A botnet with a unique name, Gayfemboy, is breaking the usual trend with Mirai variants to become a persistent DDoS threat.
First identified by cybersecurity researchers at QiAnXin’s XLab in February 2024, Gayfemboy confounded analysts with its resilience, rapid evolution, and aggressive nature. Unlike the transient Mirai derivatives that litter the landscape, Gayfemboy has grown into a sophisticated and large-scale botnet capable of exploiting zero-day (0-day) vulnerabilities and launching ferocious attacks.
When Gayfemboy emerged in February 2024, it appeared to be just another Mirai clone. The initial samples were unremarkable, packed with a standard UPX shell and lacking notable innovation. Many would have dismissed it as another fleeting botnet doomed to fade. However, over the following months, Gayfemboy underwent aggressive iterative development to integrate new capabilities.
By April 2024, its developers modified the UPX shell with a new magic number, “YTS\x99”, and adopted a customised registration packet labelled “gayfemboy.” By mid-June, the botnet advanced further, adjusting its UPX shell and achieving relative stability, with only incremental changes to command-and-control (C2) domains.
As researchers continued tracking its development, the team at XLab observed Gayfemboy becoming increasingly innovative. In November 2024, the botnet advanced dramatically, exploiting a 0-day vulnerability in Four-Faith industrial routers (later disclosed as CVE-2024-12856) – alongside apparent unknown vulnerabilities in Neterbit routers and Vimar smart home devices – to dramatically expand its infection scale.
Gayfemboy’s capabilities and aggression became glaringly evident when researchers at XLab attempted to analyse its scale by registering unclaimed C2 domains. Upon detecting the researchers’ actions, the botnet operators launched retaliatory DDoS attacks against the registered domains—a hostile move that underscored Gayfemboy’s sophistication and operational tenacity.
The analysis revealed Gayfemboy to be an ambitious and fast-evolving entity. XLab measured over 15,000 daily active nodes orchestrated under the botnet’s command. These compromised devices were organised into more than 40 separate groups, demonstrating an advanced mechanism for managing the botnet’s sprawling network of infected devices.
Gayfemboy exploits 0-day and N-day vulnerabilities
Gayfemboy distinguishes itself by using a mix of more than 20 vulnerabilities alongside Telnet weak credentials to compromise devices. The operators integrate both N-day vulnerabilities (well-documented security holes) and 0-day exploits to scale their botnet.
Undisclosed vulnerabilities affected devices such as Vimar smart home solutions. For understandable ethical reasons, the researchers omitted details of the undisclosed vulnerabilities.)
The infection method varies based on the targeted device. Researchers identified several infected devices based on the grouping information embedded in the botnet’s data. This enables attackers to efficiently categorise and control infected nodes. The primary targets include:
- ASUS routers, using N-day vulnerabilities.
- Four-Faith routers, breached via CVE-2024-12856.
- Neterbit routers, methodological details unknown.
China, the US, Iran, Russia, and Turkey account for the majority of compromised devices, although Gayfemboy’s infections span other regions as well.
A persistent DDoS threat
Gayfemboy’s true strength lies in its ability to launch devastating DDoS attacks. From February 2024 onward, the botnet shifted its focus towards intermittent but high-impact DDoS offensives targeting hundreds of entities daily.
Analysts tracked a sharp uptick in activity around October and November 2024, affecting industries spanning from telecoms to government organisations. Geographically, the attacks primarily hit entities in China, the US, Germany, the UK, and Singapore.
When XLab researchers used a virtual private server (VPS) from a cloud provider to monitor Gayfemboy’s C2 domains, the botnet unleashed recurring DDoS strikes against the VPS.
The attacks against the VPS, lasting between 10 and 30 seconds, succeeded in rendering it inaccessible. When the cloud provider detected the behaviour, they blackholed traffic to the VPS for 24 hours—a testament to the botnet’s substantial firepower, with attack traffic estimated at 100GB.
Evolution of Gayfemboy
Despite Gayfemboy’s advanced functionalities, certain elements of its code highlight the operators’ roots in Mirai.
The bot retains Mirai’s command structure but has removed its signature string table, substituted plaintext strings, and added new capabilities. For instance:
- Commands allow operators to initiate or halt scans, kill active attacks, or update the bot itself.
- Upon execution, the bot displays “we gone now\n”—a line that has persisted through every iteration.
One peculiar feature is Gayfemboy’s attempt to hide itself by exploiting writable directories. Upon startup, the bot searches for writable paths, writes a test file, and deletes it. If successful, it mounts the directory to `/proc/` to obscure the process ID, concealing its presence in the `/proc` filesystem.
Gayfemboy’s embedding of new operational commands allows attackers to launch DDoS campaigns, download malicious payloads, and initiate scanning operations—all with clear precision and consistent updates.
With increasing accessibility and low costs, distributed botnets like Gayfemboy demonstrate how easily malicious actors can continuously evolve as they integrate new vulnerabilities and methods. Gayfemboy’s sophisticated approach, from exploiting 0-days to strategic retaliatory attacks, reflects a broader escalation in the capabilities of modern botnets.
(Photo by Marek Piwnicki)
See also: Eseye: IoT connectivity and security challenges persist
Want to learn about the IoT from industry leaders? Check out IoT Tech Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including Cyber Security & Cloud Expo, AI & Big Data Expo, Intelligent Automation Conference, Edge Computing Expo, and Digital Transformation Week.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.
Discover more from TrendyShopToBuy
Subscribe to get the latest posts sent to your email.
