Thousands of IP Cameras Hijacked by Persirai, Other IoT Botnets

Thousands of IP cameras have been hijacked by Internet of Things (IoT) botnets and data from Trend Micro shows that the recently launched Persirai malware is responsible for a large percentage of infections.

The Persirai backdoor is designed to target more than 1,000 IP camera models, and researchers said there had been roughly 120,000 devices vulnerable to this malware at the time of its discovery several weeks ago.

The malware, which uses a recently disclosed zero-day vulnerability to spread from one hacked IP camera to another, allows its operators to execute arbitrary code on the targeted device and launch distributed denial-of-service (DDoS) attacks.

Trend Micro has determined that of a total of 4,400 IP cameras it tracks in the United States, just over half have been infected with malware. The percentage of infected cameras spotted by the security firm in Japan is nearly 65 percent.

According to the company, more than 64 percent of the total number of 3,675 compromised devices located in the United States, Japan, Taiwan and South Korea have been infected with Persirai.

However, Persirai is not the only IoT malware targeting IP cameras. Trend Micro says there are three other malware families: Mirai, DvrHelper and TheMoon.

Mirai made a lot of headlines recently due to the significant number of devices it infected all around the world. Data from Trend Micro shows that of the hijacked devices it is monitoring in the U.S., Japan, Taiwan and Korea, Mirai accounts for more than a quarter of infections.

DvrHelper is based on Mirai, but its authors have implemented some interesting features, including additional DDoS modules and a mechanism for bypassing anti-bot solutions, including JavaScript-based challenges and Google’s reCAPTCHA system.

Another threat targeting IP cameras is TheMoon. This is actually the oldest IoT malware, but its authors have continued to improve it.

DvrHelper and TheMoon account for 6.8 percent and 1.4 percent, respectively, of the infections seen by Trend Micro in the U.S. and the aforementioned East Asian countries.

Researchers pointed out that since the number of potential victims for these malware families is limited, some of them are designed to “lock the door” behind them after they infect a device.

For example, Persirai attempts to patch the zero-day vulnerability it exploits to prevent other malware from infecting the device. However, since the malware resides only in memory and the changes it makes are not persistent, the threat will be removed and the camera will become vulnerable once again after it’s restarted.

TheMoon also tries to keep other malware out. It does this by importing specific iptables firewall rules to the device.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
