{
	"id": "3d800cd9-5542-4eb5-ae7c-e4eb209c36f2",
	"created_at": "2026-04-06T00:09:58.353349Z",
	"updated_at": "2026-04-10T03:25:15.77303Z",
	"deleted_at": null,
	"sha1_hash": "3671db425bb0be5d5af2adb76d1c69e95268cecd",
	"title": "Enemybot: A Look into Keksec's Latest DDoS Botnet | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1616979,
	"plain_text": "Enemybot: A Look into Keksec's Latest DDoS Botnet | FortiGuard\r\nLabs\r\nPublished: 2022-04-12 · Archived: 2026-04-05 17:26:48 UTC\r\nIn mid-March, FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to\r\nKeksec, a threat group that specializes in cryptomining and DDoS attacks.\r\nThis botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from\r\nMirai’s original source code.\r\nIt uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets.\r\nFurthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its\r\ntakedown more complicated.\r\nEnemybot has been seen targeting routers from Seowon Intech and D-Link, and it exploits a recently reported iRZ\r\nrouter vulnerability to infect more devices.\r\nThis blog details how this malware leverages these vulnerabilities and the commands it can execute once inside an\r\ninfected device.\r\nAffected Platforms: Linux\r\nImpacted Users: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: Critical\r\nEnemybot by Keksec\r\nOne of the first things Enemybot does is drop a file at /tmp/.pwned containing a message that attributes itself to\r\nKeksec. In earlier samples, this message was stored as cleartext. Only a few days later, a new sample was released\r\nwith the message encoded with an XOR operation using a multi-byte key. 
This suggests that this malware is\r\nbeing actively developed.\r\nA sample, SHA256: fec09b614d67e8933e2c09671e042ce74b40048b5f0feed49ba81a2c18d4f473, captured on\r\nMarch 24, 2022, has the message in cleartext:\r\n“ENEMEYBOT V3.1-ALCAPONE  hail KEKSEC”\r\nA sample from March 28, 2022, SHA256:\r\n93706966361922b493d816fa6ee1347c90de49b6d59fc01c033abdd6549ac8b9, encodes the message with an XOR\r\noperation using a multi-byte key.\r\nUpon decoding, the message has also been changed to:\r\nhttps://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet\r\nPage 1 of 12\n\n“ENEMEYBOT V3.1-ALCAPONE - hail KEKSEC, ALSO U GOT haCkED MY [REDACTED] (Your device\r\nliterally has the security of a [shitty device] / [smart doorbell])”\r\nFigure 1: Code snippet from decoding .pwned message\r\nSubsequently, FortiGuard Labs researchers discovered newer samples that reverted to the cleartext versions of the\r\n/tmp/.pwned message, which might suggest the possibility of multiple developers working with different versions\r\nof the codebase or having different programming habits.\r\nKeksec is known for operating multiple botnets, some of which are based on Gafgyt (a.k.a. Bashlite). Gafgyt is a\r\nDDoS botnet whose source code was leaked way back in 2015.\r\nIn the case of Enemybot, although it is mainly based on Gafgyt, it was observed that some of its modules are\r\nclearly borrowed from Mirai’s source code. One of these is Enemybot’s scanner module, as shown in the\r\nscreenshots below.\r\nFigure 2: Obvious code similarities between Mirai and Enemybot’s scanner modules\r\nAnother module shared with Mirai is the bot killer module, which searches for any running processes started\r\nfrom certain file paths or with specific keywords in their process memory. 
It then terminates these processes.\r\nEnemybot enhances the original Mirai code with over sixty keywords to identify and kill off any competitors\r\nrunning on the same devices.\r\nWhile researching this botnet, FortiGuard Labs observed that Enemybot shares several similarities with\r\nGafgyt_tor previously reported by other researchers, and assessed that Enemybot is likely an updated and\r\n“rebranded” variant of Gafgyt_tor.\r\nTechnical Details\r\nInfects Multiple Architectures\r\nLike most botnets, this malware infects multiple architectures to increase its chances of infecting more devices. In\r\naddition to IoT devices, Enemybot also targets desktop/server architectures such as BSD, including Darwin\r\n(macOS), and x64.\r\nEnemybot targets the following architectures:\r\narm\r\narm5\r\narm64\r\narm7\r\nbsd\r\ndarwin\r\ni586\r\ni686\r\nm68k\r\nmips\r\nmpsl\r\nppc\r\nppc-440fp\r\nsh4\r\nspc\r\nx64\r\nx86\r\nEnemybot’s download server was previously misconfigured and displayed a list of ELF binaries for different\r\narchitectures (Figure 3). The threat actors had fixed this at the time of writing.\r\nFigure 3: Open directory of Enemybot’s download server\r\nObfuscation\r\nEnemybot obfuscates strings in a variety of ways:\r\nC2 domain uses XOR encoding with a multi-byte key\r\nCredentials for SSH brute-forcing and bot killer keywords use Mirai-style encoding, i.e., single-byte\r\nXOR encoding with 0x22\r\nCommands are encrypted with a substitution cipher, i.e., swapping one character for another\r\nSome strings are encoded by just adding three to the numeric value of each character\r\nWhile these obfuscation techniques are simplistic, they are sufficient to hide tell-tale indicators of its presence\r\nfrom casual analysis and other botnets. 
