{
	"id": "4ea6f91d-00eb-471d-9784-4cabc726364d",
	"created_at": "2026-04-10T03:20:37.232814Z",
	"updated_at": "2026-04-10T03:22:18.060152Z",
	"deleted_at": null,
	"sha1_hash": "814a11d389faf5fcd2ea29f85179173f5a69dd2d",
	"title": "An Update for a Very Active DDoS Botnet: Moobot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 417543,
	"plain_text": "An Update for a Very Active DDoS Botnet: Moobot\r\nBy Hui Wang\r\nPublished: 2020-07-09 · Archived: 2026-04-10 03:07:21 UTC\r\nMoobot is a Mirai-based botnet, spread through weak Telnet passwords and some n-day and 0-day vulnerabilities.\r\nOverview\r\nMoobot is a Mirai-based botnet. We first discovered its activity in July 2019. Here is our log about it[0]. Ever since then, its sample updates, DDoS attacks and other activities have never stopped. Recently we saw it participate in some very high-profile DDoS attacks, and we were asked quite a few times in the security community which botnet is behind the attacks, so here are some more details.\r\nSample dissemination\r\nMoobot samples are mainly spread through weak Telnet passwords and some n-day and 0-day [1][2] vulnerabilities. The vulnerabilities we observed Moobot using are as follows:\r\nVulnerability | Affected device\r\nHiSilicon DVR/NVR Backdoor | Firmware for Xiongmai-based DVRs, NVRs and IP cameras\r\nCVE-2020-8515 | DrayTek Vigor router\r\nJAWS Webserver unauthenticated shell command execution | MVPower DVR\r\nLILIN DVR | LILIN DVRs\r\nGPON Router RCE | Netlink GPON Router 1.0.11\r\nTVT OEM API RCE | TVT Digital Technology Co. Ltd \u0026 OEM {DVR/NVR/IPC} API RCE\r\nThinkPHP 5.0.23/5.1.31 RCE | (not listed)\r\nAndroid Debug Bridge Remote Payload Execution | (not listed)\r\nAVTECH Devices Multiple Vulnerabilities | AVTECH IP Camera / NVR / DVR Devices\r\nCVE-2017-17215 | Huawei Router HG532\r\nNetcore Router UDP 53413 Backdoor | Netcore Router\r\nCVE-2014-8361 | Devices using the Realtek SDK\r\nCVE-2020-5722 | Grandstream UCM6202\r\nCVE-2017-8225 | The Wireless IP Camera (P2P) WIFICAM\r\nDVRIP backdoor | (not listed)\r\nSample analysis\r\nIn the previous article, we introduced many variants of Moobot. We believe that its author is more inclined to develop and use new methods than to simply change C2. The authors of Moobot have made many attempts at the sample binary level \u0026 network traffic level. Generally, samples used multiple combinations of the following methods to make the job difficult for security researchers:\r\nUse DNS TXT records to carry C2 / manually construct DNS TXT requests\r\nPacking with a new UPX magic number\r\nHide sensitive resources using a code-table-replacement encryption method\r\nUse SOCKS proxy, Tor proxy\r\nSince Jan 2020, another variant, which we call Moobot_xor, became active. Moobot_xor doesn't adopt the methods mentioned above, but only modifies the registration message. Maybe the author of Moobot has found that only one such simple modification, together with constant replacement of the C2, is enough to achieve very good results during an operation lasting up to 1 year, so there is no need to invest in new technology research.\r\nSample information\r\nMD5: 98c8326b28163fdaeeb0b056f940ed72\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped\r\nPacker: None\r\nLib: uclibc\r\nVerdict: Moobot_xor\r\nMoobot_xor is very close to Mirai, so we are not going to cover things folks already know. We will only introduce Moobot_xor’s encryption method and communication protocol: understanding the encryption method will help extract the bot's configuration information, and knowing the communication protocol should facilitate tracking the C2 to obtain the attack instructions. We hope that these contents can help the community better fight the Moobot family.\r\nEncryption method\r\nMoobot_xor uses Mirai's classic XOR encryption and decryption method; the key is 0DEADBEEFh.\r\nCommunication protocol\r\nMoobot_xor has made some minor modifications on the basis of the Mirai communication protocol. Let’s look at a few of them here.\r\nRegistration packet\r\nmsg parsing\r\n----------------------------------------------------------------\r\n33 66 99 -----\u003e hardcoded magic\r\n06 -----\u003e group string length\r\n67 6c 61 69 76 65 -----\u003e group string, here it is \"glaive\"\r\nHeartbeat packet\r\nmsg parsing\r\n----------------------------------------------------------------\r\n00 00 -----\u003e hardcoded msg from bot\r\n00 00 -----\u003e hardcoded msg from c2\r\nAttack command\r\nmsg parsing\r\n----------------------------------------------------------------\r\nsimilar to Mirai\r\n01 -----\u003e number of targets\r\n77 a7 b5 cb 20 -----\u003e target/mask, 119.167.181.203/32\r\n02 -----\u003e number of flags\r\n00 -----\u003e flag type\r\n02 -----\u003e flag length\r\n32 30 -----\u003e flag data\r\n07 -----\u003e flag type\r\n02 -----\u003e flag length\r\n38 30 -----\u003e flag data\r\nMoobot DDoS activity\r\nSince we started tracking Moobot, its attack activity has never stopped. There are only a handful of C2s, but attack targets are all over the world, with about 100 targets per day.\r\nMoobot's target\r\nThe trend of Moobot's daily attack targets is shown in the figure below:\r\nIt can be seen from the above figure that Moobot's DDoS attack activity shows obvious anomalies from the end of March 2020 to the beginning of May 2020, when the daily attack target count of Moobot increased from a few hundred to nearly 20,000. When we took a close look, we found that Moobot's attack targets surged because Moobot attacked about 48k Brazilian IPs during this period. We don’t know the reason behind that. After taking Brazil out of the attack targets, Moobot's daily live attack targets are as follows, about 100 attack targets per day:\r\nMoobot attack target geographic location distribution\r\nMoobot's attack targets are all over the world. The geographical distribution of its attack targets is as follows:\r\nDomain names affected by Moobot attacks\r\nWe were able to confirm that Moobot has been behind some very high-profile DDoS attacks. We cannot disclose more detail here, but we had a tag cloud in our prior blog here[3].\r\nReaders are always welcome to reach us on Twitter, WeChat 360Netlab or by email to netlab at 360 dot cn.\r\nIOC\r\nC2\r\nSource: https://blog.netlab.360.com/ddos-botnet-moobot-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/ddos-botnet-moobot-en/"
	],
	"report_names": [
		"ddos-botnet-moobot-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775791237,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/814a11d389faf5fcd2ea29f85179173f5a69dd2d.pdf",
		"text": "https://archive.orkl.eu/814a11d389faf5fcd2ea29f85179173f5a69dd2d.txt",
		"img": "https://archive.orkl.eu/814a11d389faf5fcd2ea29f85179173f5a69dd2d.jpg"
	}
}