{"id":57800,"date":"2024-12-03T00:00:00","date_gmt":"2024-12-03T00:00:00","guid":{"rendered":"urn:uuid:1cb1cca2-4b3e-e17b-8e55-89568f33f1c5"},"modified":"2024-12-03T00:00:00","modified_gmt":"2024-12-03T00:00:00","slug":"gafgyt-malware-broadens-its-scope-in-recent-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/","title":{"rendered":"Gafgyt Malware Broadens Its Scope in Recent Attacks"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/gafgyt:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\" content=\"Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. This threat traditionally targets IoT devices; this new tactic signals a change in its behavior.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"cloud,malware,research,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-12-03\"> <meta property=\"article:tag\" content=\"malware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers.html\"> <title>Gafgyt Malware Broadens Its Scope in Recent Attacks | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link 
href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers.html\"><br \/>\n<meta property=\"og:title\" content=\"Gafgyt Malware Broadens Its Scope in Recent Attacks\"><br \/>\n<meta property=\"og:description\" content=\"Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. This threat traditionally targets IoT devices; this new tactic signals a change in its behavior.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/gafgyt.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Gafgyt Malware Broadens Its Scope in Recent Attacks\"><br \/>\n<meta name=\"twitter:description\" content=\"Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. 
This threat traditionally targets IoT devices; this new tactic signals a change in its behavior.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/gafgyt.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.083061129258\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1914825896\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.2801724137931\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.043103448276\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. 
This threat traditionally targets IoT devices; this new tactic signals a change in its behavior.<\/p>\n<p class=\"article-details__author-by\">By: Sunil Bharti <time class=\"article-details__date\">December 03, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"39\">\n<div readability=\"23\">\n<p><b>Report highlights:<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Trend Micro Research observed threat actors targeting misconfigured Docker Remote API servers with the Gafgyt malware.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Threat actors can perform a DDoS attack on the target servers if the Gafgyt malware is successfully deployed.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Gafgyt primarily targets vulnerable IoT devices, but we\u2019ve recently observed this malware being used to attack Docker Remote API servers, signifying a notable shift in its behavior.<\/span><\/li>\n<\/ul>\n<p>Recently, we&#8217;ve observed the Gafgyt malware (also known as Bashlite or Lizkebab) targeting publicly exposed Docker 
Remote API servers. Traditionally, this malware has focused on vulnerable IoT devices, but we&#8217;re now seeing a shift in its behavior as it expands its targets beyond its usual scope.<\/p>\n<p>We noticed attackers targeting publicly exposed misconfigured Docker remote API servers to deploy the malware by creating a Docker container based on a legitimate \u201calpine\u201d docker image. Along with deployment of Gafgyt malware, attackers used Gafgyt botnet malware to infect the victim. After the deployment, the attacker can launch DDoS attack on targeted servers.<\/p>\n<p>We&#8217;ll take a close look at the attack process, showing how attackers exploit exposed Docker Remote API servers.<\/p>\n<p><b><span class=\"body-subhead-title\">The attack sequence<\/span><\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig1.png\" alt=\"Attack chain\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. Attack chain<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The attacker first tried to deploy Gafgyt botnet binary written in Rust with file name \u201crbot\u201d in a Docker container created by the \u201calpine\u201d docker image.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig2.jpg\" alt=\"Container create request along with botnet deployment\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. 
Container create request along with botnet deployment<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>In the above request, the attacker created a container with the \u201calpine\u201d image. The attacker is also using \u201cchroot\u201d to change the root directory of the container to \u201c\/mnt\u201d along with <i>&#8220;Binds&#8221;:[&#8220;\/:\/mnt&#8221;]<\/i> option. The attacker uses this command to mount the host&#8217;s root directory (\/:) to the \/mnt directory inside the container. This means the container can access and modify the host&#8217;s filesystem as if it were part of its own filesystem. By doing so, the attacker can escalate privileges and potentially gain control over the host system.<\/p>\n<p>In the container creation request, the attacker downloaded the Gafgyt botnet binary as file name \u201crbot\u201d and executed it. While examining the binary we found that it contained hardcoded command-and-control server IP address and Port.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig3.png\" alt=\"C&amp;C server address\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. 
