FortiGuard Labs tracked an evolved variant of the “Gayfemboy” malware that exploits vulnerabilities in devices from multiple vendors (DrayTek, TP-Link, Raisecom, Cisco) to deliver a downloader, which in turn installs the botnet and coin miners across a range of sectors and countries. The campaign used a consistent attack source and download host and multiple C2 domains; the malware itself relies on a modified UPX header to hinder unpacking, sandbox evasion, killing of competing malware processes, and DDoS and backdoor capabilities. Explicit IOCs are provided.
Key Points
- Gayfemboy resurfaced in July 2025, exploiting vulnerabilities in devices from DrayTek, TP-Link, Raisecom, and Cisco to gain remote control of affected systems.
- All observed incidents were traced to a common attack source (87[.]121[.]84[.]34) and a consistent download host (220[.]158[.]234[.]135), with downloader scripts named after the targeted device vendors.
- The downloader delivers architecture-specific binaries (e.g., xale for x86-64) packed with UPX whose header has been modified (the magic replaced by the non-printable bytes “10 F0 00 00”) to evade detection and defeat standard unpacking.
- Malware functionality is split across Monitor, Watchdog, Attacker, and Killer modules that provide persistence, sandbox evasion, killing of competing malware processes, DDoS attacks, backdoor access, and remote command execution.
- Gayfemboy resolves C2 domains via public DNS (1.1.1.1, 8.8.8.8, 8.8.4.4), scans 15 predefined ports for connectivity, and supports both lightweight four-byte commands and longer structured C2 commands for control and payload delivery.
- Campaign targets spanned multiple countries (e.g., Brazil, US, Germany, France, Israel, Vietnam) and sectors (Manufacturing, Technology, Construction, Media/Communications) and also deployed XMRig miners.
- Fortinet protections detect and block the malware (multiple AV signatures), block C2 domains via Web Filtering, and offer IPS signatures for the exploited CVEs; recommended mitigation includes patching and threat hunting using provided IOCs.
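As an added triage example (not FortiGuard's tooling or the malware's code), the following script looks for the tampered UPX marker described above. It assumes the campaign only overwrote the 4-byte UPX magic “UPX!” with 10 F0 00 00 and left the rest of the packer stub, including its banner string, in place; the sample images it scans are constructed, not real binaries.

```python
import sys

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"
MODIFIED_MAGIC = bytes.fromhex("10F00000")   # non-printable replacement quoted in the report
# Stock UPX stubs embed this banner; seeing it with no "UPX!" anywhere means the magic
# was tampered with (assumption: the stub itself was left intact).
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"


def classify_upx(data: bytes) -> str:
    """Classify a file image: not-elf, not-upx, upx-stock, upx-modified-magic or upx-tampered."""
    if not data.startswith(ELF_MAGIC):
        return "not-elf"
    if data.count(UPX_MAGIC):               # l_info header and PackHeader trailer still intact
        return "upx-stock"
    if UPX_BANNER in data:
        # Banner present but magic gone: report whether it is the value seen in this campaign.
        return "upx-modified-magic" if MODIFIED_MAGIC in data else "upx-tampered"
    return "not-upx"


def restore_magic(data: bytes) -> bytes:
    """Put the original 'UPX!' bytes back so a stock `upx -d` can unpack the sample for analysis."""
    return data.replace(MODIFIED_MAGIC, UPX_MAGIC)


def scan_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_upx(fh.read())


# Constructed sample images (not real malware): a 16-byte ELF e_ident followed by a
# UPX-like stub carrying the magic twice, once with the overwritten value, once stock.
_STUB = b"\x00" * 8 + b"%s" + b"\x00" * 40 + UPX_BANNER + b"\x00" * 16 + b"%s"
_E_IDENT = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
SAMPLE_MODIFIED = _E_IDENT + (_STUB % (MODIFIED_MAGIC, MODIFIED_MAGIC))
SAMPLE_STOCK = _E_IDENT + (_STUB % (UPX_MAGIC, UPX_MAGIC))

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```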
MITRE Techniques
- [T1059] Command and Scripting Interpreter – used to execute downloader scripts and remote payloads (quoted: “downloader scripts … execute Gayfemboy using the corresponding product name as a parameter” and commands like “Download and execute a remote payload”).
- [T1105] Ingress Tool Transfer – used when the malware downloads payloads from a consistent download host (quoted: “…a consistent download host at 220[.]158[.]234[.]135”).
- [T1036] Masquerading – UPX packing with modified magic header (“10 F0 00 00”) to evade detection (quoted: “replacing it with a non-printable string represented by the hexadecimal value ‘10 F0 00 00’ to evade detection”).
- [T1518] Software Discovery – scans /proc/[PID]/exe and /proc/[PID]/cmdline to discover running processes and their executable locations (quoted: “scans each subdirectory under /proc/[PID]/, inspecting the path of every corresponding /proc/[PID]/exe”).
- [T1497] Virtualization/Sandbox Evasion – introduces a 50 nanosecond delay and a fallback ~27-hour sleep to detect and evade sandboxes (quoted: “introduces a deliberate delay of 50 nanoseconds… fallback sleep of approximately 27 hours”).
- [T1543] Create or Modify System Process – self-persistence by re-executing itself if terminated (quoted: “If Gayfemboy detects that its process has been terminated, it automatically re-executes itself”).
- [T1071] Application Layer Protocol – uses DNS resolution via public resolvers (1.1.1.1, 8.8.8.8, 8.8.4.4) to bypass local filtering when resolving C2 domains (quoted: “uses public DNS servers… instead of relying on the system’s configured resolver”).
- [T1041] Exfiltration Over C2 Channel – sends encoded system information back to C2 using a specific four-byte command (quoted: “11 11 11 11 Send the encoded system information back to the C2 server”).
- [T1499] Endpoint Denial of Service – includes multiple DDoS methods (UDP flood, TCP SYN flood, ICMP flood) to launch attacks (quoted: “preloads several attack methods into memory… UDP flood, TCP flood, TCP SYN flood, ICMP flood”).
- [T1112] Modify Registry (or equivalent persistence mechanisms) – modifies firewall rules via iptables to allow C2 traffic (quoted: “Modify firewall rules (via iptables) to allow C2 traffic”).
- [T1574] Hijack Execution Flow – uses downloader scripts named after devices to invoke specific payloads and architectures, steering execution flow (quoted: “downloader scripts are named after specific products… each script executes Gayfemboy using the corresponding product name as a parameter”).
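As an added hunting example, not from the FortiGuard report, this script correlates two of the behaviours mapped above over constructed connection records: DNS queries sent directly to the hard-coded public resolvers (T1071) and contact with the campaign's attack and download hosts (T1105). The record format, the site resolver 192.0.2.53 and the five-minute correlation window are assumptions; the IOC addresses are the ones listed on this page.

```python
from collections import defaultdict

PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8", "8.8.4.4"}   # resolvers hard-coded in the malware
LOCAL_RESOLVER = "192.0.2.53"                            # constructed: the site's sanctioned resolver
IOC_HOSTS = {                                            # addresses from this page's IOC list
    "87.121.84.34": "attack source", "220.158.234.135": "download host",
    "141.11.62.222": "malicious host", "149.50.96.114": "malicious host",
    "78.31.250.155": "malicious host",
}
WINDOW = 300   # seconds; resolver bypass followed by IOC contact within this window is one chain

def parse(line):
    """Parse a constructed record '<epoch> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto, dport

def correlate(lines):
    """Return {src: [(severity, reason), ...]} for hosts showing either behaviour."""
    last_bypass = {}                       # src -> epoch of its last direct public-resolver query
    findings = defaultdict(list)
    for line in lines:
        try:
            ts, src, dst, proto, dport = parse(line)
        except ValueError:
            continue                       # malformed record: skip it, do not abort the hunt
        if proto == "udp" and dport == "53" and dst in PUBLIC_RESOLVERS:
            last_bypass[src] = ts
            findings[src].append(("low", f"DNS to {dst} bypassing {LOCAL_RESOLVER}"))
        elif dst in IOC_HOSTS:
            # Escalate when the same host queried a public resolver shortly before.
            recent = src in last_bypass and ts - last_bypass[src] <= WINDOW
            sev = "high" if recent else "medium"
            findings[src].append((sev, f"contact with {dst} ({IOC_HOSTS[dst]})"))
    return dict(findings)

# Constructed sample log: 10.0.0.9 shows the full chain, 10.0.0.7 only bypasses the
# resolver (a policy issue, not proof of infection), 10.0.0.5 reaches the download host
# long after a normal query to the site resolver, and one record is malformed.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.0.2.53 udp 53
1700000010 10.0.0.9 8.8.8.8 udp 53
1700000012 10.0.0.9 220.158.234.135 tcp 80
1700000020 10.0.0.7 1.1.1.1 udp 53
garbage line
1700000700 10.0.0.5 220.158.234.135 tcp 80
"""

def run(log_text=SAMPLE_LOG):
    return correlate(log_text.splitlines())
```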
Indicators of Compromise
- [IP Address] attack and download hosts – 87[.]121[.]84[.]34 (attack source), 220[.]158[.]234[.]135 (download host)
- [Domains] C2 domains and malicious hosts – cross-compiling[.]org, i-kiss-boys[.]com, furry-femboys[.]top, twinkfinder[.]nl, 3gipcam[.]com
- [Hosts] additional malicious hosts observed – 141[.]11[.]62[.]222, 149[.]50[.]96[.]114, 78[.]31[.]250[.]155
- [File Hashes] downloader sample – SHA256 1940296f59fb5fb29f52e96044eca25946f849183ceda4feb03e816b79fbaa812… (truncated)
- [File Hashes] Gayfemboy binary – SHA256 e85291d70a144ebe2842aeba2c77029762ca8ebfd36008b7bb83cda3e5d5d99d… (truncated)
- [File Names] architecture-specific binaries – xale (x86-64 variant), xle (Intel 80386), aale (AArch64), mbe/mle (MIPS R3000) and others