Cybersecurity researchers have uncovered a new botnet, identified as Zergeca, that is capable of conducting distributed denial-of-service (DDoS) attacks.
Written in Golang, the botnet is so named for its reference to the string "ootheca" present in the command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top").
"Functionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information," the QiAnXin XLab team said in a report.
Zergeca is also notable for using DNS-over-HTTPS (DoH) to perform Domain Name System (DNS) resolution of the C2 server, and for using a lesser-known library called Smux for C2 communications.
There is evidence to suggest that the operators are actively developing and updating the malware to support new commands. What's more, the C2 IP address 84.54.51[.]82 is said to have been previously used to distribute the Mirai botnet around September 2023.
As of April 29, 2025, the same IP address began to be used as a C2 server for the new botnet, raising the possibility that the threat actors "accumulated experience operating the Mirai botnets before developing Zergeca."
Attacks mounted by the botnet, mainly ACK flood DDoS attacks, have targeted Canada, Germany, and the U.S. between early and mid-June 2024.
Zergeca's functionality spans four distinct modules, namely persistence, proxy, silivaccine, and zombie. These respectively establish persistence by adding a system service, implement proxying, remove competing miner and backdoor malware to gain exclusive control over devices running the x86-64 CPU architecture, and handle the core botnet functions.
The zombie module is responsible for reporting sensitive information from the compromised device to the C2 and awaiting commands from the server; it supports six types of DDoS attacks, scanning, reverse shell, and other functions.
"The built-in competitor list shows familiarity with common Linux threats," XLab said. "Techniques like modified UPX packing, XOR encryption for sensitive strings, and using DoH to hide C2 resolution show a strong understanding of evasion tactics."
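As an added illustration of how an analyst can triage two of the evasion techniques quoted above (XOR-obscured strings and UPX packing with the standard markers removed), here is a small Python script; it is not code from the XLab report. The sample buffer and the XOR key are constructed, and the single-byte-key assumption is mine, not something the report states.

```python
"""Triage helpers for a suspected packed sample (added example, not from the report).

Assumptions: the string XOR uses a single-byte key (a simplification, not stated by
XLab), and the sample is available as a raw byte buffer.
"""
import math
from collections import Counter

# The string shared by both C2 domains named in the article.
KNOWN_STRINGS = [b"ootheca"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_standard_upx_markers(data: bytes) -> bool:
    """Stock UPX leaves these markers; a 'modified UPX' build typically strips them."""
    return any(m in data for m in (b"UPX!", b"UPX0", b"UPX1"))


def find_xor_strings(data: bytes, needles=KNOWN_STRINGS):
    """Locate needles hidden under any single-byte XOR key (key 0 finds plaintext)."""
    hits = []
    for key in range(256):
        for needle in needles:
            enc = bytes(b ^ key for b in needle)
            off = data.find(enc)
            while off != -1:
                hits.append((key, off, needle))
                off = data.find(enc, off + 1)
    return hits


def triage(data: bytes) -> dict:
    ent = shannon_entropy(data)
    standard = has_standard_upx_markers(data)
    return {
        "entropy": round(ent, 2),
        "standard_upx": standard,
        # High entropy without stock UPX markers is the signature of a modified packer.
        "suspect_modified_upx": ent > 7.0 and not standard,
        "xor_hits": find_xor_strings(data),
    }


# Constructed sample: 4 KiB of maximum-entropy filler with "ootheca" XOR 0x5A at offset 1000.
_buf = bytearray(bytes(range(256)) * 16)
_buf[1000:1007] = bytes(b ^ 0x5A for b in b"ootheca")
SAMPLE = bytes(_buf)
```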
Some parts of this article are sourced from:
thehackernews.com