L7 DDoS Botnet Hijacked 5.76M Devices to Launch Massive Attacks

Posted on September 11, 2025 By CWS

In early March 2025, security teams first observed an unprecedented L7 DDoS botnet targeting web applications across multiple sectors.

The botnet, rapidly expanding from an initial 1.33 million compromised devices, employed HTTP GET floods to exhaust server resources and circumvent traditional rate limiting.

By mid-May, the threat escalated as the botnet grew to 4.6 million nodes, leveraging compromised IoT devices and poorly secured endpoints to amplify its attack surface.

By September, this sprawling network had mobilized 5.76 million IP addresses for a coordinated attack on a government organization, generating tens of millions of requests per second.

Qrator Labs analysts noted significant shifts in geographical distribution, with Brazil, Vietnam, and the United States emerging as leading sources of malicious traffic.

The attack unfolded in two waves: an initial surge engaging roughly 2.8 million devices, followed an hour later by an additional 3 million nodes.

HTTP headers in the second wave revealed randomized User-Agent strings designed to evade simple traffic filtering.
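One way to surface per-source User-Agent rotation in web server access logs, as an added example that is not from the article or from Qrator Labs. The log lines are constructed (Combined Log Format, documentation IP ranges), and the window size and thresholds are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip - - [ts] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Return (ip, timestamp, method, ua), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["ua"]

def rotating_clients(lines, window_s=60, max_uas=3, min_requests=5):
    """Map each source IP to its highest distinct User-Agent count in any
    fixed window, for sources that sent at least min_requests GETs there
    using more than max_uas different User-Agent strings."""
    buckets = defaultdict(lambda: [0, set()])  # (ip, window) -> [count, UAs]
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, ts, _, ua = rec
        bucket = buckets[(ip, int(ts.timestamp()) // window_s)]
        bucket[0] += 1
        bucket[1].add(ua)
    flagged = {}
    for (ip, _), (count, uas) in buckets.items():
        if count >= min_requests and len(uas) > max_uas:
            flagged[ip] = max(flagged.get(ip, 0), len(uas))
    return flagged

def _line(ip, sec, ua):
    return (f'{ip} - - [11/Sep/2025:10:00:{sec:02d} +0000] '
            f'"GET /search?q=a HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample: one rotating source, one steady browser, one shared NAT.
SAMPLE = (
    [_line("203.0.113.7", s, f"Mozilla/5.0 (X{s}) rnd/{s * 7919}") for s in range(6)]
    + [_line("198.51.100.20", s, "Mozilla/5.0 (Windows NT 10.0) Firefox/130.0") for s in range(6)]
    + [_line("192.0.2.44", s, f"curl/8.{s % 2}") for s in range(5)]
)

print(rotating_clients(SAMPLE))
```

This only catches sources that rotate the header across several requests in one window; nodes that each send very few requests need aggregate signals such as the ratio of distinct User-Agent values to requests per target path.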

Qrator Labs researchers identified key adaptations in the botnet’s control mechanism that facilitated its rapid scaling.

The malware communicates over encrypted channels with a decentralized command-and-control (C2) infrastructure, which the attackers rotate frequently to avoid blacklisting.

Signature-based mitigation struggled to keep pace, as each C2 endpoint was active for mere hours before rotation.

Infection Mechanism and Persistence

The core infection vector relies on brute-forcing default credentials and exploiting unpatched vulnerabilities in common IoT firmware.

Once inside a device, the malware deploys a lightweight rootkit that hooks into network interfaces and intercepts firmware update routines.

A code snippet extracted by Qrator Labs illustrates the persistence technique:

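#include <string.h>
// Declarations assumed here; the excerpt does not show these definitions
int orig_update(char *path);
void launch_payload(void);
// Intercept firmware update calls
int hook_update(char *path) {
    // A call to the firmware updater runs the payload instead of updating
    if (!strcmp(path, "/usr/bin/fw_update")) {
        launch_payload();
        return 0;
    }
    // Every other path is passed through to the original routine
    return orig_update(path);
}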

This technique ensures the malicious modules reload after every system restart, rendering simple reboot-based remediation ineffective.

The stealthy rootkit also suppresses suspicious process listings, further complicating detection and removal.
