{
	"id": "3b25d069-ee30-4a50-93cb-f39f5fc6bf47",
	"created_at": "2026-04-06T00:11:42.617352Z",
	"updated_at": "2026-04-10T13:12:24.125986Z",
	"deleted_at": null,
	"sha1_hash": "115098a96b9469c0b0c09a659d64d3e929ac67c1",
	"title": "New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 498409,
	"plain_text": "New DDoS Botnet Discovered: Over 30,000 Hacked Devices,\r\nMajority of Observed Activity Traced to Iran\r\nBy Noah StoneFebruary 28, 2025\r\nArchived: 2026-04-05 13:12:13 UTC\r\nUpdate (5 March 2025): Key Clarifications on Eleven11bot\r\nFurther analysis has refined the understanding of the scale and nature of Eleven11bot. Key clarifications:\r\nLikely a Mirai Variant\r\nEleven11bot is likely not a distinct botnet, but rather a Mirai variant using a single new exploit targeting\r\nHiSilicon-based devices, particularly those running TVT-NVMS9000 software.\r\nOverestimated Infection Numbers\r\nWhile reports estimated 86,400 infections globally, the actual number of compromised devices is likely\r\nfewer than 5,000.\r\nMisidentified Tracking Signature\r\nThe \"head[...]1111\" signature, initially associated with Eleven11bot, is not malware-related but rather part\r\nof the HiSilicon SDK protocol used for remote management across white-labeled devices.\r\nFaulty Detection Method Inflated Infection Estimates\r\nThe reported 86K+ infections appear to be based on a misidentification of normal HiSilicon device\r\nprotocol traffic as botnet activity.\r\nHow GreyNoise Identified This Activity\r\nGreyNoise analyzed a list of 1,400 IPs provided by Censys, identifying 1,042 of them engaging in scanning and\r\nexploitation attempts. These were primarily embedded systems that typically do not initiate outbound internet\r\ncommunication, reinforcing their likely compromise.\r\nWhile initial infection estimates were high, the activity observed in GreyNoise suggests that a subset of these\r\ndevices are actively participating in Mirai-related behavior. 
Because these IPs are unlikely to change dynamically (e.g., through DHCP), they may continue to be involved in future Mirai botnet activity.\r\nhttps://www.greynoise.io/blog/new-ddos-botnet-discovered\r\nPage 1 of 5\n\nGreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.\r\nA newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks. Nokia Deepfield’s Emergency Response Team (ERT) has identified a new botnet, tracked as Eleven11bot, which they estimated has compromised over 30,000 devices, primarily security cameras and network video recorders (NVRs).\r\nAccording to Deepfield, Eleven11bot has been used in distributed denial of service (DDoS) attacks against telecom providers and gaming platforms, with some attacks lasting multiple days and causing widespread disruptions. Jérôme Meyer, a security researcher tracking the botnet, described it as “one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.”\r\nGreyNoise Observations on Eleven11bot\r\nFollowing Deepfield’s findings, Censys provided GreyNoise with a list of 1,400 IPs that appear to be linked to Eleven11bot due to the configuration of the endpoint devices and the banners matching what Deepfield identified in their research. GreyNoise has observed 1,042 IPs actively hitting our sensors in the past 30 days.\r\nKey findings from our data:\r\n96% of these IPs are non-spoofable, meaning they originate from genuine, accessible devices.\r\n61% of the 1,042 observed IPs (636) are traced to Iran.\r\n305 IPs are currently classified as malicious by GreyNoise.\r\nWhile GreyNoise does not speculate on attribution, this increase in botnet activity comes just two days after the U.S. administration reasserted its “maximum pressure” campaign on Iran, imposing new economic sanctions.\r\nHow the Botnet is Expanding\r\nGreyNoise data indicates that the botnet is involved in malicious activities. Observations from GreyNoise show that the botnet is engaging in actions presumably aimed at expanding its operations, including:\r\nBrute-force attacks against login systems.\r\nExploitation of weak and default passwords on IoT devices.\r\nTargeting specific security camera brands, such as VStarcam, using hardcoded credentials.\r\nNetwork scanning for exposed Telnet and SSH ports, which are often left unprotected on IoT hardware.\r\nGreyNoise has identified 305 IP addresses actively carrying out malicious attacks linked to the botnet.\r\nHow to See the Botnet in Action\r\nSOC teams, vulnerability management professionals, and threat hunters can track the botnet’s live activity using GreyNoise:\r\n1. Navigate to the Analysis feature.\r\n2. Paste the list of botnet IPs (source: Censys) into the search bar.\r\n3. Download the CSV of malicious IPs to take immediate blocking actions.\r\nCensys-Provided IP List\r\nA list of IPs associated with this botnet is available below:\r\nHow Organizations Can Defend Themselves\r\nGreyNoise recommends the following steps to protect against the botnet and similar cyber threats:\r\nBlock traffic from known malicious IPs. GreyNoise provides real-time data for defenders to block threats proactively.\r\nMonitor network logs for unusual login attempts. Attackers are brute-forcing weak Telnet and SSH credentials.\r\nSecure IoT devices immediately. Change default passwords, update firmware, and disable remote access where unnecessary.\r\nEnable DDoS protection and rate-limiting. The botnet is designed for high-intensity attacks, so organizations should harden their network defenses.\r\nGreyNoise is Actively Monitoring Eleven11bot-Linked Activity\r\nGreyNoise continues to track real-time scanning and attack activity from the botnet. We will provide further updates if new information arises.\r\nTrack the botnet in real time — see if your network is a target. Navigate to the GreyNoise Analysis feature, paste the IPs above into the search bar, and download the CSV of malicious IPs for immediate blocking actions.\r\n— — —\r\nStone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.\r\nThis article is a summary of the full, in-depth version on the GreyNoise Labs blog.\r\nSource: https://www.greynoise.io/blog/new-ddos-botnet-discovered",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.greynoise.io/blog/new-ddos-botnet-discovered"
	],
	"report_names": [
		"new-ddos-botnet-discovered"
	],
	"threat_actors": [],
	"ts_created_at": 1775434302,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/115098a96b9469c0b0c09a659d64d3e929ac67c1.pdf",
		"text": "https://archive.orkl.eu/115098a96b9469c0b0c09a659d64d3e929ac67c1.txt",
		"img": "https://archive.orkl.eu/115098a96b9469c0b0c09a659d64d3e929ac67c1.jpg"
	}
}