CatDDoS-Related Gangs Have Seen a Recent Surge in Activity

CatDDoS-related gangs remain active, exploiting 80+ vulnerabilities across a wide range of IoT and gateway devices and delivering samples to 300+ targets per day. The report traces CatDDoS variants to Mirai origins, notes zero-day indicators, and highlights code-sharing among groups such as RebirthLTD and Cecilio Network.

Keypoints

  • CatDDoS-related gangs exploited 80+ known vulnerabilities to deliver samples over the last three months, with more than 300 targets per day observed.
  • The vulnerabilities affect a broad set of vendor devices (cameras, routers, DVRs, etc.), indicating widespread IoT/embedded-device exposure.
  • CatDDoS is a Mirai variant lineage, first appearing in August 2023, with recent variants showing high code similarity and shared tactics across groups.
  • Active variants include v-2.0.4 (CatDDoS) and v-Rebirth (RebirthLTD), both using ChaCha20 for C2 traffic encryption, with identical key/nonce; other variants like v-snow_slide and v-ihateyou are described.
  • Template sharing is observed: multiple families use the same ChaCha20 algorithm and key/nonce, signaling cross-group homology in IoT botnet development.
  • Campaigns target worldwide users and sectors (cloud vendors, education, government, etc.), with notable incidents against Shanghai Network Technology and the UAE Telecommunications Authority.
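To make the "identical ChaCha20 key/nonce" point concrete for analysts, here is an added example (not code from the report or from any of the families it describes) showing why a shared (key, nonce) template matters: one decoder covers every family that reuses it, and keystream reuse can be confirmed from two captures alone, because XORing two ciphertexts produced with the same key, nonce and counter cancels the keystream. The ChaCha20 implementation follows RFC 8439; the key, nonce and C2 messages are constructed placeholders, not values recovered from real samples.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def quarter_round(s, a, b, c, d):
    # ChaCha quarter round (RFC 8439 section 2.1), applied in place to state list s.
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # One 64-byte keystream block: 32-byte key, 32-bit block counter, 12-byte nonce.
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8I", key)) + [counter] + list(struct.unpack("<3I", nonce))
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round, then diagonal round)
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            quarter_round(work, a, b, c, d)
    return struct.pack("<16I", *[(w + s) & MASK for w, s in zip(work, state)])

def chacha20_xor(key, nonce, data, counter=1):
    # Encryption and decryption are the same operation: XOR with the keystream.
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], block))
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed placeholder template: NOT the (key, nonce) recovered from real samples.
SHARED_KEY = bytes(range(32))
SHARED_NONCE = b"\x00" * 4 + b"catddos!"

def decode_c2(blob):
    # A single decoder serves every family that reuses the shared (key, nonce) template.
    return chacha20_xor(SHARED_KEY, SHARED_NONCE, blob)

def keystream_reuse_evidence(ct_a, ct_b, pt_a, pt_b):
    # With key, nonce and counter all shared, ct_a ^ ct_b == pt_a ^ pt_b: the keystream
    # cancels, so reuse across two captures is testable without knowing the key.
    n = min(len(ct_a), len(ct_b))
    return xor_bytes(ct_a[:n], ct_b[:n]) == xor_bytes(pt_a[:n], pt_b[:n])

# Constructed sample C2 messages, one per "family", both encrypted with the shared template.
MSG_A = b"family=v-2.0.4;type=heartbeat;bot=cam-01"
MSG_B = b"family=v-Rebirth;type=heartbeat;bot=rtr-07"
CT_A = chacha20_xor(SHARED_KEY, SHARED_NONCE, MSG_A)
CT_B = chacha20_xor(SHARED_KEY, SHARED_NONCE, MSG_B)
```

The keystream-cancellation check is the cheap triage step: if it holds for traffic from two supposedly different families, they share the encryption template before any sample has been unpacked.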

MITRE Techniques

  • [T1190] Exploit Public-Facing Applications – CatDDoS-related gangs exploited a large number of vulnerabilities to deliver samples over the past three months. “these vulnerabilities affect… delivery of samples”
  • [T1573] Encrypted Channel – Two variants use ChaCha20 for data encryption in communication, with identical key and nonce. “use chacha20 as a data encryption method for communication, and key and nonce are identical”
  • [T1071.004] Application Layer Protocol: DNS – v-2.0.4 uses the OpenNIC domain name as C2. “OpenNIC domain name as C2”
  • [T1027] Obfuscated/Compressed Files and Information – Samples moved from “no shell” to a “modified upx shell” (packer) and from “with symbols” to “remove symbols” to hinder reverse analysis. “to increase the difficulty of reverse analysis”

Indicators of Compromise

  • [Domain] CatDDoS-related domains – catddos.pirate, omgnoway.geek, rebirthltd.dev, and 2 more domains (if applicable)
  • [IP] observed command/data endpoints – 212.70.149.10, 87.246.7.66, and 2 more addresses (if applicable)
  • [Hash] Sample/file hashes – 5a1124cee1a26f84aa151a68e1dbdebd6fe7a247, f34e17c84d66117156826997aec6136e10d7cb9e

Read more: https://blog.xlab.qianxin.com/catddos-derivative-en/?ref=news.risky.biz