Cyber Web Spider Blog – News
L7 DDoS Botnet Hijacked 5.76M Devices to Launch Massive Attacks

Posted on September 11, 2025 By CWS

In early March 2025, security teams first observed an unprecedented L7 DDoS botnet targeting web applications across multiple sectors.

The botnet, rapidly expanding from an initial 1.33 million compromised devices, used HTTP GET floods to exhaust server resources and bypass conventional rate limiting.

By mid-May, the threat escalated as the botnet grew to 4.6 million nodes, leveraging compromised IoT devices and poorly secured endpoints to expand its attack surface.

By September, this sprawling network had mobilized 5.76 million IP addresses for a coordinated attack on a government organization, generating tens of millions of requests per second.

Qrator Labs analysts noted significant shifts in geographic distribution, with Brazil, Vietnam, and the United States emerging as the leading sources of malicious traffic.

The attack unfolded in two waves: an initial surge involving roughly 2.8 million devices, followed an hour later by a further 3 million nodes.

HTTP headers in the second wave revealed randomized User-Agent strings designed to evade simple traffic filtering.
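A defender-side illustration of the traffic pattern described above, added here and not code from Qrator Labs or the original article: it parses constructed access-log lines and flags a path whose requests within one time window come from many distinct source IPs and carry a different User-Agent on almost every request, the combination that slips past per-IP rate limiting and static User-Agent filtering. The log format (Combined Log Format), the window size and the ratio thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Combined Log Format (not real traffic): five
# source IPs each send one GET /login with a different User-Agent within a few
# seconds, while one ordinary browser fetches /about twice.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Sep/2025:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) k1x9"
203.0.113.11 - - [11/Sep/2025:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) q7m2"
203.0.113.12 - - [11/Sep/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) p3r8"
203.0.113.13 - - [11/Sep/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android 14) w5t4"
203.0.113.14 - - [11/Sep/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone) z2c6"
198.51.100.7 - - [11/Sep/2025:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/128"
198.51.100.7 - - [11/Sep/2025:10:00:04 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/128"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                     r'(?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return (ip, epoch_seconds, method, path, user_agent) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp()), m["method"], m["path"], m["ua"]

def detect_l7_flood(log_text, window_s=10, min_requests=5,
                    min_ip_ratio=0.8, min_ua_ratio=0.8):
    """Bucket GET requests per (path, time window) and flag windows whose load
    is spread over many source IPs AND carries a different User-Agent on almost
    every request: per-IP rate limits and static UA blocklists both miss this."""
    buckets = defaultdict(lambda: {"n": 0, "ips": set(), "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, epoch, _, path, ua = rec
        b = buckets[(path, epoch // window_s)]
        b["n"] += 1
        b["ips"].add(ip)
        b["uas"].add(ua)
    alerts = []
    for (path, win), b in sorted(buckets.items()):
        ip_ratio, ua_ratio = len(b["ips"]) / b["n"], len(b["uas"]) / b["n"]
        if b["n"] >= min_requests and ip_ratio >= min_ip_ratio and ua_ratio >= min_ua_ratio:
            alerts.append({"path": path, "window_start": win * window_s, "requests": b["n"],
                           "distinct_ips": len(b["ips"]), "distinct_uas": len(b["uas"])})
    return alerts
```

On the constructed sample only the /login window is reported; in production the thresholds need tuning against baseline traffic, since a popular page behind a large NAT can legitimately show many distinct IPs and agents.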

Qrator Labs researchers identified key adaptations in the botnet's control mechanism that enabled its rapid scaling.

The malware communicates over encrypted channels with a decentralized command-and-control (C2) infrastructure, which the attackers rotate frequently to avoid blacklisting.

Signature-based mitigation struggled to keep pace, as each C2 endpoint was active for mere hours before rotation.

Infection Mechanism and Persistence

The core infection vector relies on brute-forcing default credentials and exploiting unpatched vulnerabilities in common IoT firmware.

Once inside a device, the malware deploys a lightweight rootkit that hooks into network interfaces and intercepts firmware update routines.

A code snippet extracted by Qrator Labs illustrates the persistence technique:

    // Intercept firmware update calls
    #include <string.h>

    void launch_payload(void);      // defined elsewhere in the rootkit
    int orig_update(char *path);    // the original, un-hooked update routine

    int hook_update(char *path) {
        if (!strcmp(path, "/usr/bin/fw_update")) {
            launch_payload();
            return 0;
        }
        return orig_update(path);
    }

This technique ensures the malicious modules reload after every system restart, rendering simple reboot-based remediation ineffective.

The stealthy rootkit also suppresses suspicious process listings, further complicating detection and removal.
