216.73.217.139

The Resurgence of IoT Malware: Inside the Mirai-Based "Gayfemboy" Botnet Campaign

· Published 25/08/2025 12:22 · Modified 25/08/2025 20:04

Export JSON

Essential information

Published
25/08/2025 12:22
Modified
25/08/2025 20:04
Tags
2025-08-25 botnet ddos evasion iot mirai obfuscation
Related entities
12 techniques (mitre), 2 malware, 11 others

Description

FortiGuard Labs has been tracking a stealthy malware strain called "Gayfemboy" that exploits vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco products. The malware, based on , has evolved in form and behavior, targeting multiple countries and sectors. Gayfemboy employs techniques, anti-analysis measures, and multiple functions including Monitor, Watchdog, Attacker, and Killer. It uses public DNS servers to bypass filtering and establishes communication with C2 servers through predefined domains. The malware can execute various commands, launch attacks, and maintain persistence. This evolution highlights the increasing sophistication of modern malware and the need for proactive defense strategies.

External references