{
	"id": "c54285ff-3bd9-460e-b00b-8a3902642b88",
	"created_at": "2026-04-06T00:09:47.628202Z",
	"updated_at": "2026-04-10T03:19:57.596902Z",
	"deleted_at": null,
	"sha1_hash": "23d3e543a9214283cb8a00a940c6cc43d2c60dc2",
	"title": "HNS Evolves From IoT to Cross-Platform Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 854730,
	"plain_text": "HNS Evolves From IoT to Cross-Platform Botnet\r\nBy Catalin Cimpanu\r\nPublished: 2018-07-06 · Archived: 2026-04-05 13:18:23 UTC\r\nA botnet discovered at the start of the year and named Hide 'N Seek (HNS) has expanded from infecting Internet of Things\r\n(IoT) devices and is now also targeting cross-platform database solutions as well.\r\nThis is an important development in the botnet's evolution, which also passed a significant milestone in May when it became\r\nthe first IoT malware that was capable of surviving device reboots.\r\nHNS now targets more devices\r\nNow, the Netlab research team at Qihoo 360 says that HNS has expanded beyond the scope of routers and DVRs and is now\r\nalso targeting database applications running on server operating systems.\r\nhttps://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nAccording to Netlab researchers, the botnet is now capable of infecting the following types of devices, with the following\r\ntypes of exploits:\r\n1. TPLink-Routers RCE\r\n2. Netgear RCE\r\n3. (new) AVTECH RCE\r\n4. (new) CISCO Linksys Router RCE\r\n5. (new) JAW/1.0 RCE\r\n6. (new) OrientDB RCE\r\n7. (new) CouchDB RCE\r\nAs a side-effect for adding more payloads, HNS is also noisier now, as it needs to scan more ports to find new hosts to\r\ninfect. Experts say they've seen HNS bots initiating scans on ports:\r\n23      Telnet  \r\n80      HTTP Web Service  \r\n2480  OrientDB  \r\n5984  CouchDB  \r\n8080  HTTP Web Service  \r\n... but also random ports\r\nBut HNS was easy to spot anyway because it's only the second major IoT botnet besides Hajime known to use a P2P\r\nstructure, so security researchers would have an easy time identifying it regardless.\r\nHNS testing coinminer payload\r\nHNS is not the first botnet to target OrientDB servers, which have become quite the favorite among various botnets. For\r\nexample, DDG, a botnet discovered last year, which is still alive today, has targeted OrientDB servers in the past with\r\ncryptocurrency-mining malware.\r\nIn fact, it appears that HNS operators might have learned something from the DDG crew because Netlab says HNS has also\r\nstarted dropping a coinminer payload on some of the infected systems.\r\nFortunately, for the time being, it appears that these deployments have all failed, as the additional coinminer payload failed\r\nto start and generate funds for the HNS operators.\r\nBut if they manage to get it up and running, they'll be in for some profits, as the DDG gang collected well over $1 million\r\nfrom their coinmining last year.\r\nThe Netlab team has published an in-depth analysis of the changes in HNS compared to its previous variant spotted back in\r\nJanuary.\r\nhttps://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/\r\nhttps://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/"
	],
	"report_names": [
		"hns-evolves-from-iot-to-cross-platform-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23d3e543a9214283cb8a00a940c6cc43d2c60dc2.pdf",
		"text": "https://archive.orkl.eu/23d3e543a9214283cb8a00a940c6cc43d2c60dc2.txt",
		"img": "https://archive.orkl.eu/23d3e543a9214283cb8a00a940c6cc43d2c60dc2.jpg"
	}
}