{
	"id": "a07643cc-3d72-43d4-ba7e-ca423111393f",
	"created_at": "2026-04-06T00:16:33.29583Z",
	"updated_at": "2026-04-10T13:12:44.962955Z",
	"deleted_at": null,
	"sha1_hash": "e2c3d21c944ba7ae65d02327a49ca3134a69cb93",
	"title": "MedusaHTTP DDoS Slithers Back into the Spotlight | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1350213,
	"plain_text": "MedusaHTTP DDoS Slithers Back into the Spotlight | NETSCOUT\r\nArchived: 2026-04-05 12:54:14 UTC\r\nExecutive Summary\r\nMedusaHTTP is an HTTP-based DDoS botnet written in .NET that surfaced in early 2017. MedusaHTTP is based on MedusaIRC, which leveraged IRC for its command and control communications instead of HTTP. The MedusaIRC botnet has been advertised on various underground hacker marketplaces since 2015, while MedusaHTTP started appearing in 2017.\r\nThe alleged seller of MedusaIRC and MedusaHTTP, Stevenking(s), has advertised this botnet family on hacker marketplaces for many years.\r\nMedusaHTTP has evolved from an IRC botnet to an HTTP botnet. The HTTP components appear to be reused code from the leaked Diamond Fox DDoS botnet.\r\nMedusaHTTP was observed being distributed by the Rig Exploit Kit by an independent researcher.\r\nIntroduction\r\nMedusaHTTP was discovered after reading an independent researcher’s blog post describing malware distributed by recent Rig exploit kit campaigns. Screenshots of network traffic from one of the malware payloads within the post caught our attention:\r\nhttps://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/\r\nPage 1 of 8\r\nThe blog post initially identified the payload responsible for this traffic as AZORult; however, the commands in this traffic suggest DDoS functionality. AZORult is classified as an information-stealing trojan whose primary objective is capturing passwords, financial and personal information from the victim’s system. Samples of this family and campaign objectives are not known to contain DDoS functionality, so this could suggest a major update to the AZORult malware. ASERT obtained the sample linked in the blog post from VirusTotal, and after analysis we believe this file is not AZORult but rather a new version of the DDoS bot known as Medusa.\r\nEnter Medusa – StevenKings’ DDoS botnet kit since 2015\r\nThis isn’t the first time ASERT has encountered the Medusa botnet; we previously analyzed the IRC version of Medusa in 2016. In addition, we found references to Medusa being advertised on underground hacker marketplaces dating back to 2015. Advertisements were posted by a user under the name of StevenKings; a sample image of an advertisement is provided below:\r\nAs insinuated above, Stevenkings may not be a native English speaker. We believe he or she may be a native Russian speaker based on the origin of their most active forum. In this 2015 advertisement, Stevenkings is selling the IRC version of Medusa for $500 in bitcoin, a cryptocurrency often leveraged in underground marketplaces. Reading further shows descriptions of future commands that will be added to the bot, such as “.httpstrong”, which was the string that sparked our attention in the above researcher’s blog post. The advertisement also links to images of the botnet’s throughput, first showing screenshots to prove DDoS rates of 30k requests-per-second:\r\nAnd then, a screenshot of it generating 3k requests-per-second with only 3 bots.\r\nHigher requests-per-second per bot allows a botnet controller to use fewer bots for taking down targets. This would mean the botnet controller could infect fewer victims while still remaining operationally successful.\r\nMedusa Now in HTTP\r\nOur research shows Stevenkings advertising the HTTP version of the Medusa botnet on underground hacker marketplaces in early 2017. The advertisements for this version included images of the HTTP command and control panel, which appears to use the code and images from Diamond Fox, another well-known DDoS botnet.\r\nA view of the MedusaHTTP admin panel.\r\nA view of the MedusaHTTP attack page.\r\nA view of the Diamond Fox admin panel for comparison.\r\nMultiple versions of the Diamond Fox botnet have been leaked over the past few years, which would make the code reuse feasible for the Medusa malware author. All other portions of the code, except for the HTTP-based command and control communications, remain very similar to the IRC version of the Medusa botnet.\r\nCommand and Control Communication\r\nThe latest version of MedusaHTTP uses an HTTP-based command and control (C2) communication method as opposed to the IRC communication of its predecessor. The initial connection uses a POST request with a static user agent of Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0 sent to the C2. In the POST request payload, the victim bot will send introspection information using an xyz form item. The introspection information payload follows this format:\r\nxyz=08:00:27:??:??:??