{"id":58021,"date":"2025-01-17T00:00:00","date_gmt":"2025-01-17T00:00:00","guid":{"rendered":"urn:uuid:91d24361-10d0-6233-7629-11a5f89bf93d"},"modified":"2025-01-17T00:00:00","modified_gmt":"2025-01-17T00:00:00","slug":"iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/","title":{"rendered":"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/large-scale-iot-botnet-976:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\" content=\"Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,iot,research,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2025-01-17\"> <meta property=\"article:tag\" content=\"iot\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/a\/iot-botnet-linked-to-ddos-attacks.html\"> <title>IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" 
rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/a\/iot-botnet-linked-to-ddos-attacks.html\"><br \/>\n<meta property=\"og:title\" content=\"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024\"><br \/>\n<meta property=\"og:description\" content=\"Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/large-scale-iot-botnet-976.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024\"><br \/>\n<meta name=\"twitter:description\" content=\"Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/large-scale-iot-botnet-976.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.072265876594\"> <!-- 
Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1761313902\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.5\">\n<div class=\"article-details\" role=\"heading\" readability=\"37\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">IoT<\/p>\n<p class=\"article-details__description\">Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.<\/p>\n<p class=\"article-details__author-by\">By: Trend Micro Research <time class=\"article-details__date\">January 17, 2025<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to 
Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"42.648621041879\">\n<div readability=\"30.746680286006\">\n<ul>\n<li><span class=\"rte-red-bullet\">Since the end of 2024, we have been continuously observing large-scale DDoS attacks targeting companies in Japan, issued from the command-and-control (C&amp;C) servers of an IoT botnet that has been attacking various countries globally.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The botnet comprises malware variants derived from Mirai and Bashlite and infects IoT devices by exploiting vulnerabilities and weak credentials. Infection stages include the downloading and execution of malware payloads that connect to C&amp;C servers for attack commands.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The botnet\u2019s commands include those that can incorporate various DDoS attack methods, update malware, and enable proxy services.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">There is a wide geographic dispersion of attack targets, mostly concentrated in North America and Europe. Differences in command usage exist between domestic (Japan) and international targets, with varied impact on different industry sectors.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The primary devices used in the botnet were wireless routers and IP cameras from well-known brands.<\/span><\/li>\n<\/ul>\n<h2><span class=\"body-subhead-title\">Introduction<\/span><\/h2>\n<p>We discovered an <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/internet-of-things\">Internet-of-Things<\/a> (IoT) botnet and have been continuously observing large-scale distributed denial-of-service (DDoS) attack commands sent from its command-and-control (C&amp;C) server targeting Japan, as well as other countries around the world, since the end of 2024. 
These attacks targeted various companies in different countries, including multiple major Japanese corporations and banks.<\/p>\n<p>Although we cannot confirm the exact relationship with the attack commands at this time, some of the organizations that were targeted reported temporary connection and network disruptions of web services during the same period. In this article, we will summarize the attack commands sent to this botnet and report the results of our analysis.<\/p>\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>This botnet is composed of malware derived from Mirai and Bashlite (also known as <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/l\/gafgyt-malware-targeting-docker-remote-api-servers.html\">Gafgyt<\/a> and Lizkebab, among others). It infects IoT devices by exploiting remote code execution (RCE) vulnerabilities or weak initial passwords, and goes through the following stages of infection:<\/p>\n<ol>\n<li>The malware infiltrates the device by exploiting RCE vulnerabilities or weak passwords, then executes a download script on the infected host. This script downloads and executes a second-stage executable file (loader) from a distribution server.<\/li>\n<li>The executable file (loader) downloads the executable payload (the actual malware) from the distribution server via HTTP. During this time, the executable payload is written to the memory image and executed, so that the executable file is not left on the infected host. In addition, a specific User-Agent header is set in the HTTP request for access, preventing the executable payload from being downloaded via normal web access.<\/li>\n<\/ol>\n<p>The executable payload (the actual malware) connects to the C&amp;C server and waits for commands for DDoS attacks and other purposes. 
When a command is received, it performs the corresponding action based on its contents.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"517d48\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig1.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig1.png\" alt=\"Figure 1. A code to download binaries from the distribution server with custom User-Agent header\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. A code to download binaries from the distribution server with custom User-Agent header<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>The command messages are text messages with a message length of two bytes added at the beginning, and use the following structure:<\/p>\n<p><span class=\"blockquote\">&lt;Message Length 2 bytes&gt;.&lt;Text Message&gt;<\/span><\/p>\n<p>The text message portion is a string that represents the command and arguments separated by spaces (for example, a message like &#8220;syn xxx.xxx.xxx.xxx 0 0 60 1&#8221;). This command means that it will perform a SYN Flood attack for 60 seconds on a random port number (0 meaning random) of the attack target IP address indicated by xxx.xxx.xxx.xxx.<\/p>\n<p>We found that the commands shown in Table 1 may be used. From the identified commands, we discovered that hosts infected with this malware may not only participate in DDoS attacks, but could also be used as part of an underground proxy service. 
