Security Experts:

Connect with us

Hi, what are you looking for?



Hoaxcalls Botnet Expands Targets List, DDoS Capabilities

The Hoaxcalls Internet of Things (IoT) botnet has expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities to its arsenal, DDoS protection services provider Radware reports.

The Hoaxcalls Internet of Things (IoT) botnet has expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities to its arsenal, DDoS protection services provider Radware reports.

First detailed at the beginning of April, Hoaxcalls is based on source code from the Tsunami and Gafgyt botnets and has been targeting vulnerabilities in Grandstream UCM6200 series devices (CVE-2020-5722) and Draytek Vigor routers (CVE-2020-8515).

The botnet was designed to launch DDoS attacks using UDP, DNS and HEX floods, based on commands received from its command and control (C&C) server.

Over the past several weeks, a new version of the botnet was observed targeting an unpatched vulnerability impacting ZyXEL Cloud CNM SecuManager. The botnet also added 16 new DDoS capabilities to the existing list, Radware’s security researchers say (PDF).

A couple of weeks ago, the more potent variant of the botnet was spreading from a single server, but the number of hosting servers now exceeds 75.

The new samples, Radware underlines, show how fast the development of malware can take place, as the 16 new DDoS vectors were added between March 31 (the initial botnet discovery) and April 8.

This week, the security researchers also identified a new variant of the botnet (dubbed XTC) that not only includes all of the 19 DDoS attack vectors, but also expands the list of targeted devices by attempting to exploit a vulnerability in ZyXEL Cloud CNM SecuManager.

Multiple vulnerabilities in the Zyxel network management software were published in early March, when security researcher Pierre Kim revealed that adversaries targeting them could achieve remote code execution.

“The campaigns performed by the actor or group behind XTC and Hoaxcalls include several variants using different combinations of propagation exploits and DDoS attack vectors. It is our opinion that the group behind this campaign is dedicated to finding and leveraging new exploits for the purpose of building a botnet that can be leveraged for large scale DDoS attacks,” Radware notes.

Related: Botnet Targets Critical Vulnerability in Grandstream Appliance

Related: Potent ‘dark_nexus’ IoT Botnet Emerges

Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...