{
	"id": "c9d4f47b-c194-406f-8013-6068632013d3",
	"created_at": "2026-04-06T00:21:06.399467Z",
	"updated_at": "2026-04-10T03:24:17.040146Z",
	"deleted_at": null,
	"sha1_hash": "8b6af4f7e52b8f8e774c8d13e340b9e6e9ab62a4",
	"title": "Threat Alert: Mirai/Gafgyt Fork with New DDoS Modules Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87048,
	"plain_text": "Threat Alert: Mirai/Gafgyt Fork with New DDoS Modules Discovered\r\nBy Albert Zsigovits\r\nPublished: 2021-09-07 · Archived: 2026-04-05 13:16:38 UTC\r\nOn the 27th of August, we found evidence that an IoT device in one of our customer environments had accessed a malicious software sample. We investigated the sample and discovered that a Gafgyt fork has been updated and is now being distributed with two new Distributed Denial of Service (DDoS) modules to launch attacks against targeted machines.\r\nMirai and Gafgyt have been the go-to IoT malware in cybercrime circles for many years now: their variants have successfully infected millions of vulnerable IoT devices over the years. Since their source code has been released publicly, many threat actors use the Mirai or Gafgyt code as a malware skeleton and then retrofit it with their own improvements, creating their own special version of the botnet.\r\nIn this short threat alert, we detail the most important findings related to this new malicious campaign.\r\nOverview of the New Mirai/Gafgyt Fork\r\nTwo interesting entries in our logs started the investigation. Previously, we had not observed the name “Korpze” as a campaign tag. 
The set of numbers at the end of the filename suggests random keyboard typing with a reference to the l33t internet slang “1337”.\r\nDate: 27-08-2021 16:31 UTC\r\nURL: http://103[.]161[.]17[.]233/bins/Korpze1233121337[.]sparc\r\nDate: 27-08-2021 15:47 UTC\r\nURL: http://103[.]161[.]17[.]233/bins/Korpze1233121337[.]mpsl\r\nTechnical Details\r\nAll of the investigated malware samples had retained their debug information and symbols; their binaries had not been stripped, which, as we have observed, is standard with these campaigns, as malware operators do not pay much attention to operational security.\r\nFigure: Lack of stripping usually observed in immature campaigns\r\nOrigins of the New Botnet\r\nThere are two references in the binary to YakuzaBotnet and Scarface, the developer of a Mirai variant:\r\nhttps://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/\r\nPage 1 of 8\n\nYakuzaBotnet\r\nScarface1337Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS\r\nThis suggests that the base of this variant was most likely taken from the Yakuza botnet, a Mirai variant leaked to the public:\r\nhttps://github.com/m1lw0rm/Yakuza\r\nHow the Botnet Gains an Initial Foothold\r\nThe function telnet_scanner_init is in charge of establishing the initial foothold in vulnerable devices. It scans randomly generated IPs and tries to log in on port 23 (Telnet) with a list of pre-defined, hardcoded credentials.\r\nThese leaked credentials are the default credentials of many poorly secured IoT devices. 
Users are strongly advised to change these passwords once they purchase the following appliances:\r\nUsername Password Related appliance\r\nadmin admin –\r\nadmin smcadmin SMC routers\r\ndefault default –\r\nftp ftp –\r\nguest 12345 –\r\nguest guest –\r\nmg3500 merlin Camtron IP cameras\r\nroot calvin Dell DRAC/iLO\r\nroot cat1029 HiSilicon IP cameras/DVRs/NVRs\r\nroot gm8182 Grain Media DVR\r\nroot hi3518 HiSilicon IP cameras/DVRs/NVRs\r\nroot icatch99 Lilin DVR\r\nroot pon521 GPON module DFP-34G-2C2\r\nroot root –\r\nroot root621 SNR-ONU-EPON-1G\r\nroot xc3511 VTA-83170 DVR\r\nroot xmhdipc HiSilicon IP cameras/DVRs/NVRs\r\nroot vizxv Dahua IP cameras\r\ntelnetadmin telnetadmin –\r\nImportant Functions in this Mirai/Gafgyt Fork\r\nThe following table lists all attack modules that were present in the investigated sample. Besides the Telnet dictionary attack module, it uses many different DoS modules. 
