Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

IoT Worm “Hajime” Uses BitTorrent Protocols for Communications

While analyzing the notorious Mirai malware, researchers discovered what they claim to be a new and sophisticated worm designed to target Internet of Things (IoT) devices.

While analyzing the notorious Mirai malware, researchers discovered what they claim to be a new and sophisticated worm designed to target Internet of Things (IoT) devices.

The security research group at Boulder, CO-based Internet services company Rapidity Networks set up some honeypots in hopes of capturing a Mirai sample. However, their traps have caught what they believe to be a new IoT worm that behaves similarly to Mirai.

Since “Mirai” is the Japanese word for “future,” the company has decided to name the new piece of malware “Hajime,” which in Japanese can mean “beginning.”

The first sample was discovered by Rapidity Networks in the wild on October 5, but the timestamp of a configuration file suggests that the threat has been around since at least September 26. In addition, one of the libraries used by the malware is dated before 2013, which experts believe could indicate that Hajime has been in development for several years.

Similar to Mirai, Hajime scans the Internet in search of devices running the Telnet service and attempts to access them using a predefined list of common username and password combinations.

Unlike Mirai, which relies on command and control (C&C) servers, Hajime uses a decentralized, peer-to-peer (P2P) network to receive updates and configuration files. According to Rapidity, the worm uses BitTorrent’s DHT (Distributed Hash Tables) protocol for peer discovery and the uTorrent Transport Protocol (uTP) for data exchanges.

“For information exchange, Hajime piggybacks on BitTorrent’s DHT overlay network,” researchers explained. “To transfer files with its peers, Hajime ​uses the uTP implementation found in​ libutp. Hajime​ downloads files in a custom format which often contain payloads compressed with the LZ4 algorithm, and thus includes the decompression function from the LZ4 project.”

Rapidity Networks has only spotted one Hajime module in the wild, which the worm uses to spread from one device to another. The purpose of the botnet remains unclear, but experts believe it can be used for DDoS attacks, as a distribution platform for other payloads, or to steal sensitive data from other machines housed by the same network as the Hajime-infected device.

There is also the possibility that Hajime is part of a research project, similar to the “vigilante malware” named Wifatch.

Based on the number of Hajime attack attempts recorded by its honeypots, Rapidity believes the malware may have infected somewhere between 130,000 and 185,000 IoT devices.

While there are some similarities between Hajime and Mirai, there is no evidence that the two are connected. Researchers speculated that the new worm might be trying to pass off as Mirai in hopes of not drawing too much attention to itself.

It’s unclear who developed Hajime, but based on its analysis, Rapidity has concluded that the author is an individual or group familiar with the C programming language, ARM/MIPS assembly language, cryptography, network protocols and the limitations of low-memory systems.

Internal naming conventions suggest an English speaker, while timestamps show that the developers were most active in timeframes that would point to someone located in Europe.

Related: Mirai Increasingly Used for DDoS Attacks After Source Code Leak

Related: MITRE Offers $50,000 for Rogue IoT Device Detection

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.