Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem

Pierluigi Paganini February 09, 2019

Cayosin Botnet: a deeper look at this threat, supported by a psychological profile of the "youngster wannabe hacker" Rolex boasters


Money, the botnet-as-a-service business and coding on the dark side of life: "At this point of my life… if it doesn't make me money, I don't make time for it", states the threat actor in the picture below.

Elsewhere the same threat actor makes an even more blatant statement, in a sentence that reads roughly: "I am not scared by the death, I am scared more to not live a pleasant life."

[Image: the threat actor's Instagram post. Image downloaded by Odisseus from the Instagram profile of the threat actor]

This is the "new" motto of these youngster wannabe hackers: botnet providers, sellers, coders and "boaters" driving through the night with a laptop always connected at their side. In the imaginary world of a teenager, the adult world becomes a violent jungle dominated by the dark colors of a delirium of omnipotence. Botnets, packet flooding, bots, attack power: "I don't care how many and what bots I have, all I care is only to have stable stress power".

It is in this psychedelic context that the Cayosin botnet saw the light and, for the first time, was reversed and analyzed (the report is here) by "unixfreaxjp" of the MalwareMustDie team.

The analysis is expert and clear: the reversed samples carry traces of many different attack routines, which point back to a collection of different source codes.

One of them is the Layer 7 (HTTP) attack shown in the picture below, which documents how this kind of malware can evade anti-DDoS services such as Cloudflare.

[Image: the Layer 7 (HTTP) attack routine from the Cayosin binary analysis]

From unixfreaxjp's analysis of the Cayosin binary we can see that the core of the artifact is the "integration" of different botnet source codes, as is also well documented in the now-deleted Instagram profile of the 13-year-old scriptbots/unholdable, who implemented this botnet. The STD attack, Tsunami and Christmas (Xmas) DDoS attacks were adapted from the Kaiten botnet, along with further flood combinations taken from Qbot/Lizkebab/Torlus/Gafgyt variants: multiple attack methods, integrating multiple source codes in the same artifact, provided "as a service" to other teens or threat actors and sold offhandedly on Instagram. From the Mirai source code Cayosin took the table scheme used to hide strings, among them the credentials the botnet uses to log in to vulnerable telnet accounts on known IoT devices, along with other Mirai functionality. Obviously the coder did not update the C2 much, which explains why the base protocol of the botnet is still built on the Qbot/Torlus basis.

A ready-to-use botnet build sold for $20 a month, "full options", with an expiry token and functionality to ban the users who didn't renew their expired "licence".

The combination of capabilities in the botnet has also been well documented by the PERCH Security Threat Report, whose analysis confirms the mix of functionality used in Cayosin and adds a deeper OSINT investigation of the threat's source.
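The string table Cayosin inherited from Mirai deserves a closer look, because undoing it is the first thing an analyst has to do to read the credential list out of a sample. The decoder below is an added example written for this article; it is not code from the Cayosin binary, from the MalwareMustDie report or from PERCH. It mirrors the behaviour of the public Mirai table.c/toggle_obf routine, in which every byte of every entry is XORed in turn with the four bytes of the 32-bit key 0xDEADBEEF, which collapses to a single-byte XOR with 0x22. Because derivatives usually keep the scheme but change the key, the example also recovers an unknown key from an obfuscated blob by scoring candidate keys against tokens one expects in a telnet credential list. The sample blob, its key 0x37 and the token list are constructed for the example.

```python
"""Decoder for the Mirai-style obfuscated string table (added example).

Mirai's table.c keeps every string XOR-encoded with the 32-bit key
0xDEADBEEF, applied byte by byte: each byte is XORed with all four key
bytes one after the other.  XOR-ing with 0xEF, 0xBE, 0xAD and 0xDE in
sequence equals XOR-ing once with 0xEF ^ 0xBE ^ 0xAD ^ 0xDE = 0x22, so the
whole scheme is a single-byte XOR.  Derivatives tend to change the key,
hence the brute-force recovery below.
"""

MIRAI_TABLE_KEY = 0xDEADBEEF


def effective_key(table_key: int) -> int:
    """Collapse Mirai's four successive byte XORs into one key byte."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k  # 0x22 for 0xDEADBEEF


def toggle_obf(data: bytes, table_key: int = MIRAI_TABLE_KEY) -> bytes:
    """Mirai's toggle_obf(): the same call both encodes and decodes."""
    k = effective_key(table_key)
    return bytes(b ^ k for b in data)


def split_table(blob: bytes, key_byte: int) -> list:
    """Decode a blob of NUL-terminated obfuscated entries into strings."""
    plain = bytes(b ^ key_byte for b in blob)
    return [e.decode("latin-1") for e in plain.split(b"\x00") if e]


# Tokens an analyst expects in an IoT telnet credential list (assumption).
KNOWN_TOKENS = (b"root", b"admin", b"1234", b"default", b"support")


def recover_key(blob: bytes) -> int:
    """Brute-force the single XOR byte: the candidate whose decoding contains
    the most expected tokens wins; printable-byte count breaks ties."""
    best_key, best_score = 0, -1
    for k in range(256):
        plain = bytes(b ^ k for b in blob)
        printable = sum(1 for b in plain if b == 0 or 0x20 <= b < 0x7F)
        hits = sum(plain.count(tok) for tok in KNOWN_TOKENS)
        score = hits * 100 + printable
        if score > best_score:
            best_key, best_score = k, score
    return best_key


# CONSTRUCTED sample: a short credential list encoded with a non-Mirai key
# (0x37), the way a derivative might ship it.  Not taken from any binary.
SAMPLE_KEY = 0x37
SAMPLE_PLAIN = b"root\x00xc3511\x00admin\x00admin1234\x00support\x00support\x00"
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAIN)

if __name__ == "__main__":
    print("stock Mirai key byte:", hex(effective_key(MIRAI_TABLE_KEY)))
    key = recover_key(SAMPLE_BLOB)
    print("recovered key byte:", hex(key))
    print("decoded entries:", split_table(SAMPLE_BLOB, key))
```

Running the script prints 0x22 for the stock Mirai key, then the recovered key and the decoded entries of the constructed blob. The scoring is deliberately crude (token hits first, printable-byte count as tie-breaker); against a real sample one feeds it the bytes passed to the table's add_entry calls rather than a hand-made blob, and extends the token list with whatever strings the variant is known to carry.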

The PERCH report states: "Cayosin largely recycles exploits utilized by other botnets, like Mirai, though the injections reference", like the GPON attack that was documented on the crew's Instagram profile, so openly that an external observer could easily follow the day-by-day discovery of new exploits and methods, which were then implemented in the malware to enrich the harmful capabilities of the new "product".

They candidly state it in their Instagram Stories: "New Methods, DM me if you want to know more."

[Image: the crew's Instagram Stories. Image downloaded by Odisseus from the Instagram profile of the threat actor]

PERCH understood this well; in fact it writes: "This is not the team's first tool. They have created a few along the way like Summit, Tragic, and about a dozen others. You can learn more about these tools by following the various Instagram accounts of the crew. They seem interested in building tools to DDoS and boast about taking down services with OVH, Choopa, NFO – and if the hype is real, maybe even Rocket League servers."

At this point it cannot be excluded that Cayosin is only the evolution of many other botnets made by the same threat actor (or crew), and in particular of the botnet named Messiah. Below is the advertisement for the Messiah botnet, whose features recall Cayosin's capabilities. Check the following exclusive image:

  • Features: Admin of accounts, Add user commands, Kick user commands, Full chat, Online user list, Bot limits for account, Full bot type list, Port Scanner and Resolver
  • Methods: Reg UDP, Reg TCP, STD Hex, CNC Flood, Stomp Flood, Xmas and VSE
  • Replication Exploits: GPON, Telnet, Realtek, Tr064, Huawei
[Image: the Messiah botnet advertisement. Image downloaded by Odisseus from the Instagram profile of the threat actor]
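The method list in the advertisement above is the menu a "boater" picks from; on the defender's side the question is what those methods look like on the wire. The script below is an added example, not code from the page, from the botnet or from the MalwareMustDie/PERCH reports, and it runs over a constructed packet capture rather than real traffic. The signatures are assumptions based on the public Mirai and Kaiten code bases: a VSE flood sends the Source Engine A2S_INFO query (four 0xFF bytes followed by "TSource Engine Query") as UDP payload, and an Xmas flood sends TCP segments with FIN, PSH and URG all set. "Reg UDP", "Reg TCP", STD, Stomp and CNC floods carry no fixed payload signature here and are only caught by the per-destination rate check. Addresses come from the RFC 5737 documentation ranges.

```python
"""Classify and rate-detect the flood types advertised for Messiah/Cayosin
(added example over constructed traffic)."""
from collections import Counter, defaultdict

# TCP flag bits as they appear in the header's flags byte.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_MASK = TCP_FIN | TCP_PSH | TCP_URG            # assumption: Kaiten-style "Xmas"
VSE_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"   # Source Engine A2S_INFO


def classify_packet(proto: str, flags: int, payload: bytes) -> str:
    """Name the flood method a single packet fits best."""
    if proto == "udp" and payload.startswith(VSE_QUERY):
        return "vse"
    if proto == "tcp" and flags & XMAS_MASK == XMAS_MASK:
        return "xmas"
    if proto == "udp":
        return "udp"      # plain "Reg UDP" / STD-style payload floods
    if proto == "tcp":
        return "tcp"      # plain "Reg TCP" / Stomp-style floods
    return "other"


def detect_floods(packets, window_s: float = 1.0, threshold: int = 50) -> dict:
    """packets: iterable of (timestamp, src, dst, proto, flags, payload).
    Returns {(dst, method): peak packets per window} for every (dst, method)
    whose busiest window reached the threshold."""
    buckets = defaultdict(Counter)   # (dst, method) -> {window index: count}
    for ts, _src, dst, proto, flags, payload in packets:
        method = classify_packet(proto, flags, payload)
        buckets[(dst, method)][int(ts // window_s)] += 1
    alerts = {}
    for key, per_window in buckets.items():
        peak = max(per_window.values())
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def build_sample() -> list:
    """CONSTRUCTED capture: a VSE flood and an Xmas flood against one host
    from 50 spoofed sources, plus a little benign TCP traffic."""
    victim = "203.0.113.5"
    pkts = []
    for i in range(200):   # 200 VSE packets inside the first second
        pkts.append((i * 0.004, f"198.51.100.{i % 50 + 1}", victim, "udp", 0, VSE_QUERY))
    for i in range(60):    # 60 Xmas packets inside the first second
        pkts.append((i * 0.01, f"198.51.100.{i % 50 + 1}", victim, "tcp", XMAS_MASK, b""))
    for i in range(5):     # a handful of ordinary SYN/ACK segments
        pkts.append((i * 0.2, "192.0.2.10", victim, "tcp", TCP_SYN | TCP_ACK, b""))
    return pkts


if __name__ == "__main__":
    for (dst, method), peak in sorted(detect_floods(build_sample()).items()):
        print(f"{dst} {method:5s} peak {peak} pkt/s")
```

With the constructed capture the script reports the VSE and Xmas floods against 203.0.113.5 and stays silent on the five benign segments. In practice the tuples would come from a pcap parser, the threshold would be set per service (a game server legitimately receives A2S_INFO queries, just not hundreds per second from dozens of sources), and the per-destination counter would be complemented by a per-source one to tell a spoofed flood from a single noisy client.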

What we learn from the evolution of botnets is the adaptation of source code: once one bad-actor coder implements something different and other coders find it useful, they adopt the capability by merging source codes. Each coder and botnet provider races against the others to present their botnet technology as the better one, to attract the market: youngsters and actors interested in renting the best service.

The conclusion is given by the MalwareMustDie team, the group we all know for their years of struggle against botnet coders, in a public tweet showing how this situation can be summarized by a simple fact: "Money". "The veteran DDoS botnet hackers are facilitating frameworks for surviving the DDoS ELF IoT botnet as the income engine: from coordination with each type of coder, linking DDoS-as-a-Service sites (known as stressers or bruters) to providing the botnet control via API, then supplying infrastructure, assisting the newbies with setups; with all this effort these veterans are urging and provoking green and young actors to do their own botnets. The money scheme follows in these processes by first taking these youngsters' "weekly allowance", then getting merit from the botnets used by the rented "boaters", till making profits from cuts taken case by case with the arrangement of the API used for the bruter/stresser platforms for the attackers that pay the service for DDoS."

In the end, this is all about the money circulation scheme that fuels the existence of IoT botnets, their coders and the stressers behind them. Disrupting this money flow may give us a chance to disrupt this badness strongly enough to force the scheme into discontinuation.

Additional glossary:
*) boaters: those who use a rented botnet
*) herders: those who herd (operate) botnets
*) stressers or bruters: the front ends of DDoS-as-a-Service sites

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

unixfreaxjp, team leader of the MalwareMustDie team.


Pierluigi Paganini

(SecurityAffairs – Cayosin Botnet, cybercrime)
