
Enemybot Botnet Now Exploiting CMS, Web Server and Android Flaws


A new distributed denial-of-service botnet has been detected in the wild.

Update. According to new research released by AT&T, EnemyBot is now quickly adopting “one-day vulnerabilities as part of its exploitation capabilities.” Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, and PHP Scriptcase, as well as IoT and Android devices, are also being targeted in these new campaigns. More specifically, the latest variant includes a webscan function that contains 24 exploits to attack vulnerabilities in the aforementioned devices and web servers.

Meet EnemyBot

Dubbed EnemyBot and disclosed by FortiGuard Labs researchers, the botnet has a critical impact on specific devices, including Seowon Intech and D-Link routers, and it also exploits a recently reported iRZ router vulnerability to infect more devices. Researchers say it has been derived from Gafgyt’s source code and has borrowed several modules from Mirai’s original source code. EnemyBot has been attributed to Keksec, a threat group that specializes in cryptomining and DDoS attacks.

EnemyBot Technical Details

Like most botnets, this one also infects multiple architectures to increase its chances of infecting more devices. In addition to IoT devices, Enemybot also targets desktop and server architectures such as BSD, including Darwin (macOS), and x64, the FortiGuard report said.

Here’s a list of the architectures the botnet targets:



EnemyBot obfuscates its strings in several ways:

The C2 domain uses XOR encoding with a multi-byte key
Credentials for SSH brute-forcing and bot killer keywords use Mirai-style encoding, i.e., single-byte XOR encoding with 0x22
Commands are encrypted with a substitution cipher, i.e., swapping one character for another
Some strings are encoded by just adding three to the numeric value of each character

Even though these techniques are simple, they are effective enough to hide indicators of the malware's presence from analysis. As a matter of fact, most IoT and DDoS botnets are designed to locate such indicators so that they can terminate other botnets running on the same device.
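For analysts, these encodings can be undone by searching a sample for the encoded form of strings they already expect to see. The following is an added example, not code from the FortiGuard or AT&T reports: the watch list, the multi-byte key and the sample bytes are constructed for illustration, and the substitution cipher is left out because the article does not give its table.

```python
"""Added example: locate strings hidden with the encodings listed above."""

def xor1(s: bytes, key: int = 0x22) -> bytes:
    # Mirai-style single-byte XOR; 0x22 is the value given in the article.
    return bytes(b ^ key for b in s)

def add3(s: bytes) -> bytes:
    # "Adding three to the numeric value of each character".
    return bytes((b + 3) & 0xFF for b in s)

def xor_multi(s: bytes, key: bytes, shift: int = 0) -> bytes:
    # Repeating-key XOR, starting at key[shift].
    return bytes(b ^ key[(i + shift) % len(key)] for i, b in enumerate(s))

def find_all(blob: bytes, needle: bytes):
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1)

def scan(blob: bytes, keywords, multi_key: bytes = b""):
    """Return sorted (offset, scheme, keyword) for every encoded keyword found."""
    hits = []
    for kw in keywords:
        variants = {"plain": kw, "xor_0x22": xor1(kw), "add_3": add3(kw)}
        # A keyword may sit at any offset inside an encoded buffer, so the key
        # can be at any rotation where the keyword starts: try each one.
        for shift in range(len(multi_key)):
            variants[f"xor_multi+{shift}"] = xor_multi(kw, multi_key, shift)
        for scheme, needle in variants.items():
            hits += [(off, scheme, kw.decode()) for off in find_all(blob, needle)]
    return sorted(hits)

# Constructed key, watch list and sample bytes (not taken from any real sample).
KEY = b"K3y!"
WATCHLIST = [b"constructed-user", b"otherbot", b"c2.example.invalid"]
SAMPLE = (
    b"\x7fELF\x00\x00"
    + xor1(b"constructed-user\x00") + b"\x00" * 4
    + add3(b"otherbot") + b"\x00" * 4
    + xor_multi(b"host=c2.example.invalid", KEY)
)

if __name__ == "__main__":
    for offset, scheme, keyword in scan(SAMPLE, WATCHLIST, KEY):
        print(f"0x{offset:04x}  {scheme:<12} {keyword}")
```

The domain is reported under `xor_multi+1` because it starts five bytes into the encoded buffer, which is why every key rotation has to be tried.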


Enemybot leverages several distribution techniques that are also typical of similar botnets, such as using a list of hardcoded username and password combinations to log in to devices. These devices are usually weakly configured or use default credentials. Mirai used the same technique.

To infect misconfigured Android devices with an exposed Android Debug Bridge port (5555), the malware attempts to run shell commands. The botnet also uses security vulnerabilities to target specific devices, such as in SEOWON INTECH SLC-130 and SLR-120S routers and CVE-2018-10823 in D-Link routers.

Earlier this month, we wrote about another botnet disclosed by FortiGuard, which was considered another variant of Mirai. Called Beastmode, the botnet was exploiting a list of specific vulnerabilities in TOTOLINK routers.

The critical vulnerabilities are relatively new, disclosed in the period between February and March 2022. The Linux platform is affected. As a result of the vulnerabilities, remote attackers could gain control over the exposed systems.

Milena Dimitrova
