
The Mirai-based botnet Gayfemboy, first documented in 2024, has been observed in new campaigns exploiting IoT device vulnerabilities, targeting routers and other connected systems, and fueling large-scale DDoS attacks.
In a global campaign, Gayfemboy is infecting devices in the U.S., Brazil, Mexico, Israel, Germany, Switzerland, and Vietnam.
Because the operators go after enterprise and carrier-grade routers, they are likely linked to hacktivist activity, where disruption is the primary goal.
Targeting these devices can disrupt enterprise connectivity and affect service delivery at the provider level, where mitigation is more difficult than on standard endpoints because these systems are deeply embedded in core networks.
Moreover, if they run outdated firmware, they cannot easily be patched or replaced without causing further outages. The botnet has affected sectors including media, technology, and manufacturing.
Gayfemboy assigns unique names to each architecture instead of standard Linux labels, making its binaries harder to detect with conventional signature-based defenses.
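Because the binaries carry non-standard architecture labels, a defender should not rely on the file name to decide what a sample is. The ELF header's e_machine field is what the loader uses and cannot be renamed away. The following is an added example written for this article (not the botnet's code and not a vendor tool); it parses that field from constructed, minimal ELF header prefixes that stand in for samples. The sample names and bytes are constructed for the demonstration.

```python
"""Identify an ELF binary's CPU architecture from its header rather than its
file name. Added example for this article; the headers below are constructed
20-byte ELF prefixes, not real samples."""
import struct
from typing import Dict, Optional

# Subset of e_machine values from the ELF specification.
ELF_MACHINES = {
    0x03: "x86",
    0x08: "MIPS",
    0x28: "ARM",
    0x2A: "SuperH",
    0x3E: "x86-64",
    0xB7: "AArch64",
    0xF3: "RISC-V",
}


def elf_architecture(data: bytes) -> Optional[str]:
    """Return the architecture encoded in an ELF header, or None if the bytes
    are not an ELF file. e_ident is 16 bytes; e_type and e_machine (2 bytes
    each) follow it, in the byte order declared by EI_DATA."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_data = data[5]  # 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    _e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return ELF_MACHINES.get(e_machine, "unknown(0x%02x)" % e_machine)


def build_header(machine: int, little_endian: bool = True, bits64: bool = False) -> bytes:
    """Construct a minimal 20-byte ELF header prefix for demonstration only."""
    ei_class = 2 if bits64 else 1
    ei_data = 1 if little_endian else 2
    # EI_MAG(4) + EI_CLASS + EI_DATA + EI_VERSION + EI_OSABI + EI_ABIVERSION + EI_PAD(7)
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    endian = "<" if little_endian else ">"
    return e_ident + struct.pack(endian + "HH", 2, machine)  # e_type = ET_EXEC


# Constructed samples: misleading file names, only the header decides.
SAMPLES: Dict[str, bytes] = {
    "update.bin": build_header(0x08, little_endian=False),  # big-endian MIPS
    "helper": build_header(0x28),                            # little-endian ARM
    "notes.txt": b"just text, not an executable",
}


def classify_samples(samples: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Map each sample name to the architecture read from its header."""
    return {name: elf_architecture(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, arch in classify_samples(SAMPLES).items():
        print("%-12s -> %s" % (name, arch))
```

In triage, run the header check before any name- or string-based signature so that samples for the same architecture group together regardless of what the operators called them.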
After looking up a C2 domain and scanning 15 predefined ports for communication, Gayfemboy connects to its server, which issues commands enabling reconnaissance and backdoor access on compromised hosts.
Through reconnaissance, the botnet gathers system and network details, giving operators insight into the compromised host's weaknesses for refined attacks.
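A bot that resolves its C2 domain and then probes 15 predefined ports on that one server before settling on a channel leaves a recognisable pattern in flow logs: one internal source reaching one external destination on many distinct ports within a short window. The following is an added detection example written for this article (not code from the botnet or from Fortinet); the flow records, IP addresses, the 60-second window and the port-count threshold are constructed assumptions to tune for a real environment.

```python
"""Flag source/destination pairs that touch many distinct destination ports
inside a short window. Added example for this article; all flow records,
addresses and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


def parse_flow(line: str) -> Tuple[datetime, str, str, int]:
    """Parse a constructed record of the form 'timestamp src_ip dst_ip dst_port'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_port_sweeps(lines: Iterable[str], min_ports: int = 10,
                     window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, int]]:
    """Return (src, dst, distinct_ports) for every pair whose peak number of
    distinct destination ports within any sliding window reaches min_ports."""
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_flow(line)
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            alerts.append((src, dst, best))
    return alerts


def _constructed_flows() -> List[str]:
    """Build sample records: one sweep, one benign repeat, one slow spread."""
    base = datetime(2025, 9, 1, 10, 0, 0)
    rows = []
    # Suspicious: 15 distinct ports on one destination within 30 seconds.
    for i in range(15):
        rows.append("%s 10.0.0.5 203.0.113.10 %d" % ((base + timedelta(seconds=2 * i)).isoformat(), 7000 + i))
    # Benign: repeated HTTPS connections to a single destination port.
    for i in range(5):
        rows.append("%s 10.0.0.7 203.0.113.20 443" % (base + timedelta(seconds=i)).isoformat())
    # Slow: 12 distinct ports, but ten minutes apart, so never 12 inside 60 seconds.
    for i in range(12):
        rows.append("%s 10.0.0.9 203.0.113.30 %d" % ((base + timedelta(minutes=10 * i)).isoformat(), 8000 + i))
    return rows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for src, dst, count in find_port_sweeps(SAMPLE_FLOWS):
        print("possible C2 port probe: %s -> %s on %d distinct ports" % (src, dst, count))
```

The sliding window matters: the same 12 ports spread over two hours are not flagged at a 60-second window but are at a two-hour window, so the threshold and window should be set from baseline traffic rather than from the single number in a report.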
Self-Persistence: The botnet can sustain long-term infections because it includes self-persistence and sandbox evasion features. The persistence mechanism lets Gayfemboy automatically restart itself even after it's terminated.
Detection Evasion: The malware pauses for 50 nanoseconds and checks how the pause was handled. If the environment cannot accurately process this interval, the timing check fails and triggers a fallback sleep cycle of about 27 hours, which helps the malware evade automated analysis.
Shutting Down: The botnet sends nine messages to its own self-check watchdog process. If it receives no reply, it treats this as a sign that its execution has been interrupted or compromised and shuts itself down.
The Mirai-based Gayfemboy exploits device flaws to gain initial access and then launches DDoS attacks. Fortinet has linked its activity to vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco products, tracked under CVE identifiers including CVE-2020-8515, CVE-2023-1389, and CVE-2025-20281.
Mitigation requires promptly applying vendor patches, updating device firmware, and segmenting IoT equipment from sensitive networks. Intrusion prevention systems should be kept current, and FortiGuard Labs has released IPS signatures to detect and block exploitation of the listed vulnerabilities.
A recent arrest of an individual tied to another Mirai-based DDoS botnet, RapperBot, shows how law enforcement can hinder operators; details are available in TechNadu's coverage.