Security Experts:

Connect with us

Hi, what are you looking for?



Potent ‘dark_nexus’ IoT Botnet Emerges

A recently identified Internet of Things (IoT) botnet has modules developed in a manner that makes it significantly more “potent and robust” than other IoT botnets, Bitdefender’s security researchers say.

A recently identified Internet of Things (IoT) botnet has modules developed in a manner that makes it significantly more “potent and robust” than other IoT botnets, Bitdefender’s security researchers say.

Dubbed dark_nexus and featuring a modular architecture, the threat shares some features with previously observed pieces of malware, and even reuses Qbot and Mirai code, but its core modules appear mostly original.

The botnet’s payloads are compiled for 12 different CPU architectures and are dynamically delivered based on the victim’s configuration. The malware was also observed using a scoring system to determine which processes might pose a threat to it, and killing those processes.

Supposedly the work of a known botnet author named greek.Helios, dark_nexus was designed for distributed denial of service (DDoS) services, and it can hide generated traffic as innocuous browser-generated traffic. The malware uses Telnet scanners for infection and victim reporting, targeting a broad range of router models with Telnet credential stuffing and exploits.

It also employs socks5 proxies — likely for renting access to the botnet — a debugging module to ensure proper functionality and reliability of the device, and it removes device restart permissions to achieve persistence, Bitdefender says in a report (PDF).

dark_nexus is believed to be around three months old, but has received over 30 updates during this period of time.

The botnet appears to be comprised of at least 1,372 bots, located in China (653), Korea (261), Thailand (172), Brazil (151), Russia (148), Taiwan (110), Ukraine (77), United States (68), India (46), and Vietnam (24).

Compromised devices range from routers (including Dasan Zhone, D-Link, and ASUS) to video recorders and thermal cameras. Given the rapid pace at which the botnet’s developer delivers updates, it’s likely that more device models will be targeted.

Bitdefender’s security researchers identified within dark_nexus’ code a series of strings that connect it to greek.Helios, who is believed to be the author of a Mirai variant called “hoho.”

Together with pieces of evidence from the malware author’s YouTube channel, and correlated with the fact that the developer sells DDoS services and botnet code, this led the researchers to the conclusion that greek.Helios built dark_nexus as well.

Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw

Related: Microsoft Cracks Infrastructure of Infamous Necurs Botnet

Related: New ‘Gucci’ IoT Botnet Targets Europe

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.