{
	"id": "09385530-0d78-4b81-b949-67a9efc94ebc",
	"created_at": "2026-04-06T00:21:54.903447Z",
	"updated_at": "2026-04-10T03:21:28.882767Z",
	"deleted_at": null,
	"sha1_hash": "c6b33d99015b80fbb4f0b8ee1ae11d76332f38bc",
	"title": "New HNS IoT Botnet Has Already Amassed 14K Bots",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1125844,
	"plain_text": "New HNS IoT Botnet Has Already Amassed 14K Bots\r\nBy Catalin Cimpanu\r\nPublished: 2018-01-24 · Archived: 2026-04-05 19:46:36 UTC\r\nA new botnet is growing around the world, feeding off unsecured IoT devices, mainly IP cameras, and getting ready to do\r\nsome harm.\r\nDiscovered by security researchers from Bitdefender, the new botnet is called Hide 'N Seek (HNS), and according to\r\nexperts, the botnet first appeared on January 10, died off for a few days, and came back strong over the weekend, on January\r\n20.\r\nIn all this time, the botnet grew from an initial list of 12 compromised devices to over 14,000 bots, as of writing.\r\nhttps://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/\r\nPage 1 of 4\n\nNot Mirai related\r\nUnlike all the Internet of Things (IoT) botnets that have appeared in recent weeks, HNS is not another modification of the\r\nMirai IoT malware source code that was leaked online last year.\r\nIn fact, according to Bogdan Botezatu, Bitdefender senior e-threat analyst, the HNS botnet is more similar to Hajime\r\nthan to Mirai.\r\n\"It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer\r\narchitecture,\" Botezatu says. \"However, if in the case of Hajime, the P2P functionality was based on the BitTorrent protocol,\r\nhere we have a custom-built P2P communication mechanism.\"\r\nAccording to an analysis Botezatu authored today, each bot contains a list of IPs of other infected bots, a list that can be\r\nupdated in real-time, as the botnet grows and bots are lost or gained.\r\nHNS bots relay instructions and commands from one another, similar to the basics of the P2P protocol. 
Botezatu says an\r\nHNS bot can receive and execute several types of commands, such as \"data exfiltration, code execution and interference\r\nwith a device’s operation.\"\r\nNo DDoS function (yet)\r\nSurprisingly, Bitdefender experts did not find a DDoS function, meaning the botnet is intended to be deployed as a proxy\r\nnetwork, similar to how most IoT botnets have been weaponized in the past year after DDoS functions drew too much\r\nattention and led to the downfall of many aggressive botnets.\r\nThe botnet spreads via dictionary brute-force attacks against devices with open Telnet ports. Just like its unique P2P bot\r\nmanagement protocol, this spreading mechanism is also heavily customized. Botezatu explains below:\r\nThe bot features a worm-like spreading mechanism that randomly generates a list of IP addresses to get potential targets. It\r\nthen initiates a raw socket SYN connection to each host in the list and continues communication with those that answer the\r\nrequest on specific destination ports (23, 2323, 80, 8080). Once the connection has been established, the bot looks for a\r\nspecific banner (“buildroot login:”) presented by the victim. If it gets this login banner, it attempts to log in with a set of\r\npredefined credentials. If that fails, the botnet attempts a dictionary attack using a hardcoded list.\r\nOnce a session is established with a new victim, the sample will run through a “state machine” to properly identify the target\r\ndevice and select the most suitable compromise method. For example, if the victim has the same LAN as the bot, the bot sets\r\nup a TFTP server to allow the victim to download the sample from the bot. If the victim is located on the internet, the bot will\r\nattempt a specific remote payload delivery method to get the victim to download and run the malware sample. 
These\r\nexploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering.\r\nThis list can be updated remotely and propagated among infected hosts.\r\nThe good news is that just like all IoT malware, HNS cannot establish persistence on infected devices, meaning the malware\r\nis automatically removed with every device reboot.\r\nThis makes managing the HNS botnet a 24-hour job, with the botnet needing constant supervision from its creator in order\r\nto ensure the botnet continues to add new bots before the old ones die off.\r\nHNS still under development\r\nIn addition, because it's a new arrival on the IoT malware scene, HNS is also in a state of constant change, as its operator(s)\r\nexplores new spreading and bot management techniques.\r\nAs many of these \"new\" botnets have had a tendency to disappear after a few weeks, let's hope HNS' author gets bored and\r\nabandons his \"experiment.\"\r\nA 14K botnet is nothing to ignore. If we learned anything from the ProxyM botnet, it is that you don't need tens of thousands of\r\ninfected devices to run a profitable botnet. Four to five thousand are enough.\r\nSource: https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/"
	],
	"report_names": [
		"new-hns-iot-botnet-has-already-amassed-14k-bots"
	],
	"threat_actors": [],
	"ts_created_at": 1775434914,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6b33d99015b80fbb4f0b8ee1ae11d76332f38bc.pdf",
		"text": "https://archive.orkl.eu/c6b33d99015b80fbb4f0b8ee1ae11d76332f38bc.txt",
		"img": "https://archive.orkl.eu/c6b33d99015b80fbb4f0b8ee1ae11d76332f38bc.jpg"
	}
}