Introduction

In February 2024 [2] [6] [7] [8] [10] [11] [13], Qi’anxin XLab identified a sophisticated botnet named “Gayfemboy,” which represents a new variant of the Mirai malware. This botnet has evolved into a complex, large-scale distributed denial of service (DDoS) attack network [5], posing significant threats to various sectors worldwide.

Description

A sophisticated botnet named “Gayfemboy,” identified by Qi’anxin XLab in February 2024, represents a new variant of the Mirai malware [7]. This complex, large-scale distributed denial of service (DDoS) attack network has evolved significantly [5], now operating approximately 15,000 active nodes daily across various countries, including China [3] [6] [7] [11] [13], Russia [1] [2] [3] [7] [8] [11] [12] [13], the US [2] [3] [5] [7] [8] [11] [12] [13], Iran [2] [3] [7] [8] [11] [12] [13], and Turkey [2] [3] [7] [8] [11] [13]. The botnet exploits over 20 vulnerabilities [2] [7] [11] [12], including zero-day flaws [7] [11], particularly targeting Four-Faith industrial routers (CVE-2024-12856) and affecting more than 15,000 of these devices. It also takes advantage of undisclosed weaknesses in ASUS, Kguard [3], Neterbit [1] [2] [4] [6] [7] [8] [9] [11] [13], and LB-Link routers, as well as Vimar smart home devices. Its infection strategy capitalizes on weak Telnet passwords and previously unidentified vulnerabilities, including CVE-2014-8361 [8] [9], CVE-2017-17215 [9], CVE-2020-9054 [9], CVE-2013-3307 [8], CVE-2021-35394 [8], and CVE-2024-8957 [8] [9].

Since its discovery [2], the Gayfemboy botnet has been actively conducting DDoS attacks against hundreds of victims worldwide, with peak activity observed in late 2024, particularly affecting sectors in China, the US [2] [3] [5] [7] [8] [11] [12] [13], Germany [2] [5] [8] [11], the UK [2] [3] [5] [7] [8] [11] [13], and Singapore [2] [5] [11]. These high-intensity DDoS assaults have involved traffic exceeding 100 Gbps, especially targeting domains used for analysis, resulting in significant traffic blackholing for over 24 hours [8]. Notably, in November 2024 [2] [3] [6] [7] [8] [11] [12], the botnet exploited the zero-day vulnerability in Four-Faith routers to deliver its payloads [6], which included malware samples executed with a unique parameter, “faith2,” during the infection process [4]. The botnet’s operators have shown notable hostility [5], retaliating against researchers monitoring its activities [8], including repeated DDoS attacks on Qi’anxin XLab after they registered command-and-control (C2) domain names for analysis. Due to a lack of DDoS mitigation [13], XLab ultimately ceased their investigation to prevent further disruptions [13].

To mitigate risks associated with such attacks [5], organizations and individuals are advised to update router firmware [5], isolate critical systems from vulnerable devices [3], and implement DDoS protection measures [3], as these basic security practices can help limit potential exploitation [5]. Analysis of the botnet’s code has revealed plaintext strings and a custom “gayfemboy” registration packet [8], indicating that, despite its advances, the malware applies little protection against analysis. DDoS attacks [2] [3] [4] [5] [7] [8] [10] [11] [12] [13], characterized as low-cost and highly reusable [8], can quickly deplete or disable target networks [8], making them a prevalent and destructive form of cyberattack [8]. The botnet employs diverse attack modes [8], self-updating capabilities [10], and scanning functions [10], continuously evolving its strategies to target various industries and systems [8], posing significant threats to enterprises [8], government organizations [8], and individual users [5] [8]. The introduction of new encryption commands and mechanisms has further enhanced the botnet’s resilience and advanced capabilities, making it particularly dangerous in the current cybersecurity landscape.
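The two observations above that a defender can act on directly are the plaintext “gayfemboy” registration marker and the “faith2” execution parameter in the malware’s traffic, and the weak-Telnet-password infection path. The following script is an added example, not code from the original report or from XLab: it applies both observations as triage rules over constructed sensor records. The record format (fields `src`, `dport`, `event`, `payload`), the failure threshold, and the sample data are assumptions for the example; the page does not describe the actual registration packet layout, so the matcher only looks for the quoted strings.

```python
"""Added defensive triage example (not from the original report).

Rule 1: match the plaintext "gayfemboy" registration marker and the
        "faith2" execution parameter (both quoted on the page) in payloads.
Rule 2: flag sources that repeatedly fail Telnet logins, the weak-credential
        path Mirai-style bots use to spread.
Record format, threshold and sample data are constructed for this example.
"""
from __future__ import annotations

from collections import Counter
from typing import Iterable

# Indicator strings taken from the page; compared case-insensitively on raw
# bytes so they are found in a registration packet or a command line alike.
PAYLOAD_MARKERS = (b"gayfemboy", b"faith2")

TELNET_PORT = 23
FAIL_THRESHOLD = 5  # constructed tuning value, not from the page


def match_payload_markers(payload: bytes) -> list[str]:
    """Return the indicator strings present in a captured payload."""
    lowered = payload.lower()
    return [m.decode() for m in PAYLOAD_MARKERS if m in lowered]


def telnet_bruteforce_sources(records: Iterable[dict],
                              threshold: int = FAIL_THRESHOLD) -> dict[str, int]:
    """Count failed Telnet logins per source; return those at/over threshold."""
    fails = Counter(
        r["src"] for r in records
        if r.get("dport") == TELNET_PORT and r.get("event") == "login_failed"
    )
    return {src: n for src, n in fails.items() if n >= threshold}


def triage(records: list[dict]) -> dict:
    """Run both rules and return the findings as a dict."""
    payload_hits = []
    for r in records:
        hits = match_payload_markers(r.get("payload", b""))
        if hits:
            payload_hits.append((r["src"], hits))
    return {
        "payload_hits": payload_hits,
        "telnet_bruteforce": telnet_bruteforce_sources(records),
    }


# Constructed sample records (assumed format; not real captures).
SAMPLE_RECORDS = (
    # one host hammering Telnet with bad credentials
    [{"src": "203.0.113.7", "dport": 23, "event": "login_failed", "payload": b""}] * 6
    # a second host with a couple of failures, below threshold
    + [{"src": "198.51.100.9", "dport": 23, "event": "login_failed", "payload": b""}] * 2
    # a host that logged in and ran a sample with the "faith2" parameter,
    # then sent a registration containing the plaintext marker
    + [
        {"src": "192.0.2.5", "dport": 23, "event": "login_ok",
         "payload": b"/tmp/.x faith2\n"},
        {"src": "192.0.2.5", "event": "data",
         "payload": b"\x00\x10GAYFEMBOY\x00"},
    ]
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

The threshold rule deliberately ignores successful logins, so a device that is legitimately administered over Telnet is not flagged; the marker rule, on the other hand, is a high-confidence match regardless of port, because the strings are specific to this family.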

Conclusion

The Gayfemboy botnet exemplifies the evolving nature of cyber threats, with its sophisticated capabilities and widespread impact. To combat such threats, it is crucial for organizations and individuals to adopt robust cybersecurity measures, including regular updates and DDoS protection. As cyberattacks continue to grow in complexity, proactive defense strategies will be essential in safeguarding critical infrastructure and sensitive information.

References

[1] https://www.01net.com/actualites/milliers-routeurs-pirates-botnet-exploite-20-failles-lancer-cyberattaques.html
[2] https://www.infosecurity-magazine.com/news/mirai-botnet-zerodays-routers/
[3] https://hackyourmom.com/en/novyny/botnet-gayfemboy-vykorystovuye-vrazlyvist-0-day-routeriv-dlya-globalnyh-ddos-atak/
[4] https://news.hackreports.com/gayfemboy-0-day-router-attacks-ongoing-what-you-need-to-know-forbes/
[5] https://www.forbes.com/sites/daveywinder/2025/01/08/gayfemboy-0-day-router-attacks-ongoing-what-you-need-to-know/
[6] https://blog.xlab.qianxin.com/gayfemboy-en/
[7] https://www.world-today-news.com/new-mirai-botnet-targets-zero-day-vulnerabilities-in-routers-and-smart-devices/
[8] https://securityaffairs.com/172805/malware/gayfemboy-mirai-botnet-four-faith-flaw.html
[9] https://cybersecuritynews.com/mirai-botnet-exploiting-routers-0-day-vulnerabilities/
[10] https://blog.netmanageit.com/gayfemboy-a-botnet-deliver-through-a-four-faith-industrial-router-0-day-exploit/
[11] https://osintcorp.net/new-mirai-botnet-exploits-zero-days-in-routers-and-smart-devices/
[12] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-january-08-2025
[13] https://thecyberwire.com/podcasts/daily-podcast/2219/transcript