• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Internet of Things
  • Malware
  • New Gafgyt botnet targets Gaming Servers

New Gafgyt botnet targets Gaming Servers

Pierluigi Paganini November 03, 2019

Palo Alto Networks discovered a new version of Gafgyt botnet composed of Home & Small Office Wireless routers used to attack gaming servers.

Palo Alto Networks researchers discovered a new version of Gafgyt botnet targeting home & small office wireless routers, including Zyxel and Huawei routers, as well as devices with Realtek RTL81xx chipset.

According to the experts, crooks are using the botnet for DoS attacks against servers running the Valve Source engine.

The new version of the Gafgyt botnet exploits three known remote code execution vulnerabilities affecting the targeted devices.

Gafgyt is a popular choice for launching large-scale DDoS attacks and it has been around since 2014, the latest variant borrows the code from the JenX botnet.

“In September 2019, during the proactive IoT threat-hunting process conducted daily by the Unit 42 (formerly Zingbox security research) team, we discovered an updated Gafgyt variant attempting to infect IoT devices; specifically small office/home wireless routers of known commercial brands like Zyxel, Huawei, and Realtek.” reads the analysis published by PaloAlto Networks. “This Gafgyt variant is a competing botnet to the JenX botnet, which also uses remote code execution exploits to gain access and recruit routers into botnets to attack gaming servers – most notably those running the Valve Source engine – and cause a Denial of Service (DoS).”

Experts from Palo Alto Networks’ Unit 42 pointed out that two of the three exploits included in the new variant of the Gafgyt were also present in JenX:

  • CVE-2017-18368​ – ZYXEL P660HN-T1A – new in Gafgyt
  • CVE-2017-17215​ – Huawei HG532 – also used by JenX
  • CVE-2014-8361​ – Realtek RTL81XX chipset – also used by JenX

Al the flaws are old, this means that attackers aim at infecting unpatched IoT devices.

Querying the Shodan search engine for vulnerable devices experts obtained 32,000 results.

The new Gafgyt variant can run multiple types of DoS attacks concurrently, one of which dubbed VSE leverages a payload to attack game servers running the Valve Source Engine.

“This payload is widely used to cause a Distributed reflection Denial of Service (DrDoS), which involves multiple victim machines that unwittingly participate in a DDoS attack.” continues the analysis. “The Source Engine Query is part of routine communications between clients and game servers using Valve software protocols. Requests to victim host machines are redirected, or reflected, from the victim hosts to the target. As a consequence, they also elicit an amplified amount of attack traffic, causing a DoS on the target host.”

Experts discovered that the new Gafgyt bot also attempt to deactivate any competing bot installed on the target machine by searching for binary names and keywords associated with other IoT bots, including Mirai, JenX, Hakai, Miori, and Satori.

Experts also provided some data related to hit-and-run DDoS services available online and advertised on social media platforms like Instagram.

The price ranges between $8 and $150 USD.

Gafgyt botnet

“Wireless routers are widely used in all industries, making them common targets of these types of attacks and we’re constantly looking for new malware against which we can protect our customers. The diversity of hosts attacked by IoT botnets is wider than before and gaming servers have become a popular target. Likewise, common malware marketplaces used to be more underground like the dark web and underground forums, but now malware is being sold on social networks.” concludes the analysis. “Malware samples and DoS attack codes are easily available to anybody, and they can launch massive attacks for a few dollars without much if any previous technical knowledge.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Gafgyt botnet, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

botnet Gafgyt botnet Hacking IoT Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 09, 2025
Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates
Read more
Pierluigi Paganini July 09, 2025
Hackers weaponize Shellter red teaming tool to spread infostealers
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

    Malware / July 09, 2025

    Hackers weaponize Shellter red teaming tool to spread infostealers

    Malware / July 09, 2025

    Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

    Security / July 08, 2025

    Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

    Intelligence / July 08, 2025

    U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

    Hacking / July 08, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT