{
	"id": "9248cccc-24ea-44ae-9d4d-20f0ec44c1ee",
	"created_at": "2026-04-06T01:31:54.407897Z",
	"updated_at": "2026-04-10T03:20:47.002716Z",
	"deleted_at": null,
	"sha1_hash": "372bab8d5406139ffb7e0d38f75510ec59aead1d",
	"title": "\"Hide and Seek\" Becomes First IoT Botnet Capable of Surviving Device Reboots",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1325011,
	"plain_text": "\"Hide and Seek\" Becomes First IoT Botnet Capable of Surviving Device\r\nReboots\r\nBy Catalin Cimpanu\r\nPublished: 2018-05-08 · Archived: 2026-04-06 01:07:59 UTC\r\nSecurity researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on\r\ninfected devices after the initial compromise.\r\nThis is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could\r\nalways remove IoT malware from their smart devices, modems, and routers by resetting the device.\r\nThe reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT\r\nmalware strains.\r\nhttps://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"Hide and Seek\" malware copies itself to /etc/init.d/\r\nBut today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies\r\nitself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT\r\ndevices.\r\nBy placing itself in this menu, the device's OS will automatically start the malware's process after the next reboot.\r\nThe malware strain that achieved something that even the Mirai strain couldn't is called Hide and Seek (HNS) —also spelled\r\nHide 'N Seek.\r\nHNS botnet has evolved considerably in the past few months\r\nBitdefender experts first spotted the HNS malware and its adjacent botnet in early January, this year, and the botnet grew to\r\naround 32,000 bots by the end of the same month. 
Experts say HNS has infected 90,000 unique devices from the time of\r\ndiscovery until today.\r\nCrooks used two exploits to create their initial botnet, which was unique from other IoT botnets active today because it used\r\na custom P2P protocol to control infected systems.\r\nNow, experts have found new HNS versions that have added support not only for two other exploits [1, 2] but also for brute-force operations.\r\nWhat this means is that HNS infected devices will scan for other devices that have an exposed Telnet port and attempt to log\r\ninto that device using a list of preset credentials.\r\nResearchers say that HNS authors have also had time to fine-tune this brute-forcing scheme, as the malware can identify at\r\nleast two types of devices and attempt to log into those systems using their factory default credentials, instead of blindly\r\nguessing passwords.\r\nFurthermore, the HNS codebase also received updates, and the bot now has ten different binaries for ten different device\r\narchitectures.\r\nNot all HNS bots are boot persistent\r\nBut HNS is not capable of gaining boot permission on all infected devices. According to Bitdefender senior e-threat analyst\r\nBogdan Botezatu, \"in order to achieve persistence, the infection must take place via Telnet, as root privileges are required to\r\ncopy the binary to the init.d directory.\"\r\nThe security expert also adds that the HNS botnet is still a work-in-progress, and the malware still doesn't support launching\r\nDDoS attacks.\r\nNonetheless, the functions to steal data and execute code on infected devices are still there, which means the botnet supports\r\na plugin/module system and could be expanded at any point with any type of malicious code.\r\nSource: https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/"
	],
	"report_names": [
		"hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots"
	],
	"threat_actors": [],
	"ts_created_at": 1775439114,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/372bab8d5406139ffb7e0d38f75510ec59aead1d.pdf",
		"text": "https://archive.orkl.eu/372bab8d5406139ffb7e0d38f75510ec59aead1d.txt",
		"img": "https://archive.orkl.eu/372bab8d5406139ffb7e0d38f75510ec59aead1d.jpg"
	}
}