
L7 DDoS Botnet Hijacked 5.76M Devices to Launch Massive Attacks

In early March 2025, security teams first observed an unprecedented L7 DDoS botnet targeting web applications across multiple sectors.

The botnet, rapidly expanding from an initial 1.33 million compromised devices, employed HTTP GET floods to exhaust server resources and circumvent traditional rate limiting.

By mid-May, the threat escalated as the botnet grew to 4.6 million nodes, leveraging compromised IoT devices and poorly secured endpoints to expand its attack capacity.

By September, this sprawling network had mobilized 5.76 million IP addresses for a coordinated assault on a government organization, generating tens of millions of requests per second.

Qrator Labs analysts noted significant shifts in geographical distribution, with Brazil, Vietnam, and the United States emerging as major sources of malicious traffic.

The attack unfolded in two waves: an initial surge engaging approximately 2.8 million devices, followed an hour later by an additional 3 million nodes.

HTTP headers in the second wave revealed randomized User-Agent strings designed to evade simple traffic filtering.
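The detection problem this creates is that each node can stay under a per-IP rate limit and no two requests need share a User-Agent, so per-source filtering sees nothing. As an added illustration (not code from the Qrator Labs report), the following Python aggregates web-server access-log lines per request path and flags targets hit by many sources whose User-Agents almost never repeat; the log lines and TEST-NET addresses are constructed.

```python
"""Flag a distributed HTTP GET flood with per-request randomized User-Agents.
Added example: parses constructed combined-log lines and aggregates per path,
since each source stays under a per-IP limit while the aggregate exposes it."""
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return ip/method/path/ua of one combined-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_flood(lines, min_requests=5, min_ips=3, min_ua_ratio=0.8):
    """Return {path: stats} for GET targets whose traffic looks like a flood.
    ua_ratio = distinct User-Agents / requests: genuine clients reuse one UA,
    so a ratio near 1.0 spread over many sources means per-request randomization.
    """
    per_path = defaultdict(lambda: {"ips": set(), "uas": set(), "per_ip": defaultdict(int)})
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "GET":
            s = per_path[rec["path"]]
            s["ips"].add(rec["ip"])
            s["uas"].add(rec["ua"])
            s["per_ip"][rec["ip"]] += 1
    flagged = {}
    for path, s in per_path.items():
        n = sum(s["per_ip"].values())
        ratio = len(s["uas"]) / n
        if n >= min_requests and len(s["ips"]) >= min_ips and ratio >= min_ua_ratio:
            flagged[path] = {"requests": n, "distinct_ips": len(s["ips"]),
                             "distinct_uas": len(s["uas"]), "ua_ratio": round(ratio, 2),
                             "max_requests_per_ip": max(s["per_ip"].values())}
    return flagged

# Constructed sample (TEST-NET addresses): four sources request /login twice each,
# every request with a fresh User-Agent; one ordinary client reuses a single UA.
SAMPLE_LOG = [
    f'203.0.113.{i} - - [05/Sep/2025:10:00:0{j} +0000] "GET /login HTTP/1.1" '
    f'200 512 "-" "Bot/{i}.{j}"' for i in range(1, 5) for j in range(2)
] + [
    f'198.51.100.7 - - [05/Sep/2025:10:00:0{j} +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Firefox/128.0"' for j in range(3)
]

if __name__ == "__main__":
    for path, info in detect_flood(SAMPLE_LOG).items():
        print(path, info)  # only /login is flagged; max_requests_per_ip stays at 2
```

In the sample, every flooding source sends only two requests, so a per-IP limit never fires; the per-path view catches it because eight requests from four addresses carry eight different User-Agents.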

Qrator Labs researchers identified key adaptations in the botnet’s control mechanism that facilitated its rapid scaling.

The malware communicates over encrypted channels with a decentralized command-and-control (C2) infrastructure, which the attackers rotate frequently to avoid blacklisting.

Signature-based mitigation struggled to keep pace as each C2 endpoint was active for mere hours before rotation.

Infection Mechanism and Persistence

The core infection vector relies on brute-force exploitation of default credentials and unpatched vulnerabilities in common IoT firmware.

Once inside a device, the malware deploys a lightweight rootkit that hooks into network interfaces and intercepts firmware update routines.

A code snippet extracted by Qrator Labs illustrates the persistence strategy:

#include <string.h>

/* Provided elsewhere in the sample: the malicious module loader and the
   saved pointer to the device's original update routine. */
void launch_payload(void);
int orig_update(char *path);

// Intercept firmware update calls
int hook_update(char *path) {
    // Any attempt to run the stock updater is redirected to the payload
    if (!strcmp(path, "/usr/bin/fw_update")) {
        launch_payload();
        return 0;
    }
    // Other calls pass through so the device appears to behave normally
    return orig_update(path);
}

This approach ensures the malicious modules reload after each system restart, rendering simple reboot-based remediation ineffective.

The stealthy rootkit also suppresses suspicious process listings, further complicating detection and removal.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
