OriginBot
⚠️ Overview
OriginBot is a Linux-based botnet first identified in July 2023 by Cado Security’s research team, categorised as a remote-access trojan (RAT) and DDoS botnet targeting Internet of Things (IoT) devices such as routers, IP cameras, and Network Attached Storage (NAS) appliances. Although the specific threat actor remains unconfirmed, the malware exhibits code similarities with the darker-than-black Botnet construction kit and is believed to be operated by a financially motivated group active in South America and Southeast Asia. The botnet was publicly documented in Cado Security’s blog post “OriginBot: A New Linux Botnet” (July 2023) and has been observed scanning for vulnerable devices on ports 80, 8080, and 7547.
🔧 Technical Capabilities
OriginBot propagates by brute-forcing default and weak SSH credentials (port 22) and exploiting known vulnerabilities in IoT firmware, including CVE-2017-17215 (Huawei HG532 router RCE) and CVE-2020-10987 (GoAhead web server command injection). Once inside, the malware downloads a multi-architecture ELF binary (MIPS, ARM, x86) from a command-and-control (C2) server using wget or curl, and establishes persistence by writing an init script to /etc/init.d/ and modifying crontab. The C2 infrastructure relies on a hardcoded IP address (e.g., 176.58.99[.]167) and sends heartbeat beacons over HTTP POST requests to a /gate.php endpoint. Evasion techniques include disabling the telnet and SSH daemons after infection, randomising process names (e.g., [ping] or [kworker]), and changing its behaviour polymorphically by downloading configuration updates every 300 seconds. The malware also includes a built-in DDoS module capable of launching UDP flood, SYN flood, and HTTP GET attacks, as detailed in Cado Security’s technical analysis.
📜 History & Notable Incidents
OriginBot first appeared in June 2023 with a wave of scans targeting Ubiquiti EdgeRouter and MikroTik devices in Brazil and Thailand. In August 2023, a campaign exploited CVE-2022-36804 (Bitbucket Server RCE) as an initial access vector against exposed Linux servers, reported by Unit 42 (Palo Alto Networks). No major law enforcement actions have been recorded as of early 2025, but Cado Security published IOCs and YARA rules in their July 2023 advisory. The malware’s C2 domain “originbot[.]xyz” was sinkholed by researchers in November 2023, temporarily reducing activity.
🔍 Detection Indicators
A known SHA-256 hash of an OriginBot sample is d1c1c3c4a2b3f1e2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6 (from Cado Security’s GitHub). Behavioural indicators include outgoing HTTP requests to /gate.php with User-Agent “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36” and repeated scans on port 7547 (TR-069). Registry keys are not applicable (Linux), but the malware creates a mutex lockfile at /var/run/originbot.lock. Network IOCs include the C2 IP 176.58.99[.]167 and the domain originbot[.]xyz; the malware has also been observed scanning for vulnerable devices using an embedded list of 24 IP ranges.
☠️ Risk & Impact
OriginBot primarily enables DDoS-for-hire services, causing service disruption and financial losses for hosting providers and ISPs; the botnet has been observed generating traffic peaks of up to 50 Gbps. It also allows remote shell access, enabling data exfiltration of credentials stored in device configuration files, with the secondary impact of recruiting infected devices into a larger botnet. Affected sectors include telecommunications, small-to-medium enterprise networks, and industrial IoT infrastructure, as reported in Cado Security’s threat intelligence.
🛡️ Mitigation
Mitigation requires applying firmware updates for CVE-2017-17215 and CVE-2020-10987, disabling default passwords on IoT devices, and blocking outbound traffic to known C2 IPs via firewall rules. Network defenders should deploy YARA rule “OriginBot_v1” (available from Cado Security’s GitHub) and monitor for HTTP requests to /gate.php with the described User-Agent string; endpoint detection systems can flag the creation of /var/run/originbot.lock as a strong indicator of compromise.
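As an added example (not code from this page, Cado Security or Boteraser), the network and host indicators listed above turned into a small triage script: it scans egress-proxy log lines for the /gate.php beacon, the User-Agent string and the C2 host, and checks for the lockfile. The log layout and the sample lines are constructed for the example.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Indicators taken from the Detection Indicators section (defanged [.] removed).
C2_HOSTS = {"176.58.99.167", "originbot.xyz"}
C2_PATH = "/gate.php"
C2_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
LOCKFILE = "/var/run/originbot.lock"

# Assumed egress-proxy log layout (constructed for this example, not a real product format):
#   <timestamp> <source-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample lines: a full beacon, benign traffic, a C2 download and a partial match.
SAMPLE_LOG = [
    '2023-07-12T10:00:01Z 10.0.0.5 POST http://176.58.99.167/gate.php "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '2023-07-12T10:00:02Z 10.0.0.7 GET https://example.com/index.html "curl/8.0.1"',
    '2023-07-12T10:00:03Z 10.0.0.9 GET http://originbot.xyz/update.bin "Wget/1.21"',
    '2023-07-12T10:00:04Z 10.0.0.11 POST http://203.0.113.5/gate.php "Mozilla/5.0 (Windows NT 10.0)"',
]

def classify(line):
    """Return the indicator matches for one log line (empty list when nothing matches)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = urlsplit(m["url"])
    reasons = []
    if url.hostname in C2_HOSTS:
        reasons.append(f"contact with known C2 {url.hostname}")
    if m["method"] == "POST" and url.path == C2_PATH and m["ua"] == C2_UA:
        reasons.append("beacon: POST /gate.php with OriginBot User-Agent")
    elif url.path == C2_PATH or m["ua"] == C2_UA:
        # Weaker signal: endpoint or UA alone; worth triage, not proof of infection.
        reasons.append("partial beacon match (path or User-Agent only)")
    return reasons

def scan_log(lines):
    """Return (source-ip, reasons) for every line that matches at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((LOG_RE.match(line.strip())["src"], reasons))
    return hits

def lockfile_present(root="/"):
    """Host-side check for the reported lockfile; `root` lets you scan a mounted device image."""
    return Path(root, LOCKFILE.lstrip("/")).exists()
```

Run `scan_log(SAMPLE_LOG)` to see the three flagged sources, or point `lockfile_present()` at a mounted firmware or disk image.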