{
	"id": "4f955618-32a3-41d3-beb4-212e64f2f220",
	"created_at": "2026-04-06T00:15:06.131504Z",
	"updated_at": "2026-04-10T03:23:51.70782Z",
	"deleted_at": null,
	"sha1_hash": "3316ce3ff1fbe6c43e80a2ce40a4be1276cef740",
	"title": "A New IoT Botnet Storm is Coming - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46076,
	"plain_text": "A New IoT Botnet Storm is Coming - Check Point Research\r\nBy deugenio\r\nPublished: 2017-10-19 · Archived: 2026-04-05 18:37:42 UTC\r\nKey Points:\r\nA massive Botnet is forming to create a cyber-storm that could take down the internet.\r\nAn estimated million organizations have already been scanned with an unknown amount actually infected.\r\nThe Botnet is recruiting IoT devices such as IP Wireless Cameras to carry out the attack.\r\nNew cyber-storm clouds are gathering. Check Point Researchers have discovered a brand new Botnet, dubbed\r\n‘IoTroop’, evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai\r\nbotnet of 2016.\r\nIoT Botnets are Internet connected smart devices which have been infected by the same malware and are\r\ncontrolled by a threat actor from a remote location. They have been behind some of the most damaging\r\ncyberattacks against organizations worldwide, including hospitals, national transport links, communication\r\ncompanies and political movements.\r\nWhile some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far\r\nmore sophisticated campaign that is rapidly spreading worldwide. It is too early to guess the intentions of the\r\nthreat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that\r\norganizations make proper preparations and defense mechanisms are put in place before an attack strikes.\r\nOminous signs were first picked up via Check Point’s Intrusion Prevention System (IPS) in the last few days of\r\nSeptember. 
An increasing number of attempts were being made by hackers to exploit a combination of\r\nvulnerabilities found in various IoT devices.\r\nWith each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP\r\nCamera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and\r\nothers. It soon became apparent that the attempted attacks were coming from many different sources and a variety\r\nof IoT devices, meaning the attack was being spread by the IoT devices themselves.\r\nIoT Botnet Trend of Attacking IP Addresses\r\nSo far we estimate over a million organizations have already been scanned worldwide, including the US, Australia\r\nand everywhere in between, and the number is only increasing.\r\nOur research suggests we are now experiencing the calm before an even more powerful storm. The next cyber\r\nhurricane is about to come.\r\nResearch Background\r\nhttps://research.checkpoint.com/new-iot-botnet-storm-coming/\r\nPage 1 of 4\n\nCreating networks of infected devices is not a quick task for an attacker. In order to establish an effective Botnet,\r\nthe attacker needs to be able to control a vast number of devices. As sending the malicious code to each device\r\nindividually would be a large and time consuming task, it is much easier to have each infected device spreading\r\nthe malicious code to other similar devices themselves. This method of attack is considered a propagation attack,\r\nand is essential in quickly creating a large network of controlled devices.\r\nOur research began at the end of September ‘17 after noticing an increase in attempts to penetrate our IoT IPS\r\nprotections. 
Following this suspicious activity, we soon realized we were witnessing the recruitment stages of a\r\nvast IoT Botnet.\r\nAnalyzing A Node In The Chain\r\nWith the Check Point Global Threat Map showing a large number of hits on our IoT IPS protections, our team\r\nstarted to look into some of the attack sources in order to get a better picture of what was going on. Below is an\r\nanalysis of one of these devices.\r\nGoAhead Map\r\nFrom looking at this site, we can gather that this specific IP (blurred above) belongs to a GoAhead camera with an\r\nopen Port 81 running over TCP. This is just one example of an infected device type. There are many others – e.g.\r\nD-Link, NETGEAR and TP-Link devices to name a few.\r\nOn further inspection, the System.ini file (shown below) of the device at this IP was accessed to check for\r\ncompromise. On a normal machine, this file would contain the credentials of the user. What was found on this\r\ndevice, however, was an edited version with a ‘Netcat’ command which opened a reverse shell to the attack’s IP.\r\nThis tells us that this machine was merely one link in the chain and that it was both infected and then also\r\ntransmitting the infection. In this case the ‘CVE-2017-8225’ vulnerability was used to penetrate the GoAhead\r\ndevice and, after infecting a target machine, that same target started to look for other devices to infect.\r\nInfected Targets\r\nUpon further research, it was found that numerous devices were both being targeted and later sending out the\r\ninfection. These attacks were coming from many different types of devices and many different countries, totaling\r\napproximately 60% of the corporate networks which are part of the ThreatCloud global network.\r\nThreatCloud Global Network\r\nTo conclude, in the last few days a new botnet has been evolving. 