C&amp;C server address<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>&nbsp;If communication with the C&amp;C server succeeds, the malicious bot parses the response and launches a DDoS attack using <i>UDP, TCP and HTTP<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig4.png\" alt=\"UDP flooding\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. UDP flooding<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig5.png\" alt=\"HTTP connection creation code\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. HTTP connection creation code<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>If the container creation request failed, the attacker tried to deploy another container based on the same alpine Docker image, this time with a different Gafgyt binary, using \u201catlas.i586\u201d as the binary name. The container creation request observed is below.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig6.jpg\" alt=\"Container create request along with another botnet binary deployment\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. 
Container create request along with another botnet binary deployment<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"39\">\n<div readability=\"23\">\n<p>In the above request, the attacker used chroot and bind command to elevate the privileges like in the previous instance and deployed the botnet binary on the victim\u2019s system with file name \u201catlas.i586\u201d. The interesting point here is the argument \u201c0day.\u201d While we could not find evidence that it exploits any 0day vulnerabilities, we believe it\u2019s just a parameter given while executing the botnet.<\/p>\n<p>The bot is controlled by the same C&amp;C server as the previous one. When executed with the argument <i>Name:0day<\/i> it receives responses from the server. Based on the server responses, it performs various actions, primarily executing distributed denial of service (DDoS) attacks using different protocols such as UDP, ICMP, HTTP, SYN, and more.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig7.png\" alt=\"C&amp;C address\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. C&amp;C address<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig8.png\" alt=\"List of protocols can be used for DDoS\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. 
List of protocols that can be used for DDoS<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>It also tries to find the local IP address of the victim host.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig9.jpg\" alt=\"Local IP address discovery\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. Local IP address discovery<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>Essentially, the code uses Google&#8217;s DNS server 8.8.8.8 as a target IP to determine which network interface and local IP address the system would use for outbound communication. Once the socket is created and the connection attempt is made to 8.8.8.8 on port 53, the function calls <i>getsockname()<\/i> to retrieve the local IP address of the interface that would be used to communicate with Google\u2019s DNS server.<\/p>\n<p>If the container deployment attempt fails, the attacker tries to deploy another variant of the Gafgyt botnet binary through a shell script, which downloads and executes the botnet binaries for different system architectures.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig10.jpg\" alt=\"Deployment of \u201ccve.sh\u201d shell script via Docker container creation request\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. 
Deployment of \u201ccve.sh\u201d shell script via Docker container creation request<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>In the above request, the attacker is using same technique to elevate the privileges using \u201cchroot\u201d and \u201cBind\u201d while creating the docker container. This time, the attacker uses a shell script named \u201ccve.sh\u201d to deploy the botnet binaries of various system architectures hosted on attacker\u2019s C&amp;C server 178[.]215[.]238[.]31. This shell script is straightforward and contains only the botnet binaries URL; it downloads them and executes them.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers\/fig11.jpg\" alt=\"Contents of cve.sh shell script\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. 
Contents of cve.sh shell script<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"41.847250509165\">\n<div readability=\"32.547861507128\">\n<p>All these binaries have the same hardcoded C2 server IP address.<\/p>\n<p><b>Recommendations<\/b><\/p>\n<p>We recommend the following steps to enhance the security of Docker Remote API servers and mitigate the risks associated with potential exploitation for malicious activities:<b><\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Secure Docker Remote API servers by implementing strong access controls and authentication mechanisms to prevent unauthorized access.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Regularly monitor Docker Remote API servers for any unusual or unauthorized activities, and promptly investigate and address any suspicious behavior.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Implement container&nbsp;<a href=\"https:\/\/docs.docker.com\/engine\/security\/\" title=\"open on a new tab\">security best practices<\/a>, such as avoiding the use of &#8220;Privileged&#8221; mode and carefully reviewing container images and configurations before deployment.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.docker.com\/resources\/trainings\/\" title=\"open on a new tab\">Educate and train personnel<\/a>&nbsp;responsible for managing Docker Remote API servers about security best practices and potential attack vectors.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Stay informed about&nbsp;<a href=\"https:\/\/docs.docker.com\/security\/security-announcements\/\" title=\"open on a new tab\">security updates<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/docs.docker.com\/desktop\/release-notes\/\" title=\"open on a new tab\">patches<\/a>&nbsp;for Docker and related software to address any known vulnerabilities that could be exploited by threat actors.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Regularly review and update security policies and 
