A massive Internet-of-Things (IoT) botnet has been observed orchestrating large-scale Distributed Denial-of-Service (DDoS) attacks targeting various sectors, including prominent Japanese corporations and global organisations. Discovered in late 2024, the botnet exploits vulnerable IoT devices to launch coordinated cyberattacks that have already caused significant network disruptions.
According to researchers, these attacks were initiated from command-and-control (C&C) servers, with a notable geographic focus on North America, Europe, and Asia. The targets included financial institutions, communication providers, and even transportation systems.
Between December 2024 and January 2025, attacks were concentrated on organisations in the United States (17%), Bahrain (10%), and Poland (9%). Other targeted countries included Spain, Israel, Russia, the United Kingdom, Japan, Germany and Brazil. Within Japan, the financial and transportation sectors faced significant disruptions. Notably, 348 infected devices were traced to the botnet, with 80% identified as wireless routers and 15% as IP cameras.
Outside Japan, attackers targeted telecommunications, technology, hosting, cloud computing, banking, gaming, and financial services.

TP-Link and Zyxel routers were the most exploited; a substantial portion of these devices were located in India (57%) and South Africa (17%).
The botnet is powered by malware derived from Mirai and Bashlite (alternatively known as Gafgyt and Lizkebab). It infiltrates IoT devices by exploiting remote code execution (RCE) vulnerabilities or through weak initial passwords.
The infection process occurs in three stages:
- Infiltration: Malware gains access via vulnerabilities or weak credentials and executes a download script to retrieve a loader program.
- Payload deployment: The loader downloads and executes the main malware payload directly into memory, leaving no traceable files on the infected device.
- Activation: The malware connects to the C&C server, awaiting instructions for attacks or other actions.
To evade detection, the malware uses a customised User-Agent header during payload downloads and manipulates firewall rules on infected devices.
The botnet employs a sophisticated command structure to execute DDoS attacks and other malicious activities. These commands include DDoS variants like TCP SYN Flood, UDP Flood, and GRE Flood. Furthermore, the attackers use proxy operations to transform infected devices into underground proxy servers.

The operators also use system-control commands to update the malware, execute arbitrary commands on the device, or terminate the malware process. Researchers observed that commands like ‘socket’ and ‘handshake’ are more common in international attacks, while ‘stomp’ is predominantly used against Japanese entities.
“We observed that socket and handshake commands targeting Japanese organizations were issued to the botnet. However, the attacks did not last long. Following that, other DDoS attacks were conducted instead,” researchers explained.
Researchers have urged individuals to change default passwords, regularly update device firmware, limit unnecessary remote access and port forwarding, segregate IoT devices into dedicated networks so that a compromised device cannot reach the rest of the network, and employ network-level defences such as firewalls, CDNs, and real-time traffic monitoring.
For organisations, specific responses to DDoS attacks include blocking malicious traffic at the backbone, strengthening server hardware, and using behavioural analysis to detect abnormal traffic patterns.
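The behavioural analysis recommended above, applied to the three flood types the article names (TCP SYN, UDP and GRE floods), as an added illustration that is not part of the researchers' report: the flow records, the log format and the thresholds are all constructed assumptions. The check keys on many distinct sources converging on one destination within a short window, which is what a botnet flood looks like and what a single busy client does not.

```python
# Added example: flag botnet-style floods (TCP SYN, UDP, GRE) in flow records.
# The record format and thresholds below are assumptions, not from the article.
from collections import defaultdict

# Constructed flow records: (second, src_ip, dst_ip, proto, tcp_flags, bytes).
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", "TCP", "SA", 1500),   # normal handshake reply
    (0, "10.0.0.5", "203.0.113.10", "TCP", "A", 52000),   # normal data transfer
    # 120 distinct sources sending bare SYNs to one host in one second
    *[(1, f"198.51.100.{i}", "203.0.113.10", "TCP", "S", 60) for i in range(1, 121)],
    # 90 distinct sources flooding one host with UDP
    *[(1, f"192.0.2.{i}", "203.0.113.20", "UDP", "", 1400) for i in range(1, 91)],
    # 40 distinct sources sending GRE to one host
    *[(2, f"198.51.100.{i}", "203.0.113.30", "GRE", "", 1480) for i in range(1, 41)],
    # one legitimate GRE tunnel endpoint: a single source, should not alert
    (2, "10.0.0.9", "203.0.113.40", "GRE", "", 1480),
    # one busy client sending 200 UDP packets: high rate but a single source
    *[(1, "10.0.0.7", "203.0.113.50", "UDP", "", 1200) for _ in range(200)],
]

# Minimum number of distinct sources per destination per window before alerting.
THRESHOLDS = {"syn_only": 100, "udp_sources": 50, "gre_sources": 10}
WINDOW = 1  # seconds

def detect_floods(flows, thresholds=THRESHOLDS, window=WINDOW):
    """Return {(dst_ip, kind): distinct_source_count} for destinations that
    exceed the threshold for that flood kind in any single time window."""
    buckets = defaultdict(set)  # (window_index, dst, kind) -> set of source IPs
    for ts, src, dst, proto, flags, _size in flows:
        w = ts // window
        if proto == "TCP" and "S" in flags and "A" not in flags:
            buckets[(w, dst, "syn_only")].add(src)      # SYN without ACK
        elif proto == "UDP":
            buckets[(w, dst, "udp_sources")].add(src)
        elif proto == "GRE":
            buckets[(w, dst, "gre_sources")].add(src)
    alerts = {}
    for (w, dst, kind), srcs in buckets.items():
        if len(srcs) >= thresholds[kind]:
            # keep the worst window per (destination, kind)
            alerts[(dst, kind)] = max(alerts.get((dst, kind), 0), len(srcs))
    return alerts

if __name__ == "__main__":
    for (dst, kind), count in sorted(detect_floods(SAMPLE_FLOWS).items()):
        print(f"ALERT {kind:<12} dst={dst} distinct_sources={count}")
```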