Most of these have already been investigated by other researchers, but the last two modules are quite new:\r\nFunction entry Function name Description\r\n080490fe sendCNC CNC Botnet flood, resource starvation attack\r\n0804b096 sendDOMINATE DoS attack with random gibberish data\r\n0804b804 sendJUNK Send junk data as DoS attack\r\n0804b488 sendHTTP HTTP DoS server resource exhaustion attack\r\n0804b5c3 sendHTTPCloudflare Attacking a site protected by Cloudflare\r\n080491a0 sendSTD DoS attack with random strings\r\n08049861 sendSTDHEX DoS attack with random hexadecimal bytes\r\n08049e39 sendTCP TCP DoS attack with random TCP packet parameters\r\n0804939d vseattack1 DoS attack against servers running Valve’s Source Engine\r\n08049310 makevsepacket1 DoS attack against servers running Valve’s Source Engine\r\n080508d4 telnet_scanner_init Telnet scanner attacks random IPs with hardcoded creds\r\n0804fe00 add_auth Wrapper for adding credentials to the auth function\r\n0804fedd init_auth Initializing hardcoded credentials\r\n0804b6fb UDPBYPASS UDP DoS flood with hardcoded hex bytes\r\n0804a7bf UDPRAW UDP DoS flood with raw copied bytes\r\n0804aa43 ovhl7 HTTP DDoS attack on OVH servers with a specific payload\r\n0804c384 attacks_vector_openvpn_swak New\r\n0804bdd0 attacks_vector_wabba_jack New\r\nAttacks_vector modules\r\nThis is the first time these modules have been observed in Gafgyt variants. The name of the first one suggests a module to DoS OpenVPN servers. 
The name choice for the second one is curious, as it is the name of a famous modding tool for PC games like Skyrim.\r\nHowever, the two functions work similarly, building the UDP header via build_udp_header, then connecting to the target via socket_connect_raw_udp and launching the UDP flood.\r\nFigure: UDP Flood initialized in openvpn_swak function\r\nThe wabbajack function uses socket_connect_icmp to launch an ICMP flood at the target.\r\nFigure: ICMP Flood initiated in wabba_jack function\r\nSimilar Naming to PBot Modules\r\nRecently, CN-CERT released an article on a new, emerging P2P botnet called PBot. PBot consists of 6 interesting DDoS modules that have similar goals to the two DDoS modules we observed in the Korpze campaign.\r\nattacks_vector_game_killer\r\nattacks_vector_nfo_v6\r\nattacks_vector_plainudp\r\nattacks_vector_plaintcp\r\nattacks_vector_l7_ghp\r\nattacks_vector_ovh_l7\r\nInterestingly, neither PBot nor the Korpze variant uses the other’s DDoS modules, but their naming convention is the same. Most likely these DDoS modules are now disseminated in cybercrime forums, and it is up to the malware developers which ones they include in their own campaigns.\r\nThe less likely assumption is that PBot and this Korpze campaign are related, as they share DDoS modules from the same attack corpus, but we cannot really attribute based on a poor string match.\r\nUpdating nameservers\r\nThere is a specific function called UpdateNameSrvs to change nameservers on the infected device. 
The function is responsible for writing the file /etc/resolv.conf with Google’s DNS servers.\r\nvoid UpdateNameSrvs() {\r\n uint16_t fhandler = open(\"/etc/resolv.conf\", O_WRONLY | O_TRUNC);\r\n if (access(\"/etc/resolv.conf\", F_OK) != -1) {\r\n const char* resd = \"nameserver 8.8.8.8\\nnameserver 8.8.4.4\\n\";\r\n size_t resl = strlen(resd);\r\n write(fhandler, resd, resl);\r\n } else { return; }\r\n close(fhandler);\r\n}\r\nThis is most likely meant to aid malware operators: the developer likely wanted to circumvent any DNS servers that block malicious IPs from reaching users, as Google’s 8.8.8.8 DNS does not block malicious IPs:\r\n“Google Public DNS rarely performs blocking or filtering, though it may if we believe this is necessary to protect our users from security threats.”\r\nhttps://developers.google.com/speed/public-dns/docs/intro\r\nUser-Agents Used in HTTP DoS Attacks\r\nThere are 60 hardcoded User-Agents included in the sample, which are used in the DoS modules ovhl7, SendHTTP, and SendHTTPCloudflare. 