While some technical aspects lead us to suspect\r\na possible connection to the Mirai botnet, this is an entirely new campaign rapidly spreading throughout the globe.\r\nIt is too early to assess the intentions of the threat actors behind it, but it is vital to have the proper preparations\r\nand defense mechanisms in place before an attack strikes.\r\nIPS Coverage\r\nWhile this may be an emerging threat of millions of attacks being conducted, the methods of infection are already\r\nbeing prevented by Check Point IPS. The vulnerability listed has been covered, and devices are currently being\r\nmonitored for new variants. The table below outlines the IoT protections released by IPS that are related and\r\npotentially related to this attack.\r\nVendor | Protection Name | Seen in the Context of the current Attack?\r\nGoAhead | Wireless IP Camera (P2P) WIFICAM Cameras Information Disclosure | +\r\nGoAhead | Wireless IP Camera (P2P) WIFICAM Cameras Remote Code Execution | +\r\nD-Link | D-Link 850L Router Remote Code Execution | +\r\nD-Link | D-Link DIR800 Series Router Remote Code Execution | +\r\nD-Link | D-Link DIR800 Series Router Information Disclosure | +\r\nD-Link | D-Link 850L Router Remote Unauthenticated Information Disclosure | +\r\nD-Link | D-Link 850L Router Cookie Overflow Remote Code Execution | +\r\nD-Link | Dlink IP Camera Video Stream Authentication Bypass – Ver2 | +\r\nD-Link | Dlink IP Camera Luminance Information Disclosure – Ver2 | +\r\nD-Link | D-Link DIR-600/300 Router Unauthenticated Remote Command Execution | +\r\nD-Link | Dlink IP Camera Authenticated Arbitrary Command Execution – Ver2 | –\r\nTP-Link | TP-Link Wireless Lite N Access Point Directory Traversal | –\r\nTP-Link | TP-LINK WR1043N Multiple Cross-Site Request Forgery | –\r\nNETGEAR | Netgear DGN Unauthenticated Command Execution | +\r\nNETGEAR | Netgear ReadyNAS Remote Command Execution | +\r\nNETGEAR | Netgear DGN2200 dnslookup.cgi Command Injection | –\r\nNETGEAR | Netgear ProSAFE NMS300 fileUpload.do Arbitrary File Upload | –\r\nNETGEAR | NETGEAR Routers Authentication Bypass | –\r\nNETGEAR | NETGEAR ReadyNAS np_handler Code Execution | –\r\nNETGEAR | Netgear R7000 and R6400 cgi-bin Command Injection | –\r\nAVTECH | AVTECH Devices Multiple Vulnerabilities | +\r\nMikroTik | MikroTik RouterOS SNMP Security Bypass | –\r\nMikroTik | MikroTik RouterOS Admin Password Change | –\r\nMikroTik | Mikrotik Router Remote Denial Of Service | –\r\nLinksys | Belkin Linksys WRT110 Remote Command Execution – Ver2 | –\r\nLinksys | Linksys WRH54G HTTP Management Interface DoS Code Execution – Ver2 | –\r\nLinksys | Belkin Linksys WRT110 Remote Command Execution | –\r\nLinksys | Belkin Linksys Multiple Products Directory Traversal | –\r\nLinksys | Belkin Linksys E1500/E2500 Remote Command Execution | +\r\nLinksys | Cisco Linksys PlayerPT ActiveX Control Buffer Overflow | –\r\nLinksys | Cisco Linksys PlayerPT ActiveX Control SetSource sURL Argument Buffer Overflow | –\r\nSynology | Synology DiskStation Manager SLICEUPLOAD Code Execution | –\r\nLinux | Linux System Files Information Disclosure | +\r\nSource: https://research.checkpoint.com/new-iot-botnet-storm-coming/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/new-iot-botnet-storm-coming/"
	],
	"report_names": [
		"new-iot-botnet-storm-coming"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3316ce3ff1fbe6c43e80a2ce40a4be1276cef740.pdf",
		"text": "https://archive.orkl.eu/3316ce3ff1fbe6c43e80a2ce40a4be1276cef740.txt",
		"img": "https://archive.orkl.eu/3316ce3ff1fbe6c43e80a2ce40a4be1276cef740.jpg"
	}
}