Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



New ‘Gucci’ IoT Botnet Targets Europe

Security researchers with SecNiche Security Labs have discovered a new piece of malware that attempts to ensnare Internet of Things (IoT) devices in Europe into a distributed denial-of-service (DDoS)-capable botnet.

Security researchers with SecNiche Security Labs have discovered a new piece of malware that attempts to ensnare Internet of Things (IoT) devices in Europe into a distributed denial-of-service (DDoS)-capable botnet.

Called Gucci, the same as the Italian luxury brand of fashion and leather goods, the botnet appears to be new and previously undocumented, security researchers Aditya K Sood and Rohit Bansal told SecurityWeek in an email exchange.

The malware is targeting multiple architectures, including ARM, x86, MIPS, PPC, M68K and others, binaries discovered on the attackers’ server showed. The binaries were being disseminated from a server located in the Netherlands.Gucci botnet

Analysis of these binaries also revealed that the botnet operators removed all the debug symbols from them, a “stripping” process that resulted in reduced binary sizes. However, all the binaries were obfuscated.

While investigating the malware, the researchers discovered that each bot was connecting to a remote IP address on TCP port 5555, and also identified the remote host running a custom telnet service on TCP port 5555.

The host, Sood and Bansal explain in a report shared with SecurityWeek, was exchanging commands with Gucci bots regularly. When attempting to establish a TCP connection to the host, however, the researchers were prompted to provide a username and password for authentication.

Using automation, the researchers were able to crack the required credentials and access the command and control (C&C) panel.

The panel showed that the Gucci botnet was designed with support for different types of DDoS attacks, including HTTP null scan, UDP flood, SYN flood, ACK flood, UDP flood with less protocol options, GRE IP flood, and Value Source Engine specific flood.

The botnet operators appear to be keeping a close eye on all connections made to the C&C server.

In fact, as soon as they realized that the C&C had been compromised, the operators removed the aforementioned TCP service from the host and also attempted to hide indicators and artefacts by cleaning the directories and performing other operations.

“The botnet operator was found to be very proactive. The whole analysis and obtaining C&C access was like an arms race,” the security researchers note.

At the moment, the botnet seems to be in its early stages of development and it appears to be targeting the European continent. The botnet, Sood and Bansal say, is capable of launching both targeted and broad attacks.

Related: Mirai-Based Botnet Launches Massive DDoS Attack on Streaming Service

Related: Attackers Turn Elasticsearch Databases Into DDoS Bots

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.