In early March 2025, security teams first observed an unprecedented L7 DDoS botnet targeting web applications across multiple sectors.

The botnet, rapidly expanding from an initial 1.33 million compromised devices, used HTTP GET floods to exhaust server resources and circumvent conventional rate limiting.

By mid-May, the threat escalated as the botnet grew to 4.6 million nodes, leveraging compromised IoT devices and poorly secured endpoints to amplify its attack surface.

By September, this sprawling network had mobilized 5.76 million IP addresses for a coordinated attack on a government organization, generating tens of millions of requests per second.

Qrator Labs analysts noted significant shifts in geographical distribution, with Brazil, Vietnam, and the United States emerging as leading sources of malicious traffic.

The attack unfolded in two waves: an initial surge involving roughly 2.8 million devices, followed an hour later by an additional 3 million nodes.

HTTP headers in the second wave revealed randomized User-Agent strings designed to evade simple traffic filtering.
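Because a filter keyed on a fixed User-Agent value misses randomized strings, a defender can key on the churn itself. The following is an added example, not code from Qrator Labs or the original article: it scans combined-format access-log lines and flags source IPs whose GET requests inside a short window carry almost all-distinct User-Agent values. The log lines, window, and thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - - [ts] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) \S+ [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return (ip, timestamp, method, user_agent), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["ua"]

def flag_ua_churn(lines, window=timedelta(seconds=10), min_requests=5, min_ratio=0.8):
    """Flag IPs whose recent GETs carry mostly distinct User-Agents (assumed thresholds)."""
    recent = defaultdict(deque)          # ip -> (timestamp, user_agent) pairs in window
    flagged = set()
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, ts, _, ua = rec
        q = recent[ip]
        q.append((ts, ua))
        while ts - q[0][0] > window:     # drop requests older than the window
            q.popleft()
        # A browser repeats one User-Agent; require volume AND churn so that a
        # NAT gateway with a handful of real clients is not flagged.
        if len(q) >= min_requests and len({u for _, u in q}) / len(q) >= min_ratio:
            flagged.add(ip)
    return flagged

def _line(ip, sec, ua):
    return f'{ip} - - [11/Sep/2025:10:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample traffic (documentation-range IPs, not real observations).
SAMPLE = (
    [_line("203.0.113.7", s, f"Mozilla/5.0 (rand-{s * 7919})") for s in range(6)]   # churning UA
    + [_line("198.51.100.20", s, "Mozilla/5.0 (X11; Linux x86_64)") for s in range(6)]  # stable UA
    + [_line("192.0.2.5", s, f"curl/8.{s}") for s in range(2)]                       # too few requests
)

if __name__ == "__main__":
    print(sorted(flag_ua_churn(SAMPLE)))
```

With millions of sources each sending little traffic, per-IP churn is only one signal; the same counting can be keyed on subnet, ASN, or request path.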

Qrator Labs researchers identified key adaptations in the botnet's control mechanism that facilitated its rapid scaling.

The malware communicates over encrypted channels with a decentralized command-and-control (C2) infrastructure, which the attackers rotate frequently to avoid blacklisting.

Signature-based mitigation struggled to keep pace, as each C2 endpoint was active for mere hours before rotation.

Infection Mechanism and Persistence

The core infection vector relies on brute-force exploitation of default credentials and unpatched vulnerabilities in common IoT firmware.

Once inside a device, the malware deploys a lightweight rootkit that hooks into network interfaces and intercepts firmware update routines.

A code snippet extracted by Qrator Labs illustrates the persistence technique:

// Intercept firmware update calls
int hook_update(char *path) {
    if (!strcmp(path, "/usr/bin/fw_update")) {
        launch_payload();
        return 0;
    }
    return orig_update(path);
}

This technique ensures the malicious modules reload after every system restart, rendering simple reboot-based remediation ineffective.

The stealthy rootkit also suppresses suspicious process listings, further complicating detection and removal.