procedures related to Docker Remote API server management to align with the latest security best practices and recommendations.<\/span><\/li>\n<\/ul>\n<p><b><span class=\"body-subhead-title\">Trend Micro Vision One Threat Intelligence<\/span><\/b><\/p>\n<p>To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.<\/p>\n<p><b><span class=\"body-subhead-title\">Hunting Queries<\/span><\/b><\/p>\n<p><b>Trend Micro Vision One Search App<\/b><\/p>\n<p>Trend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.&nbsp;&nbsp;&nbsp;<\/p>\n<p><i>Presence of Gafgyt Malware Detection &#8211; Antimalware<\/i><\/p>\n<p><span class=\"blockquote\">malName: Backdoor.Linux.GAFGYT* AND eventName: Malware_DETECTION<\/span><\/p>\n<p>More hunting queries are available for Vision One customers with&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\" title=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\">Threat Insights Entitlement enabled<\/a><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"30.739495798319\">\n<div class=\"responsive-table-wrap\" readability=\"6.9411764705882\">\n<p><b><span class=\"body-subhead-title\">MITRE ATT&amp;CK Techniques<\/span><\/b><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"4\">\n<tr>\n<td 
width=\"208\" valign=\"top\"><b>Tactic<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Technique<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Technique ID<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Initial Access<\/td>\n<td width=\"208\" valign=\"top\">External Remote Services<\/td>\n<td width=\"208\" valign=\"top\">T1133<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" rowspan=\"2\" valign=\"top\">Execution<\/td>\n<td width=\"208\" valign=\"top\">Deploy Container<\/td>\n<td width=\"208\" valign=\"top\">T1610<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Command and Scripting Interpreter: Unix Shell<\/td>\n<td width=\"208\" valign=\"top\">T1059.004<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Privilege Escalation<\/td>\n<td width=\"208\" valign=\"top\">Escape to Host<\/td>\n<td width=\"208\" valign=\"top\">T1611<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" rowspan=\"2\" valign=\"top\">Command and Control<\/td>\n<td width=\"208\" valign=\"top\">Application Layer Protocol<\/td>\n<td width=\"208\" valign=\"top\">T1071<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Ingress Tool Transfer<\/td>\n<td width=\"208\" valign=\"top\">T1105<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Discovery<\/td>\n<td width=\"208\" valign=\"top\">System Network Configuration Discovery<\/td>\n<td width=\"208\" valign=\"top\">T1016<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Impact<\/td>\n<td width=\"208\" valign=\"top\">Network Denial of Service<\/td>\n<td width=\"208\" valign=\"top\">T1498<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<p>The indicators of compromise can be found <a href=\"https:\/\/documents.trendmicro.com\/assets\/txt\/Gafgyt_IOCsmyR8dPb.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> 
<\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. This threat traditionally targets IoT devices; this new tactic signals a change in its behavior. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9513,9509],"class_list":["post-57800","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Gafgyt Malware Broadens Its Scope in Recent Attacks 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Gafgyt Malware Broadens Its Scope in Recent Attacks 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-12-03T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/gafgyt:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Gafgyt Malware Broadens Its Scope in Recent Attacks\",\"datePublished\":\"2024-12-03T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/\"},\"wordCount\":1260,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/gafgyt:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/\",\"name\":\"Gafgyt Malware Broadens Its Scope in Recent Attacks 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/gafgyt:Large?qlt=80\",\"datePublished\":\"2024-12-03T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/gafgyt:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/gafgyt:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gafgyt-malware-broadens-its-scope-in-recent-attacks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Gafgyt Malware Broadens Its 
Scope in Recent Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":
\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Gafgyt Malware Broadens Its Scope in Recent Attacks 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/","og_locale":"en_US","og_type":"article","og_title":"Gafgyt Malware Broadens Its Scope in Recent Attacks 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-12-03T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/gafgyt:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Gafgyt Malware Broadens Its Scope in Recent Attacks","datePublished":"2024-12-03T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/"},"wordCount":1260,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/gafgyt:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/","url":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/","name":"Gafgyt Malware Broadens Its 
Scope in Recent Attacks 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/gafgyt:Large?qlt=80","datePublished":"2024-12-03T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/gafgyt:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/gafgyt:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/gafgyt-malware-broadens-its-scope-in-recent-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Gafgyt Malware Broadens Its Scope in Recent Attacks"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity 
News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57800"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57800\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}