A threat group that pursues crypto mining and distributed denial-of-service (DDoS) attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things (IoT) devices since last month.

"This botnet is mainly derived from Gafgyt's source code but has been observed to borrow several modules from Mirai's original source code," Fortinet FortiGuard Labs said in a report this week.

The botnet has been attributed to an actor named Keksec (aka Kek Security, Necro, and FreakOut), which has been linked to multiple botnets such as Simps, Ryuk (not to be confused with the ransomware of the same name), and Samael, and has a history of targeting cloud infrastructure to carry out crypto mining and DDoS operations.


Primarily targeting routers from Seowon Intech, D-Link, and iRZ to propagate its infections and grow in volume, an analysis of the malware specimen has highlighted Enemybot's obfuscation attempts to hinder analysis and connect to a remote server that's hosted in the Tor anonymity network to fetch attack commands.

Enemybot, like the other botnet malware, is the result of combining and modifying the source code of Mirai and Gafgyt, with the latest version using the former's scanner and bot killer modules that are used to scan and terminate competitor processes running on the same devices.

EnemyBot DDoS Botnet

Some of the n-day vulnerabilities used by the botnet to infect more devices are as follows -

  • CVE-2020-17456 (CVSS score: 9.8) - A remote code execution flaw in Seowon Intech SLC-130 And SLR-120S devices.
  • CVE-2018-10823 (CVSS score: 8.8) - An arbitrary code execution vulnerability in D-Link routers
  • CVE-2022-27226 (CVSS score: 8.8) - A cross-site request forgery issue affecting iRZ Mobile Routers leading to remote code execution

Fortinet also pointed out its overlaps with Gafgyt_tor, suggesting that "Enemybot is likely an updated and 'rebranded' variant of Gafgyt_tor."

The disclosure comes as researchers from Qihoo 360's Network Security Research Lab (360 Netlab) detailed a rapidly spreading DDoS botnet called Fodcha that has ensnared more than 10,000 daily active bots, cumulatively infecting over 62,000 unique bots from March 29 to April 10, 2022.

Fodcha has been observed spreading through known vulnerabilities in Android, GitLab (CVE-2021-22205), Realtek Jungle SDK (CVE-2021-35394), digital video recorders from MVPower, LILIN, and routers from TOTOLINK and ZHONE.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.