Table 1 shows the commands that were identified through the analysis.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"14.5\">\n<tr>\n<th scope=\"col\">Command<\/th>\n<th scope=\"col\">Description<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>socket<\/b><\/td>\n<td width=\"213\">Performs DDoS attack using massive TCP connections<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>handshake<\/b><\/td>\n<td width=\"213\">Performs DDoS attack by establishing massive TCP connections and sending random data<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"27\" width=\"213\"><b>stomp<\/b><\/td>\n<td width=\"213\">Performs DDoS attack using Simple Text Oriented Messaging Protocol (after TCP connection, sends massive random payload)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>syn<\/b><\/td>\n<td width=\"213\">Performs TCP SYN Flood attack<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>ack<\/b><\/td>\n<td width=\"213\">Performs TCP ACK Flood attack<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>udph<\/b><\/td>\n<td width=\"213\">Performs UDP Flood attack<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>tonudp<\/b><\/td>\n<td width=\"213\">Performs UDP Flood attack to a hardcoded target within the malware<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>gre<\/b><\/td>\n<td width=\"213\">Performs DDoS attack using the Generic Routing Encapsulation (GRE) protocol<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>update<\/b><\/td>\n<td width=\"213\">Updates the malware&#8217;s execution code<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>exec<\/b><\/td>\n<td width=\"213\">Executes a command on the infected 
host<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>kill<\/b><\/td>\n<td width=\"213\">Forcibly terminates the malware&#8217;s process<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td height=\"27\" width=\"213\"><b>socks<\/b><\/td>\n<td width=\"213\">Connects to a specified IP address and makes the infected host available as a Socks proxy server (using open-source reverse Socks proxy code)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"27\" width=\"213\"><b>udpfwd<\/b><\/td>\n<td width=\"213\">Forwards the UDP messages of a specified port to a specified destination<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<p><sup>Table 1. Command list<\/sup><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>The malware disables the watchdog timer so that the device does not reboot when the watchdog detects the high load caused by DDoS attacks. This behavior was also observed in variants of Mirai in the past.<\/p>\n<p>Note that a watchdog timer (WDT) is a mechanism that runs periodically on a computer system and uses a timer to confirm that the system is still operating. It detects conditions such as the main program hanging.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"aa68a8\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig2.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig2.png\" alt=\"Figure 2. Malware code to disable the Watchdog timer\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. 
Malware code to disable the Watchdog timer<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<h2><span class=\"body-subhead-title\"><\/span><\/h2>\n<p>The malware abuses the <i>iptables<\/i> command in Linux systems to delay the discovery of the infection and manipulate the packets used in the DDoS attacks.<\/p>\n<p>During startup, the malware sets rules for <i>iptables<\/i> using the code shown in Figure 3. These rules perform the following actions:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Allow TCP connection requests from the LAN side<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Deny TCP connection requests from the WAN side<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Allow packet reception related to established TCP connections<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Allow communication with the C&amp;C server<\/span><\/li>\n<\/ul>\n<p>By denying TCP connection requests from the WAN side, we believe the intent was to prevent re-infection by competing botnets that exploit the same vulnerabilities used for the initial intrusion. Allowing TCP connections from the LAN side lets the administrator continue to reach the device&#8217;s management console as usual, which makes the abnormality harder to notice.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"5a4b50\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig3.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig3.png\" alt=\"Figure 3. 
The iptables rules that the malware set in the initialization phase\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"f3e197\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig3b.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig3b.png\" alt=\"Figure 3. The iptables rules that the malware set in the initialization phase\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. The iptables rules that the malware set in the initialization phase<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The malware dynamically sets the necessary <i>iptables<\/i> rules when executing commands. When the <i>udpfwd<\/i> command is executed, it sets a configuration that allows the reception of external UDP packets to the specified port. When the<i> socket<\/i> command is executed, it sets a configuration to refuse the sending of TCP RST packets.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"3fe020\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig4.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig4.png\" alt=\"Figure 4. An iptables rule which the malware sets upon performing the \u201cudpfwd\u201d command\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. 
An iptables rule which the malware sets upon performing the \u201cudpfwd\u201d command<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"480493\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig5.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig5.png\" alt=\"Figure 5. Setting iptables rules when executing socket commands\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. Setting iptables rules when executing socket commands<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>This section discusses the results of our analysis of the IP addresses included in the commands. The following figures were all collected and aggregated between December 27, 2024, and January 4, 2025.<\/p>\n<p>When geolocating the targeted IP addresses, we can see that the targets span Asia, North America, South America, and Europe. Counting unique IP address strings (with a specified IP range counted as a single case), the targets are primarily concentrated in North America and Europe, with the United States at 17%, Bahrain at 10%, and Poland at 9%.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"876274\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig6.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig6.png\" alt=\"Figure 6. 