Most IoT botnets, including Enemybot, are known for searching for such\r\nindicators to terminate other botnets running on the same device.\r\nInfecting More Devices\r\nIn terms of spreading, Enemybot uses several methods that have also been observed in other IoT botnet\r\ncampaigns.\r\nOne way is using a list of hardcoded username/password combinations to log in to devices configured with weak\r\nor default credentials. This is another module that was copied from Mirai’s source code.\r\nThis malware also tries to run shell commands to infect misconfigured Android devices that expose the Android\r\nDebug Bridge port (5555).\r\nThe last method is to target devices with specific vulnerabilities as listed below:\r\nCVE-2020-17456 is a vulnerability that targets SEOWON INTECH SLC-130 and SLR-120S routers.\r\nMalicious commands can be injected into the pingIPAddr parameter (Figure 4).\r\nFigure 4: CVE-2020-17456 exploit request\r\nAnother vulnerability (no CVE assigned) targets the Seowon SLC-130 router. This is similar to the\r\nprevious exploit, only this time the command can be injected into the vulnerable queriesCnt parameter. The\r\nimplementation was likely based on publicly available exploit code.\r\nFigure 5: Another exploit targeting Seowon SLC-130 router\r\nCVE-2018-10823 is an older D-Link router vulnerability that allows an authenticated user to execute a\r\nmalicious command by injecting it into the Sip parameter of the chkisg.htm page (Figure 6). The following devices are\r\naffected by this vulnerability.\r\nDWR-116 through 1.06\r\nDWR-512 through 2.02\r\nDWR-712 through 2.02\r\nDWR-912 through 2.02\r\nDWR-921 through 2.02\r\nDWR-111 through 1.01\r\nD-Link provided updated firmware for some of the above-mentioned devices. 
It’s recommended to check and\r\nupdate these devices if they still have vulnerable versions.\r\nFigure 6: CVE-2018-10823 exploit request\r\nCVE-2022-27226 is a recent vulnerability in iRZ mobile routers that was exploited by Enemybot shortly\r\nafter it was published on March 19, 2022. In fact, this is the first botnet observed by FortiGuard Labs to\r\ntarget devices from this vendor.\r\nThis vulnerability allows an attacker to execute a command by adding a crontab entry on the infected device via\r\nthe /api/crontab endpoint (Figure 7).\r\nFigure 7: CVE-2022-27226 exploit request\r\nDuring the past few weeks, FortiGuard Labs researchers also observed different samples adding and removing\r\nexploits. The list of exploits seen in use by Enemybot for propagation is as follows:\r\nCVE-2022-25075 to 25084: Targets TOTOLINK routers, previously exploited by the Beastmode botnet\r\nCVE-2021-44228/2021-45046: Better known as Log4j; more details are available on our Fortinet PSIRT\r\nblog\r\nCVE-2021-41773/CVE-2021-42013: Targets Apache HTTP servers\r\nCVE-2018-20062: Targets ThinkPHP CMS\r\nCVE-2017-18368: Targets Zyxel P660HN routers\r\nCVE-2016-6277: Targets NETGEAR routers\r\nCVE-2015-2051: Targets D-Link routers\r\nCVE-2014-9118: Targets Zhone routers\r\nNETGEAR DGN1000 exploit (No CVE assigned): Targets NETGEAR routers\r\nThis mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide\r\nrange of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond\r\nlow-resource IoT devices for more than just DDoS attacks. 
