{
	"id": "49238456-11f2-46e9-b67a-9a27e7c396c9",
	"created_at": "2026-04-06T00:17:23.417056Z",
	"updated_at": "2026-04-10T13:11:24.909823Z",
	"deleted_at": null,
	"sha1_hash": "37725bb1b10d398475167caefbd11010b47afa8c",
	"title": "Brief technical analysis of the \"Gorilla\" botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62156,
	"plain_text": "Brief technical analysis of the \"Gorilla\" botnet\r\nBy Federal Department of Defence, Civil Protection and Sport DDPS\r\nArchived: 2026-04-02 10:38:55 UTC\r\n10.10.2024 - In September 2024, the NCSC recorded an increase in DDoS attacks carried out by a botnet\r\ncalled \"Gorilla\". This is a \"DDoS-as-a-service\" service offered on Telegram, which can be rented for a\r\nfee. As an operator of a critical infrastructure in Switzerland was affected by such DDoS attacks, the NCSC\r\nhas published the technical findings in a short report.\r\nLast September, the NCSC received a report from a national critical infrastructure operator about an overload\r\nattack (a so-called \"DDoS\" attack) against its infrastructure. The technical analysis carried out together with the\r\ncritical infrastructure showed that the DDoS attack was presumably carried out by a \"DDoS-as-a-service\" service,\r\nwhich is offered on the Telegram channel under the name \"Gorilla Services\", among others. The NCSC was able\r\nto identify the infrastructure used by the attackers and initiate appropriate defence measures. In addition, the\r\nTelegram channel of \"Gorilla Services\" was shut down by means of a complaint sent to Telegram.\r\nThe technical report sheds light on the infrastructure used by the \"Gorilla\" botnet and the malware used by the\r\nattackers. The malware has code similarities to \"Mirai\" and infects devices with a Linux/Unix operating\r\nsystem. The malware receives attack commands from a central botnet command \u0026 control server and executes\r\nthem accordingly.\r\nThe DDoS attacks against Swiss infrastructures were DNS amplification attacks. In these attacks, extremely large\r\ndata streams are directed at the victim's infrastructure by misusing the Domain Name System (DNS), thereby\r\noverloading it. While the attacks led to short interruptions of some services, the security and integrity of data was\r\nnot at risk at any time.\r\nSource: https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/gorilla_bericht.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/gorilla_bericht.html"
	],
	"report_names": [
		"gorilla_bericht.html"
	],
	"threat_actors": [
		{
			"id": "f87ef0bf-0574-492f-aebc-63e5953938e2",
			"created_at": "2024-11-23T02:00:04.116692Z",
			"updated_at": "2026-04-10T02:00:03.779803Z",
			"deleted_at": null,
			"main_name": "Gorilla",
			"aliases": [],
			"source_name": "MISPGALAXY:Gorilla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37725bb1b10d398475167caefbd11010b47afa8c.pdf",
		"text": "https://archive.orkl.eu/37725bb1b10d398475167caefbd11010b47afa8c.txt",
		"img": "https://archive.orkl.eu/37725bb1b10d398475167caefbd11010b47afa8c.jpg"
	}
}