The target IP location mapping results\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. The target IP location mapping results<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"789672\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig7.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig7.png\" alt=\"Figure 7. Distribution of countries targeted by the DDoS attacks\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. Distribution of countries targeted by the DDoS attacks<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p>We observed differences in the types of commands used for attacks targeting Japan (which we focused on in this research) and other international targets. For international targets, we found commands such as <i>socket<\/i> and <i>handshake <\/i>that were not used in attacks against Japanese targets. Additionally, the<i> stomp<\/i> command was more frequent in attacks targeting Japan at 21%, while it was only used in 7% of the attacks targeting international targets. Conversely, the <i>gre<\/i> command was less frequent in attacks targeting Japan, but more frequent in attacks targeting international targets at 16%. Additionally, we found that two or more commands were sometimes combined and used in attacks against a single organization.<\/p>\n<p>After January 11th, we observed that <i>socket <\/i>and <i>handshake <\/i>commands targeting Japanese organizations were issued to the botnet. However, the attacks did not last long. Following that, other DDoS attacks were conducted instead. 
We believe that the actor behind the attacks was testing the effectiveness of these commands after these organizations took countermeasures against DDoS attacks.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"c66a17\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig8.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig8.png\" alt=\"Fig 8. Observed attack command ratio\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Fig 8. Observed attack command ratio<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>For attacks targeting Japanese organizations, we confirmed attack attempts against the transportation, information and communication, and finance and insurance industries. For international organizations, attacks against the information and communication industry were the most frequent at 34%, while attacks on the finance and insurance industry were approximately 8%.<\/p>\n<p>While there were some commonalities, one notable difference was that no attack commands targeting the transportation industry were observed against international targets.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"1654b5\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig9.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig9.png\" alt=\"Figure 9. 
Distribution of targeted industries outside Japan (statistics were calculated only from mechanically verified industries of IP addresses in observed attack commands)\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. Distribution of targeted industries outside Japan (statistics were calculated only from mechanically verified industries of IP addresses in observed attack commands)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>We used our global threat intelligence to monitor communication with a botnet&#8217;s C&amp;C server. As a result, we identified the IP addresses of 348 devices used in the attack. Additionally, by investigating the attributes and device vendors of these devices, we obtained the following results.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"58f3d0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig10.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig10.png\" alt=\"Fig 10. Analysis of 224 devices identified by their IP Addresses based on categorized devices. Left shows device category, while right shows device vendor distribution (statistics calculated only from devices with confirmed information among the 348 identified botnet devices).\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Fig 10. Analysis of 224 devices identified by their IP Addresses based on categorized devices. 
Left shows device category, while right shows device vendor distribution (statistics calculated only from devices with confirmed information among the 348 identified botnet devices).<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>The majority of the devices used in the attack were wireless routers, accounting for 80% of the total, followed by IP cameras at 15%. In terms of vendors, TP-Link and Zyxel wireless routers accounted for 52% and 20% respectively, while Hikvision IP cameras accounted for 12%. Geographically, India accounted for 57% and South Africa for 17% of the botnet&#8217;s devices.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"f0e1fe\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig11.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/fig11.png\" alt=\"Figure 11. Country distribution of 348 Devices identified by IP address that were part of the botnet \"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. Country distribution of 348 Devices identified by IP address that were part of the botnet <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"49.379228614523\">\n<div readability=\"44.979099332041\">\n<p>In recent years, there has been an increase in cases where IoT devices were <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/internet-of-things\/smart-yet-flawed-iot-device-vulnerabilities-explained\">being exploited as a platform for cyberattacks<\/a>. 
