{
	"id": "f031b478-6c4d-4ed6-97c1-c5afe21257eb",
	"created_at": "2026-04-06T00:09:37.939659Z",
	"updated_at": "2026-04-10T03:20:37.234992Z",
	"deleted_at": null,
	"sha1_hash": "3e2ee82cde0c0e437e0f4233dd715904ecf0721e",
	"title": "New Roboto botnet emerges targeting Linux servers running Webmin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 829063,
	"plain_text": "New Roboto botnet emerges targeting Linux servers running Webmin\r\nBy Catalin Cimpanu, Contributor, Nov. 20, 2019 at 8:51 a.m. PT\r\nArchived: 2026-04-05 16:47:34 UTC\r\nA cybercrime group is enslaving Linux servers running vulnerable Webmin apps into a new botnet that security researchers are currently tracking under the name of Roboto.\r\nThe botnet's appearance dates back to this summer and is linked to the disclosure of a major security flaw in a web app installed on more than 215,000 servers -- which is the perfect cannon fodder to build a botnet on top of.\r\nBack in August, the team behind Webmin, a web-based remote management app for Linux systems, disclosed and patched a vulnerability that allowed attackers to run malicious code with root privileges and take over older Webmin versions.\r\nBecause of the security flaw's easy exploitation and the vast number of vulnerable systems, attacks against Webmin installs began days after the vulnerability was disclosed.\r\nThe new Roboto botnet\r\nIn a report published today [Chinese, English], the Netlab team at Chinese cyber-security vendor Qihoo 360 said that one of those early attackers was a new botnet they are currently tracking under the name of Roboto.\r\nFor the past three months, this botnet has continued to target Webmin servers.\r\nhttps://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin\r\nPer the research team, the botnet's primary focus seems to have been expansion, with the botnet growing in size, but also in code complexity.\r\nCurrently, the botnet's main feature appears to be a DDoS capability. On the other hand, while the DDoS capability is in the code, Netlab says they've never seen the botnet conduct any DDoS attacks, and the botnet operators seem to have been primarily focused over the past months on growing the botnet in size.\r\nAccording to Netlab, the DDoS feature could launch attacks via vectors such as ICMP, HTTP, TCP, and UDP. But besides DDoS attacks, the Roboto bot that's installed on hacked Linux systems (via the Webmin flaw) can also:\r\nFunction as a reverse shell and let the attacker run shell commands on the infected host\r\nCollect system, process, and network info from the infected server\r\nUpload collected data to a remote server\r\nRun Linux system() commands\r\nExecute a file downloaded from a remote URL\r\nUninstall itself\r\nAnother rare P2P botnet\r\nBut there's nothing special in the above features, as many other IoT/DDoS botnets come with similar functions -- considered basic features of any modern botnet infrastructure.\r\nThe thing that's unique to Roboto is, however, its internal structure. Bots are organized in a peer-to-peer (P2P) network and relay the commands they receive from a central command and control (C\u0026C) server to one another, rather than each bot connecting to the main C\u0026C.\r\nPer Netlab, most bots are zombies, relaying commands, but some are also selected to prop up the P2P network or work as scanners to search for other vulnerable Webmin systems, to expand the botnet further.\r\nImage: Netlab\r\nThe P2P structure is of note because P2P-based communications are rarely seen in DDoS botnets, and the only ones known to use P2P are the Hajime [1, 2, 3, 4] and Hide'N'Seek botnets.\r\nIf the Roboto operators don't shut down the botnet on their own, taking it down will be a very hard task. Efforts to take down the Hajime botnet have failed in the past, and according to a source, the botnet is still going strong, with 40,000 infected bots on a daily average, and sometimes peaking at 95,000.\r\nWhether Roboto will ever reach that size remains to be determined, but the botnet is not larger than Hajime, according to sources.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin"
	],
	"report_names": [
		"new-roboto-botnet-emerges-targeting-linux-servers-running-webmin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434177,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e2ee82cde0c0e437e0f4233dd715904ecf0721e.pdf",
		"text": "https://archive.orkl.eu/3e2ee82cde0c0e437e0f4233dd715904ecf0721e.txt",
		"img": "https://archive.orkl.eu/3e2ee82cde0c0e437e0f4233dd715904ecf0721e.jpg"
	}
}