
Mirai Botnet Variant Exploits Zero-Day Vulnerabilities in Routers


Researchers first observed the Gayfemboy botnet in early 2024 as a basic Mirai variant. However, the botnet evolved rapidly through iterative development: it adopted UPX polymorphic packing, integrated N-day vulnerabilities, and ultimately leveraged a 0-day vulnerability in Four-Faith industrial routers.

By November 2024, Gayfemboy had infected over 15,000 devices, utilizing over 40 grouping categories for command and control. Upon detecting researchers’ registration of its C2 domains, Gayfemboy aggressively retaliated with DDoS attacks.

The analysis demonstrates the botnet’s rapid evolution from a generic threat to a significant player in the botnet landscape, equipped with advanced capabilities and a proactive defense mechanism.

[Figure: Geographical distribution of attack targets]

The Gayfemboy botnet leverages various vulnerabilities, including critical remote code execution flaws like CVE-2024-12856 (Four-Faith router 0-day) and undisclosed vulnerabilities affecting Neterbit and Vimar devices. 

This, combined with the exploitation of well-known CVEs (e.g., CVE-2013-3307, CVE-2014-8361, and CVE-2020-25499) and the abuse of weak Telnet credentials, allows ...


This story originally appeared on gbhackers, which holds the copyright; see the original article for the full text.