These devices can become infected with bot malware and be incorporated into a botnet, generating and transmitting a massive amount of traffic, either to cause damage through DDoS attacks, or used as a stepping stone for intrusion attacks on other networks. The following are some of the factors that make these devices vulnerable to attacks.<\/p>\n<ol>\n<li><b>Failure to change default settings<br \/><\/b>Many users do not change the default settings (especially the default password) of their devices, making it easy for attackers to gain access to the machine\u2019s firmware.<\/li>\n<li><b>Lack of updates<br \/><\/b>Old firmware and software often have known vulnerabilities that can be exploited by attackers.<\/li>\n<li><b>Lack of security features<br \/><\/b>Some IoT devices lack sufficient security features, making them more vulnerable to attacks.<\/li>\n<\/ol>\n<p>To prevent or minimize botnet expansion and impact, we recommend the following best practices to improve device security:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Immediately<b> change the default username and password<\/b> to something secure and difficult to brute-force after purchasing the device.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Regularly apply the latest firmware<\/b> and software provided by the manufacturer to prevent attackers from exploiting vulnerabilities and weaknesses in the device.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Consider disabling remote access or port forwarding functions<\/b> that are not in use.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Separate IoT devices into a dedicated network<\/b> to reduce risks to other systems.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Review the settings of home routers<\/b> and avoid opening unnecessary ports.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Properly manage and configure machines and other assets<\/b><span>, including IoT devices, to eliminate situations where devices 
are running unnoticed and to avoid leaving unneeded devices connected.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">If the management interface must be reachable from the internet, <b>restrict the allowed source addresses to the minimum necessary<\/b> to prevent abuse.<\/span><\/li>\n<\/ul>\n<p>The DDoS attacks carried out by the IoT botnet discussed in this blog entry are divided into two types: attacks that overload the network by sending a large number of packets, and attacks that exhaust server resources by establishing a large number of sessions. In addition, we observed two or more commands used in combination, so network-overload and server-resource-exhaustion attacks may occur simultaneously.<\/p>\n<p>Here are some examples of countermeasures that can be considered for each type of attack. We recommend that organizations consider implementing these suggestions, taking into account their environment and consulting with their contracted communication service provider.<\/p>\n<h3><span class=\"body-subhead-title\"><\/span><\/h3>\n<ul>\n<li><span class=\"rte-red-bullet\">Use a firewall or router to block specific IP addresses or protocols and restrict traffic.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Collaborate with communication service providers to filter DDoS traffic at the backbone or edge of the network.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Strengthen router hardware to increase the number of packets that can be processed.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Perform real-time monitoring and block IP addresses with high communication traffic.<\/span><\/li>\n<\/ul>\n<h3><span class=\"body-subhead-title\"><\/span><\/h3>\n<ul>\n<li><span class=\"rte-red-bullet\">Use a CDN provider to distribute and mitigate the load of the attack.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Limit the number of requests that can be sent by a specific IP address within a certain period 
of time.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Use third-party services to separate attack traffic and process clean traffic.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Perform real-time monitoring and block IP addresses with a high number of connections.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Detect and block abnormal traffic with IDS\/IPS.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Use behavioral analysis to cut off clients that have held a connection open for a long time without sending packets.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Strengthen server hardware to increase the number of packets that can be processed.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Increase the upper limit of server connections to improve availability.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Shorten timeout periods so that resources held by idle or stalled sessions are released and reused quickly.<\/span><\/li>\n<\/ul>\n<p>In addition, other types of DDoS attacks may be carried out by other IoT botnets. For an overview and countermeasures for such DDoS attacks, please refer to the guide provided by <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/DDoS%20Quick%20Guide.pdf\">U.S. Cybersecurity and Infrastructure Security Agency<\/a> (CISA).<\/p>\n<p>As seen in the recent botnet attacks, the use of infected devices can result in attacks crossing physical borders and causing significant damage to targeted countries or regions. It is essential to thoroughly implement IoT device security measures to avoid becoming an &#8220;accomplice&#8221; to such attacks. 
By taking proactive steps to secure IoT devices, individuals and organizations can help prevent the spread of botnets and protect against potential cyberthreats linked with these types of attacks.<\/p>\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/a\/large-scale-iot-botnet-linked-to-ddos-attacks\/ioc-large-scale-iot-botnet-linked-to-ddos-attacks-since-the-end-of-2024.txt\">here<\/a>. Defenders can match them against traffic from IoT devices on their own networks to find devices that may already be infected.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/a\/iot-botnet-linked-to-ddos-attacks.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9514,9513,9509],"class_list":["post-58021","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-iot","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-17T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/large-scale-iot-botnet-976:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 
2024\",\"datePublished\":\"2025-01-17T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/\"},\"wordCount\":2313,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/large-scale-iot-botnet-976:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : IoT\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/\",\"name\":\"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/large-scale-iot-botnet-976:Large?qlt=80\",\"datePublished\":\"2025-01-17T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/large-scale-iot-botnet-976:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/large-scale-iot-botnet-976:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat 
IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/","og_locale":"en_US","og_type":"article","og_title":"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-01-17T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/large-scale-iot-botnet-976:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024","datePublished":"2025-01-17T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/"},"wordCount":2313,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/large-scale-iot-botnet-976:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : IoT","Trend Micro Research : Malware","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/","url":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/","name":"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/large-scale-iot-botnet-976:Large?qlt=80","datePublished":"2025-01-17T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/large-scale-iot-botnet-976:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/large-scale-iot-botnet-976:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/iot-botnet-linked-to-large-scale-ddos-attacks-since-the-end-of-2024\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat 
Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58021","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=58021"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58021\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=58021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=58021"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=58021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}