I’m a pentester and recently came across a new Mirai-based botnet called Gayfemboy (yes, the name sounds like a meme, but the threat is real). It’s currently infecting over 15,000 devices daily, mostly targeting routers and network gear from Cisco, TP-Link, DrayTek, and Raisecom.
What it does:
Launches DDoS attacks (UDP, TCP, ICMP) Mines Monero using XMRig Acts as a proxy for malicious traffic Installs backdoors and evades analysis (e.g., UPX header tampering, nanosecond delays)
Vulnerabilities exploited (At this moment):
CVE-2025-20281 (Cisco ISE) CVE-2023-1389 (TP-Link AX21) CVE-2020-8515 (DrayTek) CVE-2024-7120 (Raisecom MSG)
Mitigation ideas I’m testing:
Scanning client networks for vulnerable firmware Blocking known malicious domains and IPs at the firewall level Writing scripts to detect outbound traffic to those IOCs Recommending disabling remote admin access on routers I’d love to hear what others are doing to detect or contain this botnet. Has anyone seen it in enterprise environments? Any creative or effective mitigation strategies you’d recommend?
svgmaker•4mo ago
galaxy_gas•4mo ago
I dont know why its trying to mine crypto on a weak ARM router no way that gets far
garduno_AA•4mo ago
It’s a Mirai variant that infects routers (Cisco, TP-Link, etc.), does DDoS, mines crypto, proxies traffic, and drops backdoors. Spreads via known and zero-day vulns.