|\u003cOS Type\u003e|Version\r\nAn example of this would be:\r\nAfter the check-in command is sent, the C2 will either respond with an HTTP status code 200 as seen below:\r\nor send back one of the following commands:\r\n.icmp [host] [threads] [delay] [stoptime]\r\n.httpseebix [www.website.com] [page.php] [threads] [delay] [stoptime]\r\n.httpoverload [www.website.com] [page.php] [threads] [delay] [stoptime]\r\n.httpstrong [www.website.com] [page.php] [threads] [delay] [stoptime]\r\n.httpactive [www.website.com] [page.php] [threads] [delay] [stoptime]\r\n.httpssl [www.website.com] [page.php] [threads] [delay] [true/false] [stoptime]\r\n.proxy [www.website.com] [page.php] [webpagewithproxy] [threads] [delay] [stoptime]\r\n.httppost [www.website.com] [page.php] [postcontent] [threads] [delay] [stoptime]\r\n.smartflood [GET] [www.website.com] [page.php] [threads] [delay] [stoptime]\r\n.smartflood [POST] [www.website.com] [page.php] [postcontent] [threads] [delay] [stoptime]\r\n.syn [host] [port] [sockets] [threads]\r\n.udp [host] [port] [sockets] [threads] [packetsize]\r\n.download [http://website.com/exe.exe] [filename] [true/false]\r\n.stop-[methodname]\r\n.stop-all\r\nAfter which the bot will either wait and check in again at a later time or act on the specific command received.\r\nPurported Capabilities\r\nStevenkings claims MedusaHTTP is capable of the following:\r\n.httpssl is made for TLS and SSL websites. Using the TRUE option on httpssl will grab cookies.\r\n.icmp is a layer 3 flood.\r\n.httpseebix is a custom HTTP GET flood.\r\n.httpstrong is a fast HTTP flood method.\r\n.httpactive is a mix of TCP and layer 7.\r\n.httpoverload can crash certain servers.\r\n.httpproxy uses proxy servers to execute a DDoS.\r\n.httppost is a POST flood.\r\n.httpsmartflood bypasses all cookie protection unless it’s captcha.\r\n.syn is a TCP flood which bypasses OVH.\r\n.udp is a basic UDP flood.\r\nObserved Command Traffic\r\nASERT observed and was able to capture DDoS and command traffic from a portion of the purported attack types available to MedusaHTTP.\r\n.httpseebix\r\nThis command sends GET requests using 1 of 12 user agents randomly chosen from a predefined list, similar to the example below:\r\n.httpstrong\r\nThis command appears to be similar to .httpseebix; however, it uses only one hardcoded user agent to perform HTTP GET requests.\r\n.httpoverload\r\nThis command appears to be the same as .httpseebix; Stevenkings claims it has the ability to crash certain servers.\r\n.httpactive\r\nThis command is advertised as a mixture of TCP and Layer 7 flooding that has the ability to take down servers. Below you can see the utilization of multiple GET requests with a TCP packet of “0000000” in between them, illustrating this technique.\r\n.smartflood (GET)\r\nStevenKings purports this command to bypass cookie protection. The POST version of this command takes an additional parameter ‘Payload’ which, in this example, is ‘hello=hello’.\r\nThere is also a GET version of this command which looks similar; however, it does not include the POST data.\r\n.download\r\nThis command instructs the bot to download and run executables, which could be a bot update or additional malicious files. The method of downloading the executables is a simple HTTP GET request.\r\n.stop-all\r\nThis command instructs the bot to stop all active attacks.\r\nConclusion\r\nMedusaHTTP has evolved from its prior IRC version. Although there is a new command and control communication mechanism, a large amount of functionality overlap remains. Many of the DDoS traffic examples above have exactly the same traffic profile as that generated by MedusaIRC and continue to be mitigated in the same way, using situationally appropriate firewall ACLs and other countermeasures available in Arbor products, including HTTP Authentication, Zombie Detection, and AIF Malware Family Blocking.\r\nIndicators\r\nSamples:\r\n2919a13b964c8b006f144e3c8cc6563740d3d242f44822c8c44dc0db38137ccb\r\n85ebf6330039de69dbef1a4860274f21d8b980adb9c3d8385873c5d697c61685\r\ne514935ab07b29ca1ee9eedaf699de202ada70e29b4fc4618908b8ca8b3f83ef\r\n290eb4666848172a03c9c5123c004278647e8f5445a7d4e9c29a9ecc58c1b329\r\n4654f4cbd9e3910f4901493b9774d978060f1c9a9489612b66d66ee61667f60f\r\nCommand and Control Domains:\r\nDisability[.]su\r\nFranchessko[.]top\r\nIrcnews[.]wang\r\nKjnsfiosgjnlorgiko[.]ru\r\nMhforum[.]biz\r\nMissyiurfound[.]bid\r\nscam-financial[.]org\r\nsgsdgsdger[.]ru\r\ntroyamylove[.]gdn\r\nwooow1[.]ru\r\nyouframegood[.]ru\r\nSource: https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/"
	],
	"report_names": [
		"medusahttp-ddos-slithers-back-spotlight"
	],
	"threat_actors": [],
	"ts_created_at": 1775434593,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2c3d21c944ba7ae65d02327a49ca3134a69cb93.pdf",
		"text": "https://archive.orkl.eu/e2c3d21c944ba7ae65d02327a49ca3134a69cb93.txt",
		"img": "https://archive.orkl.eu/e2c3d21c944ba7ae65d02327a49ca3134a69cb93.jpg"
	}
}