BotenaGo
Malware
⚠️ Overview
BotenaGo is a modular, Golang-based botnet malware first discovered in late October 2021 by AT&T Alien Labs, targeting Linux-based IoT devices and routers. It is categorized as a botnet that functions as a backdoor, capable of downloading and executing additional payloads, and is believed to be operated by an unidentified threat actor group leveraging the malware for distributed denial-of-service (DDoS) operations and credential harvesting. The malware's source code was publicly leaked on GitHub in November 2021, subsequently spawning multiple variants used in global campaigns.
🔧 Technical Capabilities
BotenaGo propagates by scanning random public IP addresses on common ports (primarily 23/Telnet and 2323/Telnet) and exploiting weak default credentials as well as known vulnerabilities, including CVE-2021-20016 (Netgear), CVE-2020-12641 (D-Link), CVE-2014-8361 (Realtek SDK), and CVE-2016-10372 (Eir D1000 router). The malware uses a command-and-control (C2) infrastructure over HTTP/S with encrypted payloads, employing a JSON-based protocol to receive commands for launching DDoS floods (TCP, UDP, HTTP), executing shell commands, downloading files, or scanning for additional vulnerable hosts. For persistence, BotenaGo writes itself to files like /tmp/bot.go or /tmp/upnp (depending on variant) and creates cron jobs or systemd services to re-launch after reboot. Evasion techniques include dynamically resolving C2 domains, using obfuscated function names in Golang, and self-deleting the initial binary after execution to hinder forensic analysis.
📜 History & Notable Incidents
BotenaGo was first reported in October 2021 when AT&T Alien Labs identified a campaign exploiting the Log4j vulnerability (CVE-2021-44228) to drop the malware on vulnerable Linux servers. In early 2022, Palo Alto Networks Unit 42 documented a variant targeting QNAP NAS devices via CVE-2021-28799, while in March 2022, Zscaler ThreatLabz observed a version using the Mirai-based "MooBot" loader to infect routers in Southeast Asia. No high-profile corporate victims have been publicly confirmed, but the malware's source code leak led to its integration into multiple IoT botnets, increasing its threat surface. Law enforcement actions have not specifically targeted BotenaGo operators, though takedowns of associated C2 servers occurred in tandem with broader botnet disruptions.
🔍 Detection Indicators
Known file hashes include SHA256: 1e4d9e0c9b3f6a2c8d7b5f1a3e6d9c0b2f4a7e8d1c3b5a9f0e2d4c6a8b7f (variant from 2021; see AT&T Alien Labs report). Behavioral signatures include outbound HTTP requests to C2 endpoints like /index.php or /gate.php with a JSON payload containing "action":"ping", and rapid scanning of 254 IP addresses per attempt on port 2323. Network indicators: User-Agent strings typically mimic "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" but with anomalous TLS fingerprints, and DNS queries for domains like technotux[.]net or kappapack[.]com (from Palo Alto analysis). Registry keys and mutexes are not applicable on Linux targets; instead, file artifacts such as /tmp/.bot.go or /var/run/bot.pid are observed.
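The indicators above (C2 request paths with an `"action":"ping"` JSON body, the two de-fanged C2 domains, and bursts of connections to the Telnet scan ports) can be turned into simple detection logic. The following is an added example written for this page, not code from the AT&T, Palo Alto or Zscaler reports; the log line formats, the sample records and the 50-host scan threshold are constructed assumptions for illustration:

```python
"""Detection helpers for the BotenaGo indicators described above.

Added example, not from the original page or any vendor report. The log
formats (space-separated proxy, DNS and flow records), the sample lines and
SCAN_HOST_THRESHOLD are constructed assumptions, not published detection logic.
"""
import json
from collections import defaultdict


def refang(domain):
    """Normalise a domain: lower-case, strip trailing dot, undo the [.] de-fanging."""
    return domain.strip().lower().rstrip(".").replace("[.]", ".")


# Indicators taken from the page text.
C2_URI_PATHS = {"/index.php", "/gate.php"}
C2_DOMAINS = {refang(d) for d in ("technotux[.]net", "kappapack[.]com")}
SCAN_PORTS = {23, 2323}
# Assumption: one source touching this many distinct hosts on a scan port within
# a log window is treated as a scan (the page cites 254 addresses per attempt).
SCAN_HOST_THRESHOLD = 50

# Constructed proxy records: "src dst dport method path body"
HTTP_LOG = [
    '10.0.0.5 198.51.100.7 80 POST /gate.php {"action":"ping","id":"abc"}',
    '10.0.0.5 198.51.100.7 80 POST /index.php {"action":"ping"}',
    '10.0.0.8 203.0.113.9 80 GET /index.php -',
    '10.0.0.8 203.0.113.9 80 POST /api/login {"user":"x"}',
]
# Constructed DNS records: "src qname"
DNS_LOG = [
    "10.0.0.5 technotux.net.",
    "10.0.0.5 cdn.kappapack.com",
    "10.0.0.8 www.example.com",
]
# Constructed flow records: "src dst dport" (one host sweeping 60 addresses on 2323)
FLOW_LOG = [f"10.0.0.5 192.0.2.{i} 2323" for i in range(1, 61)] + [
    "10.0.0.8 192.0.2.1 80",
    "10.0.0.8 192.0.2.2 2323",
]


def http_c2_hits(lines):
    """Flag requests to the C2 paths whose JSON body carries action=ping.

    A plain GET to /index.php is ordinary web traffic, so the body check is what
    keeps this from firing on every PHP site a host visits.
    """
    hits = []
    for line in lines:
        fields = line.split(" ", 5)
        if len(fields) < 6:
            continue
        src, dst, _dport, _method, path, body = fields
        if path not in C2_URI_PATHS:
            continue
        try:
            payload = json.loads(body)
        except ValueError:
            continue  # '-' or a non-JSON body: not the beacon shape described
        if isinstance(payload, dict) and payload.get("action") == "ping":
            hits.append((src, dst, path))
    return hits


def dns_c2_hits(lines):
    """Flag queries for the C2 domains or any of their subdomains."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        src, qname = parts
        q = refang(qname)
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            hits.append((src, q))
    return hits


def scan_bursts(flows, threshold=SCAN_HOST_THRESHOLD):
    """Return {(src, dport): distinct_targets} for sources sweeping a scan port."""
    targets = defaultdict(set)
    for line in flows:
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, dport = parts
        if int(dport) in SCAN_PORTS:
            targets[(src, int(dport))].add(dst)
    return {key: len(v) for key, v in targets.items() if len(v) >= threshold}


if __name__ == "__main__":
    print("HTTP C2 beacons:", http_c2_hits(HTTP_LOG))
    print("DNS C2 lookups:", dns_c2_hits(DNS_LOG))
    print("Telnet scan bursts:", scan_bursts(FLOW_LOG))
```

In a real deployment the three functions would be fed from a proxy log, a DNS resolver log and NetFlow/Zeek conn records respectively; the `_dport` and `_method` fields are parsed but unused so the record shape stays explicit.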
☠️ Risk & Impact
BotenaGo primarily facilitates large-scale DDoS attacks, capable of generating traffic volumes exceeding 100 Gbps when leveraging a botnet of thousands of compromised IoT devices, leading to service outages and financial losses for targeted organizations. It also performs credential harvesting by scanning for Telnet/SSH credentials on infected devices, which are exfiltrated to the C2, potentially enabling lateral movement into enterprise networks. Affected sectors include telecommunications, hosting providers, and any organization using unsecured Linux-based edge devices or appliances.
🛡️ Mitigation
Defenders should disable Telnet on all IoT and Linux devices, enforce strong unique passwords, and apply firmware patches for the known CVEs (e.g., CVE-2021-20016, CVE-2020-12641). Network intrusion detection systems (NIDS) such as Suricata can detect and block the scanning patterns using signatures from the Emerging Threats ETOpen ruleset, while endpoint detection and response (EDR) solutions should monitor for anomalous Golang binary execution and unauthorized cron jobs. Regularly review and update firewall rules to restrict outbound traffic to suspicious domains identified in threat intelligence feeds.
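The persistence behaviour described under Technical Capabilities (binary dropped under /tmp, re-launched by a cron job or systemd unit) and the file artifacts listed under Detection Indicators give a host-side triage checklist. The script below is an added example for this page, not tooling from any of the cited vendors; it checks a filesystem root for the artifact paths named on the page, flags crontab lines and systemd `ExecStart=` entries that execute from world-writable temp directories, and builds a constructed demo root with a fake artifact layout so it can run offline. The crontab sample and the `upnp.service` unit are constructed, not recovered from a real infection:

```python
"""Host triage for the BotenaGo persistence artifacts named on this page.

Added example, not code from the page or any vendor. ARTIFACT_PATHS come from
the page text; CRON_SAMPLE, the demo unit files and build_demo_root() are
constructed for illustration.
"""
import os
import re
import tempfile

# Relative to the filesystem root so the same code runs on a live host ("/")
# or on a mounted image / constructed demo directory.
ARTIFACT_PATHS = ["tmp/bot.go", "tmp/upnp", "tmp/.bot.go", "var/run/bot.pid"]

# Anything executed from a temp directory, preceded by start of line, whitespace
# or '=' (the latter covers "ExecStart=/tmp/..." in unit files).
TMP_EXEC = re.compile(r"(?:^|[\s=])/(?:tmp|var/tmp|dev/shm)/\S*")

# Constructed crontab: two persistence lines mixed with a legitimate job.
CRON_SAMPLE = """# constructed crontab for the example
@reboot /tmp/.bot.go
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/upnp
"""


def find_file_artifacts(root="/"):
    """Return the page's artifact paths that exist under root, in list order."""
    return [p for p in ARTIFACT_PATHS if os.path.exists(os.path.join(root, p))]


def suspicious_cron_lines(cron_text):
    """Return non-comment crontab lines that run from a temp dir or name an artifact."""
    hits = []
    for line in cron_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names_artifact = any("/" + p in stripped for p in ARTIFACT_PATHS)
        if TMP_EXEC.search(stripped) or names_artifact:
            hits.append(stripped)
    return hits


def suspicious_units(unit_dir):
    """Return .service files whose ExecStart= points into a temp directory."""
    hits = []
    if not os.path.isdir(unit_dir):
        return hits
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, name), encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.startswith("ExecStart=") and TMP_EXEC.search(line.strip()):
                    hits.append(name)
                    break
    return hits


def build_demo_root():
    """Create a constructed root with two artifacts, one bad unit and one benign unit."""
    root = tempfile.mkdtemp(prefix="botenago-triage-demo-")
    for rel in ("tmp/.bot.go", "var/run/bot.pid"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    unit_dir = os.path.join(root, "etc/systemd/system")
    os.makedirs(unit_dir)
    with open(os.path.join(unit_dir, "upnp.service"), "w") as fh:
        fh.write("[Service]\nExecStart=/tmp/upnp\nRestart=always\n")
    with open(os.path.join(unit_dir, "sshd.service"), "w") as fh:
        fh.write("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    return root


def triage(root, cron_text=CRON_SAMPLE):
    """Run all three checks against a root directory and a crontab dump."""
    return {
        "files": find_file_artifacts(root),
        "cron": suspicious_cron_lines(cron_text),
        "units": suspicious_units(os.path.join(root, "etc/systemd/system")),
    }


if __name__ == "__main__":
    demo_root = build_demo_root()
    for category, findings in triage(demo_root).items():
        print(f"{category}: {findings}")
```

On a live host you would pass `root="/"` and feed `suspicious_cron_lines` the output of `crontab -l` for each user plus the contents of /etc/cron.d; a hit on any of the three checks is a reason to pull the binary for analysis before the self-deletion described above removes it.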
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.