Once the DoS module is launched at a target, the function randomly chooses a User-Agent to attack with.\r\nFigure: SendHTTPCloudflare DoS module uses randomized User-Agents\r\nThis mechanism is in place for evading security countermeasures: victims cannot simply block the attack by denying a single specific User-Agent.\r\nHere’s a small excerpt of the User-Agents used:\r\nFAST-WebCrawler/3.6 (atw-crawler at fast dot no; http://fast.no/support/crawler.asp)\r\nTheSuBot/0.2 (www.thesubot.de)\r\nOpera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16\r\nBillyBobBot/1.0 (+http://www.billybobbot.com/crawler/)\r\nFAST-WebCrawler/3.7 (atw-crawler at fast dot no; http://fast.no/support/crawler.asp)\r\nzspider/0.9-dev http://feedback.redkolibri.com/\r\n…\r\nNew Campaigns Appearing\r\nJust as we were investigating the Command-and-Control server, we observed a new campaign being switched on and all malicious binaries being exchanged for a new set of binaries for various architectures.\r\nFigure: A new campaign just launched with a new set of malicious binaries\r\nThis new campaign goes by the tag name daddyl33t, as revealed by its supposed creator.\r\nFigure: Daddyl33t, the creator\r\nThe campaigns are short-lived for many reasons:\r\nThe campaign operator might want to hold on to the surprise element as long as possible: traditional antivirus engines do not usually detect the samples on release, as they need some time to build up detection.\r\nA compromised Command-and-Control server could be under siege from many different threat actors: as they fight to keep their own ground, new players could come in by exploiting vulnerable servers and overwrite the malicious binaries with their own campaign, distributing a different set of 
binaries from that point on.\r\nAlso, as new source codes are released on cybercrime or other underground forums, campaign operators adjust and update their malicious tools whenever there is a better malware version with more or better features.\r\nCreating a flavor of Mirai/Gafgyt has never been so easy. The leaked source codes of Mirai and Gafgyt/QBot are all over GitHub and other repositories, and implementing new functions, removing unnecessary features, and adjusting malicious tools with recent exploits (as new vulnerabilities are discovered) is widely practiced by script-kiddies.\r\nCoverage\r\nThe malicious IPs and URLs related to the Korpze campaign are blocked by CUJO AI Sentry.\r\nIndicators of Compromise\r\nSHA256\r\n2be9013823dbcb7dd4cbed30e37ffd51ac9b3a0f78d168879c6a59ff1b2704d8\r\n009f8f752458e6bbd340ca3cd34f5ebc520b2846fdbb5339add824d31f195413\r\nCampaign name\r\n“Korpze1233121337”\r\nIP\r\n103[.]161[.]17[.]233 – ASN 135967 – 
Vietnam\r\nC2\r\n103[.]161[.]17[.]233:1227\r\n103[.]161[.]17[.]233:1228\r\n103[.]161[.]17[.]233:1229\r\nURL\r\nhttp://103[.]161[.]17[.]233/bins[.]sh\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]arm\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]arm4\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]arm5\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]arm6\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]m68k\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]mips\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]x86\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]ppc\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]sparc\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]i586\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]i686\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]mpsl\r\nhttp://103[.]161[.]17[.]233/Korpze1233121337[.]sh4\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]arm\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]arm4\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]arm5\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]arm6\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]m68k\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]mips\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]x86\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]ppc\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]sparc\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]i586\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]i686\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]mpsl\r\nhttp://103[.]161[.]17[.]233/bins/Korpze1233121337[.]sh4\r\nSource: https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/"
	],
	"report_names": [
		"mirai-gafgyt-with-new-ddos-modules-discovered"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775791457,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b6af4f7e52b8f8e774c8d13e340b9e6e9ab62a4.pdf",
		"text": "https://archive.orkl.eu/8b6af4f7e52b8f8e774c8d13e340b9e6e9ab62a4.txt",
		"img": "https://archive.orkl.eu/8b6af4f7e52b8f8e774c8d13e340b9e6e9ab62a4.jpg"
	}
}