CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Endpoint Security

Hide ‘N Seek IoT Botnet Can Survive Device Reboots

The Internet of Things (IoT) botnet known as Hide ‘N Seek that first emerged in January can now achieve persistence on infected devices, Bitdefender reports.

The Internet of Things (IoT) botnet known as Hide ‘N Seek that first emerged in January can now achieve persistence on infected devices, Bitdefender reports.

Discovered toward the end of April, the latest version of the malware also includes code that allows it to target more vulnerabilities and new types of devices, the security firm discovered, adding that it targets 10 different architectures and a broad range of models.

The botnet has so far infected 90,000 unique devices starting in January, and could become a major threat if weaponized.

When first observed in January, the botnet didn’t have a persistence module, meaning it was not able to survive a device reboot. This, however, changed in the last version: if it manages to successfully compromise a device via Telnet, the malware copies itself to /etc/init.d/ and adds itself to startup, so it is executed when the operating system launches.

The malware also abuses web based vulnerabilities to target specific devices like IPTV cameras, but persistence is only achieved if the infection took place via Telnet, because root privileges are required to copy the binary to the init.d directory, Bitdefender Senior E-Threat Analyst Bogdan Botezatu explains.

The malware targets a broad range of devices via the Telnet service. According to Bitdefender, the bot has 10 different binaries compiled for x86, x64, ARM (Little Endian and Big Endian), SuperH, PPC and other platforms.

The latest Hide ‘N Seek version can compromise more IPTV camera models by targeting vulnerabilities in Wansview NCS601W IP camera (a cloud-only device) and AVTECH IP Camera, NVR and DVR (the maker’s products have been targeted by other IoT malware as well).

Responding to a SecurityWeek inquiry, Botezatu revealed that the Hide ‘N Seek malware targets a long list of weak or default credentials frequently found in IoT devices.

Advertisement. Scroll to continue reading.

“The list is extremely long and features several camera models, but the hardcoded credentials also target several router models. In addition to specific models, the bot also attempts these credentials against Telnet for all sorts of devices. The fact that it has binaries compiled for 10 platforms and architectures shows that the attacker is aiming at enrolling as many devices, regardless of type, maker, and model,” Botezatu said.

“We’ve notified vendors about this,” he added.

Over the past three months, Hide ‘N Seek has been growing steadily although some devices left the botnet, while others joined it. Most likely, the botnet lost those devices “that could not be exploited in a way to offer persistence,” Botezatu said.

From February to May, however, Bitdefender’s security researchers identified almost 65,000 infected devices.

Botezatu told SecurityWeek that five versions of the botnet have been observed thus far. However, there haven’t been major changes in the list of supported commands compared to the earlier versions, and no support for distributed denial of service (DDoS), the most commonly encountered purpose of IoT botnets, has been added to Hide ‘N Seek either.

“Based on the evidence at hand, we presume that this botnet is in the growth phase, as operators are trying to seize as many devices as possible before adding weaponized features to the binary,” Botezatu revealed.

As for the current geographic distribution of the bots, most of them are located in China, with Russia, Brazil, the United States, and Italy rounding up top five, followed by India, Poland, Bulgaria, France, and Republic of Korea.

Related: “Hide ‘N Seek” IoT Botnet Ensnares 20,000 Devices in Days

Related: Industrial Internet Consortium Develops New IoT Security Maturity Model

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.