Based on their previous botnet operations, using them\r\nfor cryptomining is a big possibility.\r\nAfter a successful exploit, a shell command is executed to download another shell script from a URL. In most\r\ncases, particularly in Mirai-based botnets, this URL is hardcoded. In the case of Enemybot, however, this URL is\r\ndynamically updated by the C2 server via the command LDSERVER. The clear advantage of this method is that\r\nwhen the download server is down for whatever reason, the botnet operators can just update the bot clients with a\r\nnew URL.\r\nThe shell script update.sh then downloads the actual Enemybot binaries compiled for every architecture it targets\r\nand executes them.\r\nFigure 8: Code snippet from update.sh\r\nCommands and DDoS capabilities\r\nOnce the bot gets installed on a victim’s device, it connects to its C2 server and waits for further commands. The\r\nC2 server hides in the Tor network and the bot tries to access the server using a hardcoded list of SOCKS proxy\r\nIPs.\r\nThis bot supports several commands listed in the following table.\r\nConclusion\r\nBased on the analysis of FortiGuard Labs, Enemybot is Keksec’s latest tool for performing DDoS attacks.\r\nTo protect itself, it uses simple obfuscation techniques on its strings as well as hosting its C2 server in the Tor\r\nnetwork, taking advantage of the network’s anonymity. 
It uses several techniques commonly found in other DDoS\r\nbotnet malware to infect other devices.\r\nSeeing how this malware has undergone changes during the research for this article, we expect that more updated\r\nversions will be distributed in the wild soon.\r\nFortiGuard Labs will keep monitoring this botnet.\r\nFortinet Protections\r\nFortinet customers are protected by the following:\r\nThe FortiGuard Antivirus service detects and blocks this threat as ELF/Gafgyt, Linux/Gafgyt, and\r\nLinux/Mirai\r\nFortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerabilities:\r\nCVE-2022-27226 - iRZ.Mobile.Router.API.crontab.AUTH.Remote.Code.Execution\r\nCVE-2021-44228/2021-45046 - Apache.Log4j.Error.Log.Remote.Code.Execution\r\nCVE-2021-41773/CVE-2021-42013 - Apache.HTTP.Server.cgi-bin.Path.Traversal\r\nCVE-2020-17456 - Seowon.Intech.Routers.system_log.CGI.Command.Injection\r\nSeowon SLC-130 Vulnerability RCE (vulnerable “queriesCnt” parameter) -\r\nSeowon.Intech.Routers.Unauthenticated.Remote.Code.Execution\r\nCVE-2018-20062 - ThinkPHP.Controller.Parameter.Remote.Code.Execution\r\nCVE-2018-10823 - D-Link.DWR.CVE-2018-10823.Remote.Code.Execution\r\nCVE-2017-18368 - TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection\r\nCVE-2016-6277 - NETGEAR.WebServer.Module.Command.Injection\r\nCVE-2015-2051 - D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution\r\nNetgear DGN1000 exploit (No CVE) -\r\nNETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution\r\nThe FortiGuard Web Filtering Service blocks the download URLs.\r\nFortiGuard IP Reputation \u0026 Anti-Botnet Security Service proactively blocks these attacks by aggregating\r\nmalicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative\r\ncompetitors, and other global sources that collaborate to provide up-to-date threat 
intelligence about hostile\r\nsources.\r\nFortiGuard Application Control Service provides organizations the capability to monitor or block access to\r\nmalicious, risky, or unwanted applications. Customers without specific business requirements for Tor can refer to\r\nthese Fortinet Technical Tips for blocking inbound and outbound Tor traffic using the Application Control Service.\r\nIOCs\r\nFiles\r\nDownload URLs\r\nC2\r\nxfrvkmokgfb2pajafphw3upl6gq2uurde7de7iexw4aajvslnsmev5id[.]onion (Tor network)\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: 
https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet"
	],
	"report_names": [
		"enemybot-a-look-into-keksecs-latest-ddos-botnet"
	],
	"threat_actors": [
		{
			"id": "5a270f6c-2c13-4abf-861e-7d44dcfa5ceb",
			"created_at": "2023-11-03T02:00:07.794425Z",
			"updated_at": "2026-04-10T02:00:03.383096Z",
			"deleted_at": null,
			"main_name": "Keksec",
			"aliases": [],
			"source_name": "MISPGALAXY:Keksec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434198,
	"ts_updated_at": 1775791515,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3671db425bb0be5d5af2adb76d1c69e95268cecd.pdf",
		"text": "https://archive.orkl.eu/3671db425bb0be5d5af2adb76d1c69e95268cecd.txt",
		"img": "https://archive.orkl.eu/3671db425bb0be5d5af2adb76d1c69e95268cecd.jpg"
	}
}