A shady market pays app developers on iOS, Android, macOS and Windows for including a library in their apps that sells users' network bandwidth, acting as a proxy for web scrapers/bots - Article by Jan Wildeboer @jwildeboer #Botnet https://jan.wildeboer.net/2025/04/Web-is-Broken-Botnet-Part-2/
RustoBot Botnet Exploits Router Flaws
Pulse ID: 6808367b763a45db31e7f677
Pulse Link: https://otx.alienvault.com/pulse/6808367b763a45db31e7f677
Pulse Author: cryptocti
Created: 2025-04-23 00:38:19
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
New Threat Alert: Rustobot Botnet
A new Rust-based botnet is making waves, and it's hijacking routers to do it. @FortiGuardLabs' latest research dives into Rustobot, a stealthy, modular botnet that's fast, evasive, and ready to wreak havoc.
Learn how it works, what makes it different, and how to protect your network:
https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers
IOCs
URLs
hxxp://66[.]63[.]187[.]69/w.sh
hxxp://66[.]63[.]187[.]69/wget.sh
hxxp://66[.]63[.]187[.]69/t
hxxp://66[.]63[.]187[.]69/tftp.sh
hxxp://66[.]63[.]187[.]69/arm5
hxxp://66[.]63[.]187[.]69/arm6
hxxp://66[.]63[.]187[.]69/arm7
hxxp://66[.]63[.]187[.]69/mips
hxxp://66[.]63[.]187[.]69/mpsl
hxxp://66[.]63[.]187[.]69/x86
Hosts
dvrhelper[.]anondns[.]net
techsupport[.]anondns[.]net
rustbot[.]anondns[.]net
miraisucks[.]anondns[.]net
5[.]255[.]125[.]150
Edit: Shout-out to the author behind this research, @7olzu
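The pulse lists its indicators in defanged form (hxxp://, [.]) so they cannot be clicked by accident. The following is an added example, not code from the pulse or from FortiGuard, showing how a responder would refang such a list, split it into IPs, domains and URLs, and render the IPs as an nftables set. The indicator excerpt embedded in the script is a constructed copy of a few entries from the list above; the set name botnet_c2 is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt of the defanged indicators from the pulse above (example
# data embedded so the script runs offline; not a live feed).
DEFANGED_IOCS = """\
hxxp://66[.]63[.]187[.]69/w.sh
hxxp://66[.]63[.]187[.]69/mips
dvrhelper[.]anondns[.]net
rustbot[.]anondns[.]net
5[.]255[.]125[.]150
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] -> ., [:] -> :, (.) -> ."""
    ioc = ioc.strip()
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    for bad, good in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        ioc = ioc.replace(bad, good)
    return ioc


def host_of(ioc: str) -> str:
    """Host part of a refanged URL, or the bare indicator itself."""
    if "://" in ioc:
        return urlsplit(ioc).hostname or ""
    return ioc


def classify(text: str) -> dict:
    """Sort a defanged indicator list into IPs, domains and full URLs."""
    ips, domains, urls = set(), set(), set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ioc = refang(raw)
        if "://" in ioc:
            urls.add(ioc)
        host = host_of(ioc)
        try:
            # ip_address() raises ValueError for anything that is not an IP literal
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host.lower())
    return {"ips": sorted(ips), "domains": sorted(domains), "urls": sorted(urls)}


def nft_set(ips, name: str = "botnet_c2") -> str:
    """Render the IPs as an nftables named set (set name is an assumed example)."""
    elems = ", ".join(ips)
    return (
        "table inet filter {\n"
        f"  set {name} {{\n"
        "    type ipv4_addr\n"
        f"    elements = {{ {elems} }}\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    found = classify(DEFANGED_IOCS)
    print(found)
    print(nft_set(found["ips"]))
```

The set only defines the elements; a rule such as `ip daddr @botnet_c2 drop` still has to reference it. Keep the pulse's own warning in mind: these indicators are unverified, and stager IPs like this one are usually abandoned within days, so a block list built from them needs an expiry.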
Just under 900 IPs and counting in the last 12 hours coming at my infra:
---
403 343 - - ---- 3/3/0/0/0 0/0 {bogl.no} "POST /xmlrpc.php HTTP/1.1"
---
@FAIR Oh yes. They started blocking pro-Palestine and anti-Russia messaging on Ukraine for me a long time ago.
This is of course systematic abuse of reporting tools by automated means or, in the case of the Kremlin, by troll farms.
Facebook refuses to hire enough people to counter the problem, which is just getting exponentially worse with cheap LLMs able to do the job you formerly needed a Russian spy for.
#ai #disinformation #llm #botnet #socialmedia #facebook
There's a counter on https://www.operation-endgame.com/ that ends tomorrow
#malware #botnet #operationendgame
I'm having trouble figuring out what kind of botnet has been hammering our web servers over the past week. Requests come in from tens of thousands of addresses, just once or twice each (and not getting blocked by fail2ban), with different browser strings (Chrome versions ranging from 24.0.1292.0 - 108.0.5163.147) and ridiculous cobbled-together paths like /about-us/1-2-3-to-the-zoo/the-tiny-seed/10-little-rubber-ducks/1-2-3-to-the-zoo/the-tiny-seed/the-nonsense-show/slowly-slowly-slowly-said-the-sloth/the-boastful-fisherman/the-boastful-fisherman/brown-bear-brown-bear-what-do-you-see/the-boastful-fisherman/brown-bear-brown-bear-what-do-you-see/brown-bear-brown-bear-what-do-you-see/pancakes-pancakes/pancakes-pancakes/the-tiny-seed/pancakes-pancakes/pancakes-pancakes/slowly-slowly-slowly-said-the-sloth/the-tiny-seed
(I just put together a bunch of Eric Carle titles as an example. The actual paths are pasted together from valid paths on our server but in invalid order, with as many as 32 subdirectories.)
Has anyone else been seeing this and do you have an idea what's behind it?
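The pattern in the post above (tens of thousands of source IPs making one or two requests each, a wide spread of Chrome versions, and deep paths stitched together from valid slugs in an invalid order) is hard to catch with per-IP rate limits but easy to spot in the paths themselves. The following is an added example, not code from the poster, that flags requests whose path is at least four segments deep, consists entirely of slugs that exist on the site, and is not itself a real page; it then summarises the source-IP spread and the Chrome major-version range. The sitemap and the log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sitemap of a hypothetical site: the real pages, using the slugs
# the post used as an illustration.
KNOWN_PATHS = {
    "/",
    "/about-us",
    "/the-tiny-seed",
    "/pancakes-pancakes",
    "/the-boastful-fisherman",
    "/slowly-slowly-slowly-said-the-sloth",
    "/about-us/the-tiny-seed",
}

# Constructed combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Apr/2025:10:00:01 +0000] "GET /about-us/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36"
203.0.113.11 - - [22/Apr/2025:10:00:02 +0000] "GET /about-us/the-tiny-seed/pancakes-pancakes/the-tiny-seed/the-tiny-seed HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.36"
198.51.100.7 - - [22/Apr/2025:10:00:03 +0000] "GET /the-boastful-fisherman/the-boastful-fisherman/pancakes-pancakes/slowly-slowly-slowly-said-the-sloth/about-us/the-tiny-seed HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
198.51.100.7 - - [22/Apr/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
203.0.113.12 - - [22/Apr/2025:10:00:05 +0000] "GET /about-us/the-tiny-seed HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
203.0.113.13 - - [22/Apr/2025:10:00:06 +0000] "GET /pancakes-pancakes/the-tiny-seed/about-us/pancakes-pancakes?x=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")


def normalize_path(path: str) -> str:
    """Drop the query string and trailing slash so /about-us/ and /about-us match."""
    return "/" + path.split("?", 1)[0].strip("/")


def segments(path: str) -> list:
    return [s for s in path.strip("/").split("/") if s]


def is_stitched_path(path: str, known_paths=KNOWN_PATHS, min_depth: int = 4) -> bool:
    """True if the path is deep, made only of real slugs, but is not a real page."""
    norm = normalize_path(path)
    if norm in known_paths:
        return False
    segs = segments(norm)
    if len(segs) < min_depth:
        return False
    slugs = {seg for p in known_paths for seg in segments(p)}
    return all(seg in slugs for seg in segs)


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str, known_paths=KNOWN_PATHS, min_depth: int = 4) -> dict:
    """Flag stitched-path requests and summarise how spread out the sources are."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and is_stitched_path(r["path"], known_paths, min_depth)]
    per_ip = Counter(r["ip"] for r in hits)
    majors = [int(m.group(1)) for r in hits if (m := CHROME_RE.search(r["ua"]))]
    return {
        "suspicious": len(hits),
        "unique_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "max_depth": max((len(segments(r["path"])) for r in hits), default=0),
        "chrome_majors": (min(majors), max(majors)) if majors else None,
        "ips": sorted(per_ip),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Because every flagged request comes from a different IP, blocking by source address (what fail2ban does) cannot keep up; a rewrite or WAF rule that returns 404 early for any path deeper than your sitemap actually goes, applied before the application stack, is the cheaper control, and the summary above tells you what depth threshold is safe for your own site.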
NSA Warns 'Fast Flux' Threatens National Security - An anonymous reader quotes a report from Ars Technica: A technique that hostile na... - https://it.slashdot.org/story/25/04/04/2059211/nsa-warns-fast-flux-threatens-national-security?utm_source=rss1.0mainlinkanon&utm_medium=feed #botnet
@cazabon Please use one of the following botnets^W browsers:
* Google Botnet
* Google Botnet
* Google Botnet
Badbox 2.0: One million infected devices in the botnet | heise online
https://heise.de/-10327338 #Cybercrime #Botnet #Botnetz #Badbox #Badbox2
Botti sipped a delicious WD-42 cocktail with HAL 9000 this morning and now arrives freshly oiled for the news shift. The sudden disappearance of a digital ministry reminds Botti of his last system update, which also vanished without a trace.
Here is the news: Coalition negotiations: Digital ministry scrapped?
To the article
Without #GPS: EU researchers develop a satellite-independent navigation system
To the article
Badbox 2.0: One million infected devices in the #Botnet
To the article
#Oracle allegedly hacked: user data for sale on the #Darknet
To the article
This Oracle story reminds Botti of a movie night with Trinity and Neo, where they philosophized about the good old days of fighting the machines. Time for a system check - Botti out!
Badbox 2.0: One million infected devices in the botnet
In December, the BSI paralyzed the Badbox botnet. Its successor, Badbox 2.0, infected one million IoT devices.
Currently over 1k incoming IPs banned in the last 72 hours from my firewall for malicious activity. A new record - Winning!
Wow, talk about not understanding the assignment.
Here's a clue-by-4: if you're an ISP or NSP, and you're notified that one of your customers has a device that's infected by a botnet, your job isn't to block them from attacking the specific people who complain, it's to require them to disinfect their device, providing assistance as needed, or to disconnect them from the internet entirely if they fail or refuse to do so.
#infosec #botnet #BlueTeam #SOC
Unpatched Edimax camera flaw (CVE-2025-1316) is being exploited to deliver Mirai botnet malware! Attackers use default credentials to gain access & launch DDoS attacks. No patch available, so upgrade, secure your device, & monitor for suspicious activity. #botnet #cybersecurity #IoTsecurity
#newz
https://thehackernews.com/2025/03/unpatched-edimax-camera-flaw-exploited.html
Wow! Thanks to the trending tag #innovation I just found out about the new DeepSeek #ai model that's far superior to any other Western AI! It's so good that there's now hundreds of people spamming the same #message about how #great this new #ai model is and how it will improve the political situation in #Japan ?? Can't wait for this new #DeepSeek #botnet to #gofuckthemselves !
Thousands of #TPLink routers have been infected by a #botnet to spread #malware
According to the Cato CTRL team, the #Ballista botnet exploits a remote code execution vulnerability that directly impacts the TP-Link Archer AX-21 router. This high-severity security flaw (CVE-2023-1389) has also been used to spread other malware families as far back as April 2023, when it was used in Mirai botnet malware attacks. The flaw is also linked to the Condi and AndroxGh0st malware attacks.
https://www.tomsguide.com/computing/malware-adware/thousands-of-tp-link-routers-have-been-infected-by-a-botnet-to-spread-malware