The IoT Under Siege: The Resurgence of the Mirai-Based Gayfemboy Botnet

The IoT Under Siege: The Resurgence of the Mirai-Based Gayfemboy Botnet

Researchers at FortiGuard Labs have tracked a new wave of activity from the Gayfemboy botnet. This malware exploits known vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco devices, showcasing evolved attack strategies and a resurgence in activity.

The Gayfemboy botnet was first discovered in February 2024, leveraging not only the code from the basic version of the Mirai variant but also integrating both known and zero-day exploit capabilities. By November 2024, the botnet had exploited zero-day vulnerabilities in Four Faith industrial routers, Neterbit routers, and Vimar smart home devices, with over 15,000 active nodes daily. The operators also launched DDoS attacks against researchers tracking their activities.

In January 2025, experts from Qihoo 360 XLab discovered that Gayfemboy was deploying bot programs through over 20 vulnerabilities and attempting to penetrate systems using weak Telnet passwords. Researchers confirmed that the attackers targeted the zero-day vulnerability CVE-2024-12856 in Four Faith industrial routers, as well as several unknown vulnerabilities affecting Neterbit and Vimar devices.

In July 2025, FortiGuard Labs found that the Gayfemboy payload was exploiting multiple device vulnerabilities, with source IP addresses of 87.121.84.34 and 220.158.234.135. Experts identified download scripts targeting devices from multiple brands including ASUS, Vivo, H3C, and Realtek, which would retrieve malware and Monero mining programs, passing them to Gayfemboy via product name parameters.

According to a report from Fortinet Labs: “Gayfemboy employs first-layer obfuscation techniques during the file download phase. Unlike Mirai and Gafgyt variants that typically use Linux architecture names as file extensions, this botnet assigns unique names for each architecture, avoiding predictable naming conventions.”

The attack range of this botnet spans multiple countries including Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam, with victims across various sectors such as manufacturing, technology, construction, and media communications.

Gayfemboy uses custom file naming to evade detection and obfuscates binary files by modifying UPX headers. It has the capability to eliminate competing malicious processes, with core modules including: a monitor (anti-analysis, persistence, sandbox evasion, process termination), a watchdog (ensures single instance operation, terminates unresponsive copies), an attacker (DDoS and backdoor functions), and a cleaner (removes competing infections).

The report specifically notes: “The monitor function includes two dedicated sub-functions—self-persistence and sandbox evasion. The former ensures continuous activity, automatically re-executing if the process is terminated; the latter introduces a 50-nanosecond delay, causing timing errors in sandbox environments that cannot accurately handle such granular delays, triggering a sleep state of up to 27 hours.”

To evade local filtering, Gayfemboy resolves random domain names (such as cross-compiling[.]org, furry-femboys[.]top) to connect to C2 servers using public DNS (1.1.1.1, 8.8.8.8). It scans 15 ports to establish communication, supporting 4-byte lightweight commands (reset, sleep, info) and extended commands (payload download, reverse shell, firewall rule modification, launching DDoS). Its self-protection mechanisms include clock-based sandbox detection and remote kill commands.

The report concludes by emphasizing: “While Gayfemboy inherits structural elements from Mirai, it significantly enhances complexity and evasion capabilities. This evolution reflects the increasing sophistication of modern malware and underscores the necessity of adopting proactive, intelligence-driven defense strategies. To maintain an edge, it is essential not only to regularly update patches but also to develop effective countermeasures through in-depth analysis and exposure of emerging threats to mitigate risks.” (This translation includes threat indicator information)

Leave a Comment