
Zerobot Attack

Released: Dec 27, 2022


Severity: High

Platform: IoT

Attack Type: Go-based malware exploiting multiple vulnerabilities.

Zerobot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. According to Fortinet's research analysis, the most recent distribution of Zerobot includes additional capabilities, such as new DDoS attack capabilities and exploitation of Apache vulnerabilities.

Background

In November 2022, FortiGuard Labs observed a unique botnet written in the Go language, known as Zerobot, which contains several modules, including self-replication, attacks for different protocols, and self-propagation. For more information on the Zerobot malware, see the link to the Fortinet blog below. Please note that the Zerobot malware is not related to the ZeroBot chatbot or ZeroBot AI.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


December 06, 2022: Fortinet posted a security blog research about Zerobot at https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities


December 12, 2022: Microsoft uncovered new Zerobot 1.1 capabilities and posted a blog at https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV
  • Vulnerability
  • AV (Pre-filter)
  • Behavior Detection
  • IPS
  • Web App Security
  • Application Firewall
  • Web Filter
  • Botnet C&C

DETECT
  • IOC
  • Outbreak Detection
  • Threat Hunting
  • Content Update

RESPOND
  • Automated Response
  • Assisted Response Services

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of Compromise

IOC Indicator List (columns: Indicator, Type, Status)
darkrat.lh1.in domain Active
http://darkrat.lh1.in/login url Active
240fe01d9fcce5aae311e906b8311a1975f8c1431b83618... file Active
45.146.164.110 ip Active
3c1a2e702e7079f9d49373049eff5e59fcf35d526b7a157... file Active
161.35.188.242 ip Active
89.248.173.143 ip Active
143.198.62.76 ip Active
46.101.59.235 ip Active
137.184.69.137 ip Active
202.28.250.122:51783 ip Active
45.146.164.110:48238 ip Active
202.28.250.122:42323 ip Active
46.101.59.235:44008 ip Active
128.14.134.170 ip Active
128.14.134.134 ip Active
192.53.170.243 ip Active
http://heuristic-hermann-392016.netlify.app/stg... url Active
heuristic-hermann-392016.netlify.app domain Active
202.28.250.122 ip Active
https://52.220.244.242/stg_ntf.sh url Active
139.59.126.50 ip Active
128.90.166.247 ip Active
128.90.161.152 ip Active
128.90.166.31 ip Active
157.119.200.185 ip Active
163.172.173.238 ip Active
155.138.142.87 ip Active
185.111.51.118 ip Active
185.225.17.102 ip Active
89.46.62.130 ip Active
140.213.59.194 ip Active
157.230.212.97 ip Active
157.230.216.201 ip Active
157.245.51.232 ip Active
nervous-hodgkin-5c3bb4.netlify.app domain Active
amazing-nightingale-3617e1.netlify.app domain Active
3b5ffd88a9762c68de551e63243fcc0549e3c31784285b3... file Active
fd7e26f48dfb68284f5acda50eedb8e9a964fb8b8a1dbb2... file Active
a025a8b424c23856c42dbebcb67ff7c60c6cfd13aa12fce... file Active
4fc7113ed150895587635fa58b8be66a32f2d41b06807ac... file Active
1489c404a110149b66476e0f41317770f0291da64a0d4b3... file Active
dd303c2644c2a58cf466a19f7c801aeae43a63d4efd5670... file Active
b8a146284e8abf867ed86ff6cc4ee44648e47c7e857d5d2... file Active
93167030a5bb32e8d777f04a0853b2a55a0ae91a634afbc... file Active
