Go back

Los Angeles, CA (September 8, 2021). Researchers from the cybersecurity company CUJO AI have discovered a new botnet built on the code of Mirai and Gafgyt – some of the most devastating botnets in recent history. It was discovered after a compromised Internet of Things (IoT) device accessed a server with the malware. An analysis of the malware showed it targets IP cameras and DVR devices almost exclusively and is estimated to affect millions of consumer devices around the world.

Mirai and Gafgyt botnets have been the backbone of IoT malware for years, after their source codes were leaked. Malicious actors use them as skeletons for new, retrofitted botnets. At the end of August 2021, a brand new version of Gafgyt botnet malware was detected by Albert Zsigovits, working at the Security Research team of CUJO AI Labs. 

The malware uses a scanner to go through random IP addresses and tries to access devices through the Telnet port (port 23). It uses default credentials of poorly secured IoT devices to gain administrative privileges for those devices. The new variant primarily targets IP cameras and DVR devices, but it can also compromise routers, servers as well as some other devices with extremely weak credentials. The new botnet uses denial-of-service (DoS) modules that had been previously analyzed by cybersecurity researchers, with two new additions, which might be used to attack OpenVPN servers. 

‘By this point, we have seen several instances of infected devices, but it does not seem to be too widespread for the time being,’ said Albert Zsigovits, the malware researcher behind the discovery, ‘The botnet itself borrows a lot from Mirai and Gafgyt, with a couple of new functions added to expand its capabilities.’ 

Researchers urge consumers to change the default credentials on their IoT devices and, if possible, to avoid exposing them to the internet directly. 

‘Open Telnet ports and other glaring security issues have plagued IoT devices for years,’ said Zoltan Balazs, the Head of the Vulnerability Research Lab at CUJO AI, ‘We are among countless cybersecurity researchers that continue to push IoT manufacturers towards better security practices.’ 

Mirai botnet malware is most famous for the 2016 DDoS attacks, where tens of millions of infected devices severely affected the global internet infrastructure by targeting the DNS service provider Dyn, several websites and a hosting provider. New incarnations of the botnet continue to threaten insecure IoT devices.  

The breakdown of the new botnet, its functions, and targeted devices is published on CUJO AI’s website: https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/ 


CUJO AI provides cybersecurity and device monitoring services to the largest telecommunications networks globally. Their services protect every device on the end-users’ network, preventing IoT devices from being accessed remotely by malicious actors and from participating in botnet attacks. The company uses machine learning algorithms to determine when a device might be compromised. The company currently monitors and protects over 1 billion consumer devices in more than 40 million networks. 

Questions? Media inquiries? Get in touch with us at [email protected]