428340a0695393a0cec55513e700a479e252d9b034f27f8... file Active
61c0449a48cf9351f157d89deff88bd4df2ab5c1091b350... file Active
9691bf237d879299984abb23b25ffb51a0f00567a364899... file Active
aaee6e01f4192caea86645bea741d85c240083b55341e47... file Active
feb4541172610b742552d3ee4bc9b114e9bf0d11dfff153... file Active
747ceb6c37bae5670b0c469c998c66e58b4ec310ab8ddf3... file Active
5aa0da717d2e88682203f2831bfb550ed8530d98bed9232... file Active
fca6e56e74f94b29674528a8c4e82898f1ca7dc62b4a7d5... file Active
4d1e20ef6d88436a7246e79987e71238021dbbbb80a3bc8... file Active
cd291d2b3933ab914eed36d3c9c0200ae864fb4a5d29fb5... file Active
62f854be8c9876e84a920231bdf7bbe0757beb609486aa3... file Active
73ef742834dfa72668fc423bd43204456c2f4effef5a99a... file Active
e94f04e2822fc7e2406cf2ad8f0d1e0359a13647cf26a8f... file Active
3b0a31a6889d129324d922b8861a6f06101ea9bc6a89bd7... file Active
73a7aa23e68c0bd6bd6960327cf0a24217544a913f83b85... file Active
c5d9345a8a49f1109c2fcd1c649ceaa94421e6c3804284f... file Active
7f2b0f01547d7d43c8bd33206faf78d6500a7f6f2a9e661... file Active
b3215074ddb18e43771a51f3d3c8c49571bbf69b33b8bbb... file Active
60848e2d345c3241e637c989ee2c7bfbe6f991fd3e9c9ff... file Active
176.65.137.6 ip Active
176.65.137.5 ip Active
http://176.65.137.5/bins/zero.mips url Active
http://176.65.137.5/bins/zero.arm url Active
http://176.65.137.5/bins/zero.mips64 url Active
http://176.65.137.5/zero.sh url Active
198.98.56.129 ip Active
7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c50... file Active
df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a... file Active
http://zero.sudolite.ml/zero.sh url Active
sudolite.ml domain Inactive
zero.sudolite.ml domain Active
191ce97483781a2ea6325f5ffe092a0e975d612b4e1394e... file Active
2460434dabafe5a5dde0cce26b67f0230dbcd0d0ab5faba... file Active
2955dc2aec431e5db18ce8e20f2de565c6c1fb4779e73d3... file Active
2af33e1ff76a30eb83de18758380f113658d298690a436d... file Active
439b2e500e82c96d30e1ef8a7918e1f864e6d706d944aed... file Active
447f9ed6698f46d55d4671a30cf42303e0bd63fe8d09d14... file Active
4483c4f07e651ce8218216dd5c655622ff323bf3cdfe405... file Active
50d6c5351c6476ea53e3c0d850de47059db3827b9c4a6ab... file Active
5824fc51fcfba1a6315fd21422559d63c56f0e219293708... file Active
5af002f187ec661f5d274149975ddc43c9f20edd6af8e42... file Active
6ac49092ee1bdd55ddbf57df829f20aac750597d85b5904... file Active
6c284131a2f94659b254ac646050bc9a8104a15c8d54828... file Active
6dd71163b6ab81a35ce373875a688ad9b31e0d1c292f02e... file Active
74f8a26eb324e65d1b71df9d0ed7b7587e99d85713c9d17... file Active
7722abfb3c8d498eb473188c43db8abb812a3b87d786c9e... file Active
7c085185f6754aef7824c201d8443300ff2b104521d82f9... file Active
96bbb269fd080fedd01679ea82156005a16724b3cde1eb6... file Active
9c16171d65935817afd6ba7ec85cd0931b4a1c3bafb2d96... file Active
af48b072d0070fa09bca0868848b62df5228c34ef24d233... file Active
b1d67f1cff723eda506a0a52102b261769da4eaf0551b10... file Active
c9ea4cda12c14c895e23988229831b8f04ccab315c1cbc7... file Active
cd9bd2a6b3678b61f10bb6415fb37ea6b9934b9ec8bb15c... file Active
d88e9248ff4c983aa9ae2e77cf79cb4efc833c947ec2d27... file Active
e0766dcad977a0d8d0e6f3f58254b98098d6a97766ddac3... file Active
IOC Threat Activity (chart, last 30